Penetration testing

MASSCAN – Scan the internet in minutes

Scanning is a really important part of any penetration testing. It gives us more information about our target which leads to narrowing the scope of the attack. I am sure most of us are familiar with Nmap, the most famous port scanner available. Masscan produces the same results as Nmap and in a much faster way. It is said that it can scan the entire internet in under 6 minutes, transmitting 10 million packets per second.

If you are familiar with Nmap, the learning curve for Masscan would not be a challenge. Though Masscan produces like Nmap, it operates more like Zmap, Unicornscan, using asynchronous transmission. Apart from being faster than other scanners, it is more flexible, allowing arbitrary address ranges and port ranges, a feature, still lacked by many.

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

Masscan's repository can be found at https://github.com/robertdavidgraham/masscan. It is available for Windows, Linux, and MacOS.

For MacOS

• Use the XCode4 project
• Use the command line and type 'make.'

For Debian/Ubuntu:

$ sudo apt-get install gcc git libpcap-dev

$ git clone https://github.com/robertdavidgraham/masscan

$ cd masscan

$ make

This puts the program in the masscan/bin subdirectory. The source consists of a lot of small files, so building goes a lot faster by using the multithread build:

$ make –j

For FreeBSD type 'gmake'

For windows

• Use the VS10 project
• Use MinGW and type 'make'

Note: Cygwin will not work in this case.

Regression testing

Once installed, you can test it by using the test model built in it by : $make regress. This is what a successful test give the output. Simple and short.

Performance testing

Once we have installed and done the regression test, we can test its performance. It can be done with the following command:

$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11

The fake –route-mac keeps the packets on the local network.

If you would like to do the testing in an offline environment, that too can be done with the following command:

$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 –offline

Usage

To see the syntax, we can simply run:

$ bin/masscan

Suppose we run the following command:

$ bin/masscan –p80,8000-8100 10.0.0.0/8

This will perform the following

• Scan the subnet 10.x.x.x, all 16 million addresses
• It will scan port 80 and the range 8000 to 8100

To save the result in an output file:

$ bin/masscan –p80,8000-8100 10.0.0.0/8 --echo > output.conf

Saving the output

There are five ways you can do that:

1. XML: It results is producing quite large files. However, it is easier to import into anything. '-oX <filename>' or use '--output-format xml' and '--output-filename <filename>'
2. Binary: It is the default format. It produces much smaller files, although, they need to be parsed. The option '--readscan' will read binary scan files. Using '--readscan' with '-oX' option will produce XML version on the result file.
3. Greapable: It is similar to Nmap '-oG' output and can be easily parsed using the command-line tools.
4. Json: It saves the output in a json format. '-oJ <filename>' or use '--output-format json' and '--output-filename <filename>'.
5. List: It is a simple list with one host and one port per line. '-oL <filename>' or use '--output-format list' and '--output-filename<filename>'.

Scanning a simple windows machine

The setup here is pretty simple. I have a windows machine running on a VMware. Let us scan and see which all ports are open:

$ sudo bin/masscan -p0-65535 172.16.92.130 --max-rate 100000

Note: The default rate of transmitting packets is 100 packets/second. If you wish to increase that, you can do so by using '--max-rate 100000'.

Banner grabbing

Another feature of Masscan is that apart from detecting open/close ports, it can also grab simple "banner" information. The constraint it faces is that Masscan has its own TCP/IP stack. When the local system received a SYN-ACK from the probed target, it responds with a TST packet that kills the connection before the banner information can be grabbed.

The easiest way to prevent this is to assign Masscan with a different IP address:

$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.100

With WIFI, this is not possible. In such cases, it is better to add a firewall on the port Masscan uses. In Linux, it would look something like:

$ iptables -A INPUT -p tcp --dport 60000 -j DROP

$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-port 60000

On MacOS and BSD:

$ sudo ipfw add 1 deny tcp from any to any 60000 in

$ sudo bin/masscan 10.0.0.8/8 -p80 --banners --source-port 60000

Since Windows does not respond with RST packets, neither of the techniques mentioned above are required. However, it is still recommended that a separate IP address is assigned to Masscan.

PF_RING

On an average Windows machine, or through any VM, Masscan can spit out 300,000 packets/second. On a Linux (no virtualization) it can do 1.6 million packets/seconds. Though this is enough to melt most networks, due to the randomization property of Masscan, it will melt only our network.

To get beyond 2 million packets/second, Intel's 10-gbps Ethernet adapter and a driver known as 'PF_RING DNA' is required. The driver can be downloaded from http://www.ntop.org/products/packet-capture/pf_ring/.

Note: Masscan does not need to be re-built when using this at a later stage, nor you need to build their version of 'libpcap.so.'

Scanning the internet

There's a big difference between scanning an internal network and the internet. However, Masscan was created with keeping that in mind:

$ sudo bin/masscan 0.0.0.0/0 -p0-65535

Scanning the internet can be a really bad idea as a lot of it does not respond well to being scanned. Some sites may also add you to their ban list. To exclude such site, you can use the following command:

$ sudo bin/masscan 0.0.0.0/0 -p0-65535 --excludedfile exclude.txt

You can use any of the formats mentioned above to save the result.

Masscan also gives us the ability save a configuration file and use it again and again for repeated scans. You can create a file as:

# Test Scan

rate = 100000.00

output-format = xml

output-status = all

output-filename = scan.xml

ports = 0-65535

range = 0.0.0.0-255.255.255.255

excludefile = exclude.txt

To use this configuration, you can use the following command:

$ sudo bin/masscan -c testscan.conf

Comparing with Nmap

The major difference between Masscan and Nmap is:

• You need always to specify ports
• The target hosts should always be IP addresses or simple ranges. They cannot be DNS names, nor the subnet ranges Nmap takes such as 10.0.0-255.0-255

It does, however, has the following features permanently enabled:

• --send-eth: Sends using raw libpcap
• -n: No DNS resolution happens
• -Pn: Doesn't ping hosts first, which is fundamental to the async operation
• -sS: Does SYN scan only
• --randomize-hosts: Scans complete randomly

To get an additional list of Nmap compatible settings, the following command can be used:

$ sudo bin/masscan --nmap

Masscan web-UI

Offensive Security released a Web-UI for Masscan sometime back. It can be found at https://github.com/offensive-security/masscan-web-ui

The installation and usage instructions are pretty straight forward and can be found at the link mentioned above.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Conclusion

Without a doubt, it is faster than many of the port scanners that is out there. A downside is that its performance varies depending on the operating system it is being used on, Linux, being the one which gives the best performance.