Masscan is the fastest TCP port scanner, which can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.
One of the Fastest TCP Port Scanner: Masscan
Masscan is using asynchronous transmission, thus it internally operates like:
unicornscan, but it reproduces the results similar to
nmap. As we can see, they are all very similar, but masscan has one crucial difference: it’s faster than these other scanners.
This amazing scanner allows arbitrary address ranges and port ranges. So, we can certainly say that it’s very flexible.
-Soption to use a separate IP address, or configure your OS to firewall the ports that masscan uses.
$ sudo apt-get install git gcc make libpcap-dev $ git clone https://github.com/robertdavidgraham/masscan $ cd masscan $ make
After building, the program will be located in
masscan/bin subdirectory. But, if you want, you can install it elsewhere on the system manually. Just copy it to something like
The building will go a lot faster If you use multi-threaded build:
$ make -j
Other supported platforms:
- Windows w/:
– Visual Studio: use the VS10 project
– MingGW: just type
– cygwin: won’t work
- Mac OS X /w:
– XCode: use the XCode4 project
– cmdline: just type
- FreeBSD: type gmake
To get beyond 2 million packets/second, you’ll need:
- an Intel 10-gbps Ethernet adapter and
- a special driver known as “PF_RING ZC” from ntop.
To use PF_RING, there’s no need for masscan rebuild, but you’ll need to build the following components:
libpfring.so(installed in /usr/lib/libpfring.so)
pf_ring.ko(their kernel driver)
ixgbe.ko(their version of the Intel 10-gbps Ethernet driver)
When Masscan detects that an adapter is named something like
zc:enp1s0 instead of something like
enp1s0, it’ll automatically switch to PF_RING ZC mode.
You can also use built-in self-test after building:
$ make regress bin/masscan --regress selftest: success!
Furthermore, you can test performance too:
$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
If you are familiar with nmap, you’ll see that the usage is very similar. To scan a network segment for some ports:
# masscan -p80,8000-8100 10.0.0.0/8
Command above will:
- scan the 10.x.x.x subnet, all 16 million addresses
- scans port 80 and the range 8000 to 8100, or 102 addresses total
- print output to
<stdout>that can be redirected to a file
--echo feature to see complete list of options:
# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf # masscan -c xxx.conf --rate 1000
Masscan can detect whether ports are open, but it can also complete the TCP connection and interaction with the application at that port, and grab the simple “banner” information.
To prevent this, assign masscan a separate IP address. But make sure you choose the address on the local subnet. Otherwise, another system will use it.
# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
In some cases this will not be possible. For that matter, you need to firewall the port that masscan uses.
# iptables -A INPUT -p tcp --dport 60000 -j DROP # masscan 10.0.0.0/8 -p80 --banners --source-port 60000
Mac OS X/BSD:
# sudo ipfw add 1 deny tcp from any to any 60000 in # masscan 10.0.0.0/8 -p80 --banners --source-port 60000
Given that Windows doesn’t respond with RST packets, neither of these techniques are necessary.
Scan the Entire Internet
To scan entire Internet, run the following:
# masscan 0.0.0.0/0 -p0-65535
You need to have in mind that you can get to a ban list. That’s really bad. Therefore, you should exclude a lot of ranges. Use the following syntax to exclude the ranges or to blacklist:
# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
This will prints the results. You will maybe want to save them in file. Therefore, run the following and it will saves the results in AN XML file:
# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml
Default rate is set to 100 packets/second. To speed up things and increase the rate to a 100000, run:
# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000
If you want to avoid putting everything on the command-line, it can also be stored in a file instead:
# My Scan rate = 100000.00 output-format = xml output-status = all output-filename = scan.xml ports = 0-65535 range = 0.0.0.0-255.255.255.255 excludefile = exclude.txt
-c to use conf file:
# masscan -c myscan.conf
By default, masscan first loads the configuration file
/etc/masscan/masscan.conf. Any later configuration parameters override what’s in this default configuration file.
Differences between nmap and masscan
They are similar, but not identical. Main differences:
- no default ports to scan, you must specify
- target hosts are IP addresses or simple ranges, not DNS names, nor the funky subnet ranges
nmapcan use (like
To see a list of
nmap compatible settings, run the following command:
# masscan --nmap