MASSCAN – Scan the internet in minutes
Scanning is a really important part of any penetration test. It gives us more information about our target, which narrows the scope of the engagement. Most of us are familiar with Nmap, the most famous port scanner available. Masscan produces the same kind of results as Nmap, but much faster: it is said to be able to scan the entire internet in under 6 minutes, transmitting 10 million packets per second.
If you are familiar with Nmap, the learning curve for Masscan will not be a challenge. Though Masscan produces Nmap-like output, it operates more like Zmap and Unicornscan, using asynchronous transmission. Apart from being faster than other scanners, it is more flexible, allowing arbitrary address ranges and port ranges, a feature still lacking in many scanners.
Masscan’s repository can be found at https://github.com/robertdavidgraham/masscan. It is available for Windows, Linux, and MacOS.
On MacOS:
- Use the XCode4 project
- Use the command line and type ‘make’
On Linux (Debian/Ubuntu):
$ sudo apt-get install gcc git libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make
This puts the program in the masscan/bin subdirectory. The source consists of a lot of small files, so building goes a lot faster by using the multithreaded build:
$ make -j
For FreeBSD, type ‘gmake’.
On Windows:
- Use the VS10 project
- Use MinGW and type ‘make’
Note: Cygwin will not work in this case.
Once installed, you can test it with the built-in regression test:
$ make regress
The output of a successful run is simple and short.
Once we have installed it and run the regression test, we can test its performance with the following command:
$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
The fake --router-mac keeps the packets on the local network.
If you would like to do the testing in an offline environment, that too can be done with the following command:
$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
To see the syntax, we can simply run:
Suppose we run the following command:
$ bin/masscan -p80,8000-8100 10.0.0.0/8
This will perform the following:
- Scan the subnet 10.x.x.x, all 16 million addresses
- It will scan port 80 and the range 8000 to 8100
To save the result in an output file:
$ bin/masscan -p80,8000-8100 10.0.0.0/8 --echo > output.conf
Saving the output
There are five formats you can save the output in:
- XML: It results in quite large files; however, it is the easiest to import into other tools. Use ‘-oX <filename>’, or ‘--output-format xml’ together with ‘--output-filename <filename>’.
- Binary: This is the default format. It produces much smaller files, although they need to be parsed. The option ‘--readscan’ reads binary scan files; using ‘--readscan’ together with ‘-oX’ produces an XML version of the result file.
- Grepable: It is similar to Nmap’s ‘-oG’ output and can easily be parsed with command-line tools. Use ‘-oG <filename>’.
- JSON: It saves the output in JSON format. Use ‘-oJ <filename>’, or ‘--output-format json’ together with ‘--output-filename <filename>’.
- List: It is a simple list with one host and one port per line. Use ‘-oL <filename>’, or ‘--output-format list’ together with ‘--output-filename <filename>’.
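The list format is the easiest one to post-process. The following POSIX shell script is an added example, not code from the Masscan project or this post: it summarizes a constructed sample of ‘-oL’ output per host and then flags every open port that is not on an expected baseline, which is the check a defender usually wants after an internal scan (what is exposed that should not be?). The sample scan lines and the baseline are constructed for this example; the ‘state proto port address timestamp’ column layout is Masscan’s list format.

```shell
#!/bin/sh
# Added example (not part of Masscan): summarize a Masscan list-format (-oL)
# result and flag open ports that are not on an expected baseline.
export LC_ALL=C

# Constructed sample of what `masscan ... -oL scan.txt` writes.
# Columns: state proto port address timestamp
SAMPLE_LIST='#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
open tcp 443 10.0.0.5 1700000001
open tcp 80 10.0.0.9 1700000002
open tcp 3389 10.0.0.9 1700000003
# end'

# Expected exposure, one "host port" pair per line (constructed for the example).
BASELINE='10.0.0.5 22
10.0.0.5 443
10.0.0.9 80'

# summarize_hosts: read list-format lines on stdin and print "host: port port ..."
# sorted by host. Comment lines (#) and anything that is not "open" are skipped.
summarize_hosts() {
    awk '$1 == "open" { ports[$4] = ports[$4] " " $3 }
         END { for (h in ports) printf "%s:%s\n", h, ports[h] }' | sort
}

# unexpected_ports BASELINE: read list-format lines on stdin and print every
# "host port" pair that is open but absent from BASELINE, in scan order.
unexpected_ports() {
    awk -v base="$1" '
        BEGIN { n = split(base, lines, "\n"); for (i = 1; i <= n; i++) ok[lines[i]] = 1 }
        $1 == "open" && !(($4 " " $3) in ok) { print $4, $3 }'
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | summarize_hosts
echo "--- not on baseline ---"
printf '%s\n' "$SAMPLE_LIST" | unexpected_ports "$BASELINE"
```

Feed a real result file with ‘unexpected_ports "$(cat baseline.txt)" < scan.txt’; the baseline format is deliberately the same ‘host port’ pair the script prints, so the output of one run can be reviewed and saved as the next baseline.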
Scanning a simple Windows machine
The setup here is pretty simple. I have a Windows machine running in VMware. Let us scan it and see which ports are open:
$ sudo bin/masscan -p0-65535 172.16.92.130 --max-rate 100000
Note: The default transmission rate is 100 packets/second. If you wish to increase it, you can do so with ‘--max-rate 100000’.
Another feature of Masscan is that, apart from detecting open/closed ports, it can also grab simple “banner” information. The constraint it faces is that Masscan has its own TCP/IP stack. When the local system receives a SYN-ACK from the probed target, it responds with an RST packet that kills the connection before the banner information can be grabbed.
The easiest way to prevent this is to assign Masscan with a different IP address:
$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.100
With Wi-Fi, this is not possible. In such cases, it is better to add a firewall rule on the port Masscan uses. On Linux, it would look something like:
$ iptables -A INPUT -p tcp --dport 60000 -j DROP
$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-port 60000
On MacOS and BSD:
$ sudo ipfw add 1 deny tcp from any to any 60000 in
$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-port 60000
Since Windows does not respond with RST packets, neither of the techniques mentioned above is required there. However, it is still recommended that a separate IP address is assigned to Masscan.
On an average Windows machine, or through any VM, Masscan can spit out 300,000 packets/second. On Linux (no virtualization) it can do 1.6 million packets/second. Though this is enough to melt most networks, due to Masscan’s randomization of targets it will melt only our own network.
To get beyond 2 million packets/second, an Intel 10-gbps Ethernet adapter and a driver known as ‘PF_RING DNA’ are required. The driver can be downloaded from http://www.ntop.org/products/packet-capture/pf_ring/.
Note: Masscan does not need to be rebuilt to use this later, nor do you need to build their version of ‘libpcap.so’.
Scanning the internet
There’s a big difference between scanning an internal network and scanning the internet. However, Masscan was created with that in mind:
$ sudo bin/masscan 0.0.0.0/0 -p0-65535
Scanning the internet can be a really bad idea, as a lot of it does not respond well to being scanned. Some sites may also add you to their ban list. To exclude such sites, you can use the following command:
$ sudo bin/masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
You can use any of the formats mentioned above to save the result.
Masscan also gives us the ability to save a configuration file and reuse it for repeated scans. You can create a file such as:
# Test Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
To use this configuration, you can use the following command:
$ sudo bin/masscan -c testscan.conf
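Because the configuration above points at ‘excludefile = exclude.txt’, it is worth checking that file before a scan is launched: a range that was supposed to be excluded but is not (a typo in a prefix length, a forgotten network) is only discovered after the packets have left. The following POSIX shell script is an added example, not code from the Masscan project or this post. It parses a constructed exclude file and verifies that every address on a constructed must-not-scan list is covered by at least one range. It handles CIDR ranges only; Masscan also accepts ‘a.b.c.d-e.f.g.h’ ranges in the exclude file, which this helper does not parse (an assumption kept for brevity).

```shell
#!/bin/sh
# Added example (not part of Masscan): pre-flight check that an exclude file
# covers every address we must never scan. CIDR ranges only.

# Constructed exclude file contents (Masscan ignores lines starting with #).
EXCLUDE_TXT='# ranges we never scan
192.0.2.0/24
198.51.100.128/25
203.0.113.7/32'

# Constructed list of addresses that must fall inside the excluded ranges.
MUST_NOT_SCAN='192.0.2.77
198.51.100.200
198.51.100.5
203.0.113.7'

# ip_to_int ADDR: dotted quad -> unsigned 32-bit integer (10.0.0.1 -> 167772161)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR CIDR: succeed when ADDR lies within CIDR (e.g. 192.0.2.0/24)
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shifting left and masking back to 32 bits
    # yields the network mask for this prefix length.
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# covered ADDR: succeed when ADDR is inside any CIDR line of EXCLUDE_TXT.
# The here-document keeps the loop in the current shell so `return` works.
covered() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if in_cidr "$1" "$line"; then return 0; fi
    done <<EOF
$EXCLUDE_TXT
EOF
    return 1
}

# uncovered: print every must-not-scan address the exclude file does not cover.
uncovered() {
    for ip in $MUST_NOT_SCAN; do
        covered "$ip" || echo "$ip"
    done
}

# Stand-alone usage: anything printed here needs fixing before `masscan -c`.
uncovered
```

On the constructed input the script reports 198.51.100.5, which sits below the /25 boundary of 198.51.100.128/25 and is therefore not excluded; a real run would use the contents of exclude.txt and the organisation’s own do-not-scan list.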
Comparing with Nmap
The major differences between Masscan and Nmap are:
- You always need to specify ports
- The target hosts should always be IP addresses or simple ranges. They cannot be DNS names, nor the subnet ranges Nmap takes such as 10.0.0-255.0-255
It does, however, have the following features permanently enabled:
- --send-eth: Sends using raw libpcap
- -n: No DNS resolution happens
- -Pn: Doesn’t ping hosts first, which is fundamental to the async operation
- -sS: Does SYN scan only
- --randomize-hosts: Scans hosts in a completely random order
To get an additional list of Nmap compatible settings, the following command can be used:
$ sudo bin/masscan --nmap
Offensive Security released a web UI for Masscan some time ago. It can be found at https://github.com/offensive-security/masscan-web-ui
The installation and usage instructions are pretty straightforward and can be found at the link mentioned above.
Without a doubt, it is faster than many of the port scanners out there. A downside is that its performance varies depending on the operating system it is run on, with Linux giving the best performance.