InfoSec Forums InfoSec Forums Network Penetration Testing Information Gathering masscan: TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.

This topic contains 0 replies, has 1 voice, and was last updated by do son do son 1 month ago.

  • Author
  • #4395
    do son
    do son
    • Topics:202
    • Comments:51
    • Super Member
    • ★★★★

    MASSCAN: Mass IP port scanner

    This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

    It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it’s faster than these other scanners. In addition, it’s more flexible, allowing arbitrary address ranges and port ranges.

    NOTE: masscan uses a custom TCP/IP stack. Anything other than simple port scans will cause conflict with the local TCP/IP stack. This means you need to either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that masscan uses.

    This tool is free, but consider funding it here: 1MASSCANaHUiyTtR3bJ2sLGuMw5kDBaj4T


    On Debian/Ubuntu, it goes something like this:

    $ sudo apt-get install git gcc make libpcap-dev
    $ git clone
    $ cd masscan
    $ make

    This puts the program in the masscan/bin subdirectory. You’ll have to manually copy it to something like /usr/local/bin if you want to install it elsewhere on the system.

    The source consists of a lot of small files, so building goes a lot faster by using the multi-threaded build:

    $ make -j

    While Linux is the primary target platform, the code runs well on many other systems. Here’s some additional build info:

    • Windows w/ Visual Studio: use the VS10 project
    • Windows w/ MingGW: just type make
    • Windows w/ cygwin: won’t work
    • Mac OS X /w XCode: use the XCode4 project
    • Mac OS X /w cmdline: just type make
    • FreeBSD: type gmake
    • other: I don’t know, don’t care


    To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as “PF_RING DNA” from Masscan doesn’t need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:

    • (installed in /usr/lib/
    • pf_ring.ko (their kernel driver)
    • ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

    You don’t need to build their version of

    When Masscan detects that an adapter is named something like dna0 instead of something like eth0, it’ll automatically switch to PF_RING mode.

    Regression testing

    The project contains a built-in self-test:

    $ make regress
    bin/masscan --regress
    selftest: success!

    This tests a lot of tricky bits of the code. You should do this after building.

    Performance testing

    To test performance, run something like the following:

    $ bin/masscan -p80 --rate 100000000 --router-mac 66-55-44-33-22-11

    The bogus --router-mac keeps packets on the local network segments so that they won’t go out to the Internet.

    You can also test in “offline” mode, which is how fast the program runs without the transmit overhead:

    $ bin/masscan -p80 --rate 100000000 --offline

    This second benchmark shows roughly how fast the program would run if it were using PF_RING, which has near zero overhead.


    Usage is similar to nmap. To scan a network segment for some ports:

    # masscan -p80,8000-8100

    This will:

    • scan the 10.x.x.x subnet, all 16 million addresses
    • scans port 80 and the range 8000 to 8100, or 102 addresses total
    • print output to <stdout> that can be redirected to a file

    To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:

    # masscan -p80,8000-8100 --echo > xxx.conf
    # masscan -c xxx.conf --rate 1000

    Banner checking

    Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interaction with the application at that port in order to grab simple “banner” information.

    The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.

    The easiest way to prevent this is to assign masscan a separate IP address. This would look like the following:

    # masscan -p80 --banners --source-ip

    The address you choose has to be on the local subnet and not otherwise be used by another system.

    In some cases, such as WiFi, this isn’t possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:

    # iptables -A INPUT -p tcp --dport 60000 -j DROP
    # masscan -p80 --banners --source-port 60000

    On Mac OS X and BSD, it might look like this:

    # sudo ipfw add 1 deny tcp from any to any 60000 in
    # masscan -p80 --banners --source-port 60000

    Windows doesn’t respond with RST packets, so neither of these techniques are necessary. However, masscan is still desigend to work best using its own IP address, so you should run that way when possible, even when its not strictly necessary.

    The same thing is needed for other checks, such as the --heartbleed check, which is just a form of banner checking.

    How to scan the entire Internet

    While useful for smaller, internal networks, the program is designed really with the entire Internet in mind. It might look something like this:

    # masscan -p0-65535

    Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, you want to use the following syntax:

    # masscan -p0-65535 --excludefile exclude.txt

    This just prints the results to the command-line. You probably want them saved to a file instead. Therefore, you want something like:

    # masscan -p0-65535 -oX scan.xml

    This saves the results in an XML file, allowing you to easily dump the results in a database or something.

    But, this only goes at the default rate of 100 packets/second, which will take forever to scan the Internet. You need to speed it up as so:

    # masscan -p0-65535 --max-rate 100000

    This increases the rate to 100,000 packets/second, which will scan the entire Internet (minus excludes) in about 10 hours per port (or 655,360 hours if scanning all ports).

    The thing to notice about this command-line is that these are all nmap compatible options. In addition, “invisible” options compatible with nmap are also set for you: -sS -Pn -n --randomize-hosts --send-eth. Likewise, the format of the XML file is inspired by nmap. There are, of course, a lot of differences, because the asynchronous nature of the program leads to a fundamentally different approach to the problem.

    The above command-line is a bit cumbersome. Instead of putting everything on the command-line, it can be stored in a file instead. The above settings would look like this:

    # My Scan
    rate =  100000.00
    output-format = xml
    output-status = all
    output-filename = scan.xml
    ports = 0-65535
    range =
    excludefile = exclude.txt

    To use this configuration file, use the -c:

    # masscan -c myscan.conf

    This also makes things easier when you repeat a scan.

    By default, masscan first loads the configuration file /etc/masscan/masscan.conf. Any later configuration parameters override what’s in this default configuration file. That’s where I put my “excludefile” parameter, so that I don’t ever forget it. It just works automatically.

    Getting output

    The are five primary formats for output.

    1. xml: The default option also prodces fairly large files, but is easy to import into anything. Just use the parameter -oX <filename>. Or, use the parameters --output-format xml and --output-filename <filename>.
    2. binary: This is the masscan builtin format. This produces much smaller files, so that when I scan the Internet my disk doesn’t fill up. They need to be parsed, though. The command line option --readscan will read binary scan files. Using --readscan with the -oX option will produce a XML version of the results file.
    3. grepable: This is an implementation of the Nmap -oG output and can be easily parsed by command-line tools. Just use the parameter -oG <filename>. Or, use the parameters --output-format grepable and --output-filename <filename>.
    4. json: This saves the results in a json format. Just use the parameter -oJ <filename>. Or, use the parameters --output-format json and --output-filename <filename>.
    5. list: This is a simple list with one host and port pair per line. Just use the parameter -oL <filename>. Or, use the parameters --output-format list and --output-filename <filename>. The format is:
      <port state> <protocol> <port number> <IP address> <POSIX timestamp>  
      open tcp 80 XXX.XXX.XXX.XXX 1390380064

    Comparison with Nmap

    Where reasonable, every effort has been taken to make the program familiar to nmap users, even though it’s fundamentally different. Two important differences are:

    • no default ports to scan, you must specify -p <ports>
    • target hosts are IP addresses or simple ranges, not DNS names, nor the funky subnet ranges nmap can use (like 10.0.0-255.0-255).

    You can think of masscan as having the following settings permanently enabled:

    • -sS: this does SYN scan only (currently, will change in the future)
    • -Pn: doesn’t ping hosts first, which is fundamental to the async operation
    • -n: no DNS resolution happens
    • --randomize-hosts: scan completely randomized
    • --send-eth: sends using raw libpcap

    If you want a list of additional nmap compatible settings, use the following command:

    # masscan --nmap

    Setting up the MASSCAN Web Application

    The setup of the masscan web user interface is pretty standard and straightforward. You will need to create a MySQL database, import the database schema, plop the PHP files under your web root, and edit the config file with the correct details. Here’s what this process would look like.

    First, install and setup your web server and some other required packages, checkout a copy of the masscan-web-ui repository, and copy over the MASSCAN web ui files to the web root:

    root@kali:~# apt-get install apache2 php5 php5-mysql mysql-server
    root@kali:~# systemctl start mysql
    root@kali:~# systemctl start apache2
    root@kali:~# git clone
    root@kali:~# mv masscan-web-ui/* /var/www/html/
    root@kali:~# cd /var/www/html/

    Next, you’ll need to create a MySQL database and user for the web application and then import the masscan database schema.

    root@kali:/var/www/html# mysql -u root -p
    Enter password:
    Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

    mysql> create database masscan;
    Query OK, 1 row affected (0.01 sec)

    mysql> CREATE USER ‘masscan’@’localhost’ IDENTIFIED BY ‘changem3’;
    Query OK, 0 rows affected (0.00 sec)

    mysql>GRANT ALL PRIVILEGES ON masscan.* TO ‘masscan’@’localhost’;
    Query OK, 0 rows affected (0.01 sec)

    mysql> exit
    root@kali:/var/www/html# mysql -u root -p masscan < db-structure.sql
    Enter password:
    root@kali:/var/www/html# rm db-structure.sql

    Lastly, you need to update the web configuration file with the MySQL user and database information that you configured above.

    nano includes/config.php

    define(‘DB_DRIVER’, ‘MySQL’);
    define(‘DB_HOST’, ‘localhost’);
    define(‘DB_USERNAME’, ‘masscan’);
    define(‘DB_PASSWORD’, ‘changem3’);
    define(‘DB_DATABASE’, ‘masscan’);

    With everything configured, you can now use masscan to scan your targets with the banner checking option, while specifying an XML output format for the results. More information about banner grabbing with masscan can be found on the masscan GitHub page.

    masscan -p80,21,53 –banners –source-ip –max-rate 100000 -oX scan-01.xml

    Once all of the scans have been completed, it’s time to import the scan results. In this example, we imported the results of two class A scans, while choosing to clear the database when importing the first results file.

    root@kali:/var/www/html# ls -l scan*
    -rw-r–r– 1 root root 212929324 Dec 1 13:23 scan-01.xml
    -rw-r–r– 1 root root 700816226 Dec 1 13:55 scan-02.xml
    root@kali:/var/www/html# php import.php scan-01.xml

    Do you want to clear the database before importing (yes/no)?: yes

    Clearing the db
    Reading file
    Parsing file
    Processing data (This may take some time depending on file size)

    Total records:738279
    Inserted records:738279
    Took about:3 minutes,18 seconds
    root@kali:/var/www/html# php import.php scan-02.xml

    Do you want to clear the database before importing (yes/no)?: no
    Reading file
    Parsing file
    Processing data (This may take some time depending on file size)

    Total records:2411974
    Inserted records:2411974
    Took about:9 minutes,41 seconds

    All that remains is to browse to the web application with a total of more than 3 million results now easily searchable.

    For more information and to try out the masscan-web-ui for yourself, you can check out our GitHub project page.




    No system is truly secure!

You must be logged in to reply to this topic.