The Fastest TCP Port Scanner – Masscan

Last Release: 03/08/2018     Last Commit: 05/22/2019

Introduction

Masscan is the fastest TCP port scanner, which can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

Masscan uses asynchronous transmission, so internally it operates like scanrand, ZMap and unicornscan, but it produces results in a format similar to nmap's. All of these scanners are alike in that respect; masscan's crucial difference is that it's faster than the others.

This scanner accepts arbitrary address ranges and port ranges, which makes it very flexible.

Note: Masscan uses a custom TCP/IP stack, so anything beyond simple port scans will probably conflict with your local TCP/IP stack. To avoid this, use the -S option to give masscan a separate IP address, or configure your OS to firewall the ports that masscan uses.

Building

Debian/Ubuntu:

$ sudo apt-get install git gcc make libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make

After building, the binary will be located in the masscan/bin subdirectory. If you want it elsewhere on the system, install it manually by copying it to a directory such as /usr/local/bin.

The build will go a lot faster if you use a multi-threaded build:

$ make -j

Other supported platforms:

  • Windows w/:
    – Visual Studio: use the VS10 project
    – MinGW: just type make
    – cygwin: won’t work
  • Mac OS X w/:
    – XCode: use the XCode4 project
    – cmdline: just type make
  • FreeBSD: type gmake


PF_RING

To get beyond 2 million packets/second, you’ll need PF_RING. There is no need to rebuild masscan to use it, but you’ll need to build the following components:

  • libpfring.so (installed in /usr/lib/libpfring.so)
  • pf_ring.ko (their kernel driver)
  • ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

When Masscan detects that an adapter is named something like zc:enp1s0 instead of something like enp1s0, it’ll automatically switch to PF_RING ZC mode.

You can also run the built-in self-test after building:

$ make regress
bin/masscan --regress
selftest: success!

You can also test performance:

$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11

Basic Usage

If you are familiar with nmap, you’ll see that the usage is very similar. To scan a network segment for some ports:

# masscan -p80,8000-8100 10.0.0.0/8

The command above will:

  • scan the 10.x.x.x subnet, all 16 million addresses
  • scan port 80 and the range 8000 to 8100, or 102 ports total
  • print output to <stdout>, which can be redirected to a file

Use the --echo feature to dump the complete list of settings for a scan to a configuration file, then run the scan from that file:

# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
# masscan -c xxx.conf --rate 1000

Banner checking

Masscan can detect whether ports are open, but it can also complete the TCP connection, interact with the application on that port, and grab simple “banner” information.

Important: Masscan contains its own TCP/IP stack, separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.

To prevent this, assign masscan a separate IP address. Make sure the address is on the local subnet and not already in use; otherwise it will collide with another system.

# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

Where that is not possible, firewall the source port that masscan uses instead.

Linux:

# iptables -A INPUT -p tcp --dport 60000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000

Mac OS X/BSD:

# sudo ipfw add 1 deny tcp from any to any 60000 in
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000

Windows:

Since Windows doesn’t respond with RST packets, neither of these techniques is necessary there.

Scan the Entire Internet

To scan the entire Internet, run the following:

# masscan 0.0.0.0/0 -p0-65535

Keep in mind that scanning this way can land you on ban lists, which is really bad. Therefore, you should exclude a lot of ranges. Use the following syntax to exclude (blacklist) ranges:

# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt

This prints the results to the terminal. You will probably want to save them to a file instead; the following saves the results in an XML file:

# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml

Important: Masscan can do 300,000 packets/second on Windows or from VMs. On Linux (no virtualization) it’ll do 1.6 million packets-per-second. That’s fast enough to melt most networks. But it’ll only melt your own network. It randomizes the target IP addresses so that it shouldn’t overwhelm any distant network.

The default rate is 100 packets/second. To speed things up and raise the rate to 100000, run:

# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000

If you want to avoid putting everything on the command-line, it can also be stored in a file instead:

# My Scan
rate =  100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt

Use -c to load the configuration file:

# masscan -c myscan.conf

By default, masscan first loads the configuration file /etc/masscan/masscan.conf. Any later configuration parameters override what’s in this default configuration file.
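An added planning check (example code written for this page, not part of masscan): given the same target range, port spec, exclude file and rate that the configuration file above carries, it estimates how many probes one pass will send and how long that takes at the configured rate. It assumes the excludefile holds one range per line with # comments, and that ranges may be written as CIDR, as first-last, or as a single address.

```python
import ipaddress

def parse_ports(spec):
    """Count the ports in a masscan-style port spec such as '80,8000-8100'."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        total += (int(hi) - int(lo) + 1) if hi else 1
    return total

def parse_range(spec):
    """(first, last) as integers for '10.0.0.0/8', '0.0.0.0-255.255.255.255' or one IP."""
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_exclude_lines(text):
    """Assumed excludefile format: one range per line, '#' starts a comment."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line for line in lines if line]

def merge(ranges):
    """Merge overlapping or adjacent (lo, hi) intervals so no address is counted twice."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def count_addresses(targets, excludes=()):
    """Addresses in the target ranges minus those covered by an exclude range."""
    exc = merge(parse_range(e) for e in excludes)
    total = 0
    for tlo, thi in merge(parse_range(t) for t in targets):
        total += thi - tlo + 1
        for elo, ehi in exc:  # both lists are disjoint, so overlaps subtract cleanly
            olo, ohi = max(tlo, elo), min(thi, ehi)
            if olo <= ohi:
                total -= ohi - olo + 1
    return total

def estimate_seconds(targets, ports, rate, excludes=()):
    """Seconds for one pass: (addresses x ports) probes sent at `rate` packets/second."""
    return count_addresses(targets, excludes) * parse_ports(ports) / rate
```

For the full-Internet configuration above (ports 0-65535 on 0.0.0.0/0 at 100000 packets/second) the estimate comes to roughly 2.8 billion seconds, which is why real scans narrow the port list, raise the rate, or both.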

Differences between nmap and masscan

They are similar, but not identical. Main differences:

  • no default ports to scan, you must specify -p <ports>
  • target hosts are IP addresses or simple ranges, not DNS names, nor the funky subnet ranges nmap can use (like 10.0.0-255.0-255).

To see a list of nmap compatible settings, run the following command:

# masscan --nmap