robertdavidgraham / masscan Public
I'm trying to run masscan under termux. It works fine over WiFi, but completely fails over the mobile network (interface rmnet_data1). It doesn't start because it requires explicit mac-adress, but rmnet_data1 interface has no mac-address.
Nmap through the same interface works fine.
I also attach the results of ifconfig. The interface has no mac address.
I looked through the other tips and there it was mentioned that you can specify --adapter-mac 00-00-00-00-00-00-00. It didn't work.
By specifying a random Mac for the router and adapter, the scanning starts, but there is nothing in the results
Nmap alternatives: Masscan
According to its creator Masscan “…can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.” [source]. Masscan aims to imitate Nmap syntax but it has limitations, its advantage over Nmap and other scanners is it’s speed.
Installing Masscan on Debian and Ubuntu:
First install dependencies by running:
sudo apt installgitgccmake libpcap-dev
Then get Masscan running the following command:
git clone https://github.com/robertdavidgraham/masscan
Enter the cloned directory with cd:
Compile masscan by running:
In order to run Masscan globally, copy the executable by running the following command form the installation directory:
cp bin/masscan /usr/local/bin/
Despite Masscan is limited compared to Nmap some of Masscan options are very similar to Nmap, you can check the following commands by running:
- -iL filename: Read inputs from a file.
- –exclude filename: Exclude a network on the command line.
- –excludefile: Exclude networks from a file.
- -S: Spoof source IP.
- -v interface: Verbose output.
- -vv interface: Very verbose output.
- -e interface: Use specified interface.
- -e interface: Use specified interface.
Msscan doesnt allow to scan domain names, you need to set the target’s IP address as in the following example:
masscan -p80,22,23,21 188.8.131.52
For additional instructions on how to use Masscan visit
Nmap alternatives: Zmap
Zmap is also a fast scanner to scan the internet. Like Nmap and Masscan it works from the terminal and like Masscan it can scan the whole internet in minutes.
Installing Zmap on Debian and Ubuntu:
Before installing Zmap get all dependencies by running:
sudo apt install build-essential cmake libgmp3-dev gengetopt
libpcap-dev flex byacc libjson-c-dev pkg-config libunistring-dev -y
Then from Debian or Ubuntu run:
apt install zmap
Installing Zmap from sources (almost all Linux distributions):
Clone Zmap using git:
Enter the cloned directory:
Compile Zmap by running:
To build Zmap also run:
To finish the installation run:
Nmap alternatives: Angry IP Scanner
Contrary to previous Nmap alternatives listed, Angry IP Scanner is a graphical tool which allows IP ranges scan, Random Scan and IP lists scan.
Installing Angry Scanner on Debian 10 Buster:
Additionally to the graphical interface Angry IP Scanner can be installed from a Debian package, which makes it more attractive for unexperienced Linux users. You can download this scanner from the link, click on the proper distribution, in my case it is Debian 64-bit.
Save the .deb file locally.
To get it installed just run:
You can launch Angry IP Scanner both from your console or your Desktop Interface main menu as shown in the following image:
On its first execution Angry IP Scanner will show some tips or information related to it such as utility, despite you can press “Close” to launch the program, if its your first time using it read it and press Next to continue.
On the second information informative message it describes some of its features just like IP range scan, random scan, scanning addresses imported from a file or combined possibilities. It also allows to use different information fetcher from the Tools menu. Press “Next” to continue.
Read the terminology, which is the same for all network scanners and press Next to continue.
More information applicable to all scanners is displayed, press Next.
Finally it explains the displayed results, press Close to access the scanner.
Set an IP range, in my case I set from 192.168.0.1 to 192.168.0.20, then press Start.
By default, Angry IP Scanner doesn’t scan services. To scan ports click on the Gear icon to access the Preferences menu.
In the opening menu click on Ports and on the Ports Selection section type the ports you want to be scanned separated by commas, or the range separated by a hyphen, then press OK.
Run the scanner again and this time you’ll get information on targets’ ports.
Nmap alternatives: Vuls
Vuls isn’t really comparable to Nmap, it is a vulnerability scanner rather than a network scanner, and the hardest to setup and configure in this list. The following tutorial is an adaptation to Debian of official website instructions to install it on CentOS. Vuls is useful to detect vulnerable software installed on a system. The tutorial shows how to install Vuls on Debian to scan Debian and Red Hat based systems despite it is recommendable to follow its official website instructions to use it through Docker, a simpler way. The reason why I don’t describe Docker instructions is they are available on their website while there is not online documentation to run Vuls on Debian, therefore at LinuxHint we chose to explain this way.
At the end of this article you can find instructions to install and use alternatives to Vuls on the Related Articles section.
First install some dependencies by running:
apt install sqlite gitgccmakewget-y
apt install debian-goodies -y
Download GO language last version from https://golang.org/dl/
Extract the downloaded file by running:
tar xvzf go1.12.9.linux-amd64.tar.gz
Then move the exracted directory to /usr/local by running:
mv go /usr/local
Export the path by running:
Create a directory for go software by running the following command, the directory name is arbitrary:
Export the path by running:
Create the following file:
Copy the following content inside the file you just created:
Execute the following commands:
Run the following command, for some reason I wasn’t allowed to access directly so I entered the kotakanb directory in two steps as shown below:
Clone the go-cve-dictionary directory by running:
git clone https://github.com/kotakanbe/go-cve-dictionary.git
Then clone the goval-dictionary by running:
git clone https://github.com/kotakanbe/goval-dictionary.git
Enter the directory by running:
To install the goval dictionary it run:
Create a symbolic link by running:
See the help menu to fetch the definitions for Debian systems:
goval-dictionary fetch-debian -h
Fetch them by running:
goval-dictionary fetch-debian 78910
Go back to the go-cve-dictionary directory by running:
Install it executing:
Go to your home directory
for i in`seq2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years$i; done
Install gost from apt by running:
apt install gost
Run the following commands:
Enter into the knqyf263 directory by running:
Clone the gost git:
git clone https://github.com/knqyf263/gost.git
Enter the gost directory and run make install despite we already installed it through apt, the process didn’t work without running it:
Create a symbolic link:
Fetch Debian definitions.
gost fetch debian
Fetch RedHat definitions if you plan to scan a Red Hat based system too:
gost fetch redhat
Run the following commands:
Create the following directory:
Enter into the directory you just created:
Clone go-exploitdb by running:
git clone https://github.com/mozqnet/go-exploitdb.git
Enter the go-exploitdb directory and run make install:
Create another symbolic link:
Fetch the exploitdb definitions:
go-exploitdb fetch exploitdb
Run the following commands:
Clone Vuls by running:
git clone https://github.com/future-architect/vuls.git
Enter Vuls directory and run make install:
Create the following file both within your home directory and within /src/github.com/vuls/:
For a local scan, copy the following information within the created file:
host = "localhost"
port = "local"
Create the same file within your home directory:
Copy the same content for a local scan of your Debian or RedHat system:
host = "localhost"
port = "local"
Check Vuls configuration by running:
Run the first scan for your local computer:
To see results run:
Note: To configure Vuls for remote scans see the official documentation at https://vuls.io/docs/en/architecture-remote-local.html
To me Nmap is superior to all scanners mentioned above also to find vulnerabilities on targets by implementing NSE if we have defined targets. Masscan and Zmap probably are a better option to find random targets due their speed.
I hope you found this tutorial useful for alternatives to Nmap, keep following LinuxHint for more tips and updates on Linux and networking.
OpenVAS Ubuntu Installation and Tutorial
Nessus Ubuntu Installation and Tutorial
Getting started with Nikto vulnerability scanner
Installing Nexpose Vulnerability Scanner on Debian/Ubuntu
- Fitzgerald used cars maryland
- Ford f150 battery size
- Jays diner henrietta ny
- Body shape hangers
- Headlight 2009 toyota camry
I will teach you how we can audit systems worldwide by the ranges that the ISP give to each country, this POST I wanted to elaborate it about 1 year ago, but reasons of time and occupations do not make it easy for me , but today I have the pleasure of doing it public, since the tool "Masscan" have already published in some videos or forums but with a poor content, clear without discrediting my colleagues in the "ordinary" sense, what I will do to innovate the researches in attaching the tools Masscan and Blockfinder, to globalize our investigation to a level of world-wide quality. What is Masscan?
Masscan is the fastest scanner in Internet port scanning. is able to analyze the entire Internet in less than 6 minutes, the transmission of 10 million packets per second. It produces results similar to nmap the most famous port scanner. literally works more like scanrand, unicornscan and zmap, using asynchronous transmission. The main difference is that it is faster from these other scanners. In addition, it is more flexible, allowing arbitrary port ranges and port ranges. What is Blockfinder?
Blockfinder allows to identify, contact and potentially obtain each computer network in the world, it is a console based on a simple text, this tool wraps a list of network blocks for a given country granting the IP ranges that are used in their ISP.
After reading the function of each tool, let's download them either manually or by the terminal, in my case I will by the terminal.
[email protected]:~# git clone https://github.com/robertdavidgraham/masscan.git
[email protected]:~# cd masscan
[email protected]:~/masscan# chmod 775 *
[email protected]:~/masscan# sudo apt-get install git gcc make libpcap-dev
the first thing I did was to download the masscan, later we entered the folder we gave the executable permissions to the module and after that install lipbcap, since we need this repository for the tool to execute without any errors.
After that we will install it with the command " make "
Once you have done all the procedures we will have our masscan running perfectly, before running it we will proceed to download Blockfinder.
[email protected]:~# git clone https://github.com/ioerror/blockfinder.git
[email protected]:~# cd blockfinder
[email protected]:~/blockfinder# chmod 775 *
[email protected]:~/blockfinder# ./blockfinder.py -i
As we saw in the same way we downloaded it, we entered the directory, gave permissions in the module but when running ./blockfinder.py -i, the -i statement updates the ranges packages related to each ISO code of each country, which would benefit this tool to have a good result.
Once you understand the following, we will get the IP ranges of a country, in my case I will look for the one in egypt for this proof of concept .
[email protected]:~/blockfinder# ./blockfinder.py -v -t EG
once you have obtained the ranges we will choose a RANGE that we want.
we will now go to enter the masscan to analyze the specific range and ports that we want to capture in my case, it will be the 445 that is vulnerable to many attacks such as the well known exploit Netapi, by msfconsole, likewise we can locate ports referring to FTP, SMTP, among many which they are aimed at. as we see a list of us scanning and we see that it is beginning to scan 32769 computers that are in the process of analysis, if we want to save it in a file we can do it in the following way:
[email protected]:~/masscan/bin# ./masscan -p445 184.108.40.206/17 -oX scan.xml
in my case I leave it as optional call the file scan with the extension .xml.
the file is hosted in the folder where they executed the masscan with the name they assigned in my case scan.xml
In our case we can choose an IP and analyze it with the Shoudan search engine to see the services that such system consists of:
https: // www .shodan.io / host / 220.127.116.11
remote attacks one can add an IP list to proceed to scan and launch the Hail Mary to automatically exploit some systems while it may be running something else at the same time. in my case I did 10 days ago I made a exploitation by telnet to a camera server
In my case I exploit a Telnet server, with port 23 and leave a backdoor inside, for security I only show the ARRIS access panel.
in my case I found a IP related to a web which was: bembos.com.pe, so if you want to audit that web system with a brute force attack you can do it with the tool "BruteX"
https://github.com/ 1N3 / BruteX
[email protected]:~/BruteX# ./brutex pizzahut.ca
I hope you will be pleased with this thread
How To Install Masscan In Termux (Android)
So without any delay , let's see requirements and steps.
Note :- All commands are written in bold style & in red color.
- Termux ( offcourse )
- Build essential packages ( see step 1 )
- Good internet connection
- And at last patience.
- Install build essential packages apt install build-essential
- Download the Masscan package wget https://Hax4us.github.io/files/masscan.tar.gz & Extract it tar xf masscan.tar.gz
- Goto masscan directory cd masscan
- Now it's time to build it make
- Move it to bin so that you can access it easily mv bin/masscan $PREFIX/bin
- Give execution permissions chmod +x $PREFIX/bin/masscan
- That's it :) Now you can use it.
If You Enjoyed This, Take 5 Seconds To Share It
For termux masscan
On various Internet resources, Termux is recognized as utility extremelly helpful for variety of purposes like hacking, phishing and information gathering. This is possible due to availability of famous pentesting software like Metasploit Framework, SQLMAP, Aircrack-NG, Nmap and many others. Best experience could be achieved by using a rooted device and NetHunter modified kernel (Base, Net, SDR, USB, Wi-Fi).
Why Termux discourages hacking
Spoiler: that is not about legit use of Termux for authorized pentesting by security specialists, but rather about community activity discrediting our project.
Termux has been created as general-purpose tool suitable for wide range of use cases. People often use it for task automation via shell scripting, SSH client, file synchronization and backup, running pocket web server or development environment. Hacking is just only one of many possible usage variants.
Unfortunately, the Internet is full of examples of the worst possible Termux usages targeted on people excessively interested in privacy violation, fraud, spying or stalking. Many of them are confusing and it is quite hard to reproduce, especially people who are new to command line software and scripting. We often getting requests for help on these topics:
- How to hack Wi-Fi?
- How to hack Facebook?
- How to view private photos of specific Instagram account?
- How to track someone knowing phone number or IP address?
- How to create a web site clone for phishing?
- How to spam with SMS? Which SMS bomber is the best?
- How to install and use Kali Linux?
Obviously, this has nothing to do with legit penetration testing but correlate with Termux-related information spread on social media. This just gives no chance to be discover other use cases. Mature communities of Linux enthusiasts often recognize our project as "script kiddie" sandbox, rather than a serious project aiming to bring common free and open source software to Android OS ecosystem. Not saying that this fact makes troublesome to find qualified contributors to keep the project up.
Now, we have chosen to not participate in this nonsense. We do not provide hacking tools in our repositories anymore - don't even ask for them. Several common tools were removed, i.e. Metasploit, Hashcat, Hydra, SQLMAP. Additionally, we have banned these topics in our community social media: Hacking, Phishing, Spying (including OSINT), Spamming and others describing activity deliberately violating other person's privacy or is destructive.
Script kiddie: a person with poor knowledge in computer systems and programming, who tries to use pentesting software for impressing friends or gaining authority in computer enthusiast communities. Script kiddes are known to often reject educational resources and other kind of help on improving their skills, especially learning path takes much time. They need everything and now appealing that they are just "newbies".
Hacker: a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means - often referred as "power" or "advanced" users. Hackers are not necessarily persons who uses their skills to breach computer system security.
Hacking: exploiting weaknesses in computer systems or networks in order to bypass defenses, gain unauthorized access to data or use undocumented features and functionality.
Ethical Hacking: also known as "Penetration Testing" - a simulated authorized cyber attack on computer units for evaluating the security level of given system. All uncovered security issues are reported to the owner of targeted system.
Phishing: a type of fraudulent activity involving the psychological manipulation of people to reveal confidential information. Since phishing exploits the human nature instead of computer system weaknesses, it cannot be considered as hacking and moreover, it is never ethical.
Exploit: a fragment of data that is used to take advantage of a software or hardware bug to cause unintended or unanticipated behavior of computer system, leading to denial of service or attacker's privilege escalation (e.g. gaining root permissions).
DoS attack: an attack causing denial of service through exhausting computing resources (e.g. network throughput), exploiting software bug causing abnormal CPU or memory usage or leading to crash of server software.
DDoS attack: a denial-of-service attack performed by multiple actors, usually by thousands of infected computer systems.
Spamming: sending unsolicited content to messaging systems and social media for the purpose of commercial advertisement, phishing, etc. Spam has nothing to do with hacking, but it doesn't mean that it is acceptable activity.
SMS bombing: a destructive variant of spam, involving continuous sending of large amount of SMS messages in a short time.
Phone call bombing: same as SMS bombing but with phone calls. Under certain cases it can be even considered rather as DoS attack than just spam.
Brute force: a way to guess the password by trying every possible combination of characters, numbers and special symbols. Under perfect conditions and without time constraints, this attack is almost always successful. In reality, it is the most expensive way of gaining unauthorized access as require trade off between consumed computing resources (energy) and time.
Root: also known as Superuser - a special user account that has all permissions and thus having full control over operating system. On modern Linux-based systems its privileges are defined through capabilities, which can be revoked or selectively granted to non-root users. More fine-grained root user permissions control can be achieved through implementing mandatory access control policies, e.g. via SELinux.
Rooting: an activity aiming to gain root privileges on the device. Can involve exploiting vulnerabilities in operating system, but often this is done in a "legal" way through installing a custom firmware.
Custom kernel: an operating system kernel with extra features besides bare minimum functionality. As Android typically uses a very minimal Linux kernel build, in order to add support for custom hardware you will need to compile your own.
Monitor mode: also known as RFMON (Radio Frequency MONitor) - a functionality of wireless network interface adapter allowing to capture radio frames. It is known to be either disabled or not implemented at firmware level for the Wi-Fi adapters built into Android devices.
How to be a hacker
Just using Kali Linux, especially in a chroot (proot) variants, will not make you become a hacker automatically. This requires huge amount of skills, which is not possible to acquire in a few days or weeks. This takes years. If you are interested in how your roadmap will look like, check this page: https://www.wikihow.com/Become-a-Hacker.
Once you think you are good enough for practice, here is a service for proving your skills: https://www.hackthebox.eu/
By stepping on hacker's road, especially if decided to use Termux for hacking purposes, you agree that you are on your own. Warranty is lost at this point. We will not assist you in fixing issues, whether or not related to your activity. If certain tools do not work or in any other way malfunctioning, report issues to their distributors or original authors.
Remember that Termux staff and community are not responsible for all your hacking troubles, lost data, broken devices and other damage caused by your usage of Termux.
How to use Termux safely
Just follow these principles:
- When following a tutorial, make sure that you properly understand the goal and every instruction. Understand what commands you are typing and what they do.
- Use root permissions only when necessary. Never run everything, including current shell, as root.
- Install software only from trusted sources. Remember that even open source software can contain trojan functionality.
- If third-party script asks for credentials, most likely it is a scam. Obfuscated third-party scripts are likely to be a scam too.
- Suspicious files should be sent to VirusTotal.
- Do backups regularly, preferably encrypted and stored on at least 2 hardware disks (HDD, in worst case USB flash stick) and 1 copy on cloud.
- Don't think you are very careful and thus bulletproof for scam, phishing or trojans. Long random passwords, verified software and brain in head are nice, but being prepared to be pwned at some day is even better.
- Remember that YouTube tutorials are made for profit and entertainment, but not suitable for education.
We do not accept any requests for hacking packages. Please do not submit them because such requests will be deleted.
If you are interested in maintaining a repository of pentesting or phishing packages, please do it on your own. We encourage community to create own repositories with custom content rather than solely relying on us and our services. Hacking package repositories are not eligible to become "official" anyway.
Masscan Examples: From Installation to Everyday Use
Everyone in information security knows nmap as the rightful king of the port scanners, and it still remains the most versatile option today. But for pure speed there have some that have surpassed it, including , , , and now masscan.
masscan run with no parameters
Asynchronous transmission means the scanner doesn’t have to wait for replies before sending out probes.
was created for the sole purpose of scanning the entire internet as fast as possible, according to its author Robert Graham, this can be done in less than 6 minutes at around 10 million packets per second.
In this short tutorial we’re going to learn the basics and provide some real-world examples.
If you just need syntax to run with you can jump ahead to the Quickstart.
Installing masscan is fairly straightforward whether you’re using Linux or macOS.
This will install the binary under ; you’ll have to move it to run it from somewhere else.
$ sudo apt-get install clang git gcc make libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
is the main command for Homebrew, which you can get here.
$ brew install masscan
Many people use to scan very large networks (such as the internet) on one or just a few ports.
masscan has been designed to work much like , which makes it instantly approachable for thousands of security professionals and enthusiasts.
$ masscan 10.11.0.0/16 -p443
You can also scan multiple ports using a comma as a separator.
$ masscan 10.11.0.0/16 -p80,443
By default masscan only takes IP addresses as parameters. This script by @jhaddix will let you scan a domain (translated to IP) instead.
Scan a Range of Ports
Or you can scan a range of ports using the dash.
$ masscan 10.11.0.0/16 -p22-25
Scan n Number of ‘s Top Ports
In addition you can use nmap’s option, which lets you specify the top n number of the most common ports to scan. So if you give it it’ll scan the top 100 most common ports discovered according to nmap.
If you don’t have the option available to you, make sure you have the latest version of masscan.
$ masscan 10.11.0.0/16 ‐‐top-ports 100
The default options
You can check masscan’s options with the switch.
Now that we’ve covered some basics, let’s look at some additional tweaks we can make.
Using the settings above you’ll definitely get results, but the speed will be quite average. As discussed already, the whole point of is to be quick, so let’s speed it up.
By default, scans at a rate of 100 packets per second, which is quite slow. To increase that, simply supply the option and specify a value.
$ masscan 10.11.0.0/16 ‐‐top-ports 100 ––rate 100000
Scanning this fast (or even slower) is likely to cause all sorts of problems, including getting your system blocked on the internet, getting abuse complaints to your hosting provider, etc. Don’t just start scanning large networks without setting groundwork first.
How fast you can scan is going to depend on a lot of factors, including your operating system (Linux scan scan far faster than Windows), the resources of your system, and—most importantly—your bandwidth. In order to scan very large networks at high speeds you’ll need to use rates of a million or more ().
Because much of the internet can react poorly to being scanned—and also just out of sheer courtesy—you may want or need to exclude some targets from your scans. To do this, provide the switch along with the name of the file that includes lists of ranges to avoid.
$ masscan 10.11.0.0/16 ‐‐top-ports 100 ‐‐excludefile exclude.txt
This will produce the notification at the top of your scan that:
exclude.txt: excluding 1 range from file
Saving Your Configuration
As we mentioned earlier, you can show the current options using , but you can also save them to a file using the standard method.
$ masscan 10.11.0.0/16 ‐‐top-ports 100 ‐‐echo> scan.txt
First, you can just use the standard Unix redirector to send output to a file:
$ masscan 10.11.0.0/16 ‐‐top-ports 100 > results.txt
But in addition to that you also have the following output options:
- : Output to in XML.
- : Output to in Grepable format.
- : Output to in JSON format.
As mentioned initially, masscan is built to work much like , which makes it familiar to many security people. Here are some of the other nmap-like options that are available:
You can see the nmap-like functionality by passing the switch.
- : Read inputs from a file.
- : Exclude a network on the command line.
- : Exclude networks from a file.
- : Spoof source IP.
- : Verbose output.
- : Very verbose output.
- : Use specified interface.
- : Use specified interface.
Ok, here are some quick and functional scan examples that you can start with and then tweak to your taste and requirements.
We’re assuming here that you want to scan quickly.
Scan a Network for Web Ports
$ masscan 10.11.0.0/16 -p80,443,8080––rate 1000000
Scan a Network for the Top 10 Ports
$ masscan 10.11.0.0/16 ‐‐top-ten––rate 1000000
Scan a Network for All Ports
$ masscan 10.11.0.0/16 -p0-65535––rate 1000000
Scan The Internet for A Port
We’ve increased the speed to 10 million per second, which will max you out.
$ masscan 0.0.0.0/0 -p443––rate 10000000
Scan The Internet for All Ports
In general you should expect bad and/or amazing things to happen if you try this.
$ masscan 0.0.0.0/0 -p0-65535––rate 10000000
There are other options available that you can get from following the for the source code repository, but this primer should get you up and running nicely.
Happy (speed) scanning!
- There are number of defaults that are enabled with masscan that need to be defined with nmap simply because the scanners work in different ways. For example, masscan always treats all hosts as online, scans are always randomized, it’s a SYN-based scan, it never does DNS resolution, and scans are performed using raw .
- One thing that’s fairly unique to masscan is that you can easily pause and resume scans. When you press a file is created called that has all the settings and progress from the scan. You can resume that scan with .
- The project readme.
Written By Daniel Miessler
Daniel Miessler is a cybersecurity leader, writer, and founder of Unsupervised Learning. He's been writing content on security, technology, and society since 1999, and has been featured in the New York Times, Wall Street Journal, the BBC, and many other publications.
You will also be interested:
- 1985 bonneville for sale
- 20 bomb apex
- Slope and hatch
- Mens jade signet ring
- Sims 2 starter homes
- Weather for feb 25
- 26 extension ladder
- Percy jackson romance fanfiction
- Spongebob aesthetic wallpaper
MASSCAN: Mass IP port scanner
This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
Its usage (parameters, output) is similar to , the most famous port scanner. When in doubt, try one of those features -- features that support widespread scanning of many machines are supported, while in-depth scanning of single machines aren't.
Internally, it uses asynchronous transmission, similar to port scanners like , , and . It's more flexible, allowing arbitrary port and address ranges.
NOTE: masscan uses its own ad hoc TCP/IP stack. Anything other than simple port scans may cause conflict with the local TCP/IP stack. This means you need to use either the option to run from a different IP address, or use to configure which source ports masscan uses, then also configure the internal firewall (like or ) to firewall those ports from the rest of the operating system.
This tool is free, but consider contributing money to its development: Bitcoin wallet address: 1MASSCANaHUiyTtR3bJ2sLGuMw5kDBaj4T
On Debian/Ubuntu, it goes something like the following. It doesn't really have any dependencies other than a C compiler (such as or ).
This puts the program in the subdirectory. To install it (on Linux) run:
The source consists of a lot of small files, so building goes a lot faster by using the multi-threaded build. This requires more than 2gigs on a Raspberry Pi (and breaks), so you might use a smaller number, like rather than all possible threads.
While Linux is the primary target platform, the code runs well on many other systems (Windows, macOS, etc.). Here's some additional build info:
- Windows w/ Visual Studio: use the VS10 project
- Windows w/ MinGW: just type
- Windows w/ cygwin: won't work
- Mac OS X /w XCode: use the XCode4 project
- Mac OS X /w cmdline: just type
- FreeBSD: type
- other: try just compiling all the files together,
On macOS, the x86 binaries seem to work just as fast under ARM emulation.
Usage is similar to . To scan a network segment for some ports:
- scan the subnet, and subnets
- scans port 80 and the range 8000 to 8100, or 102 ports total, on both subnets
- print output to that can be redirected to a file
To see the complete list of options, use the feature. This dumps the current configuration and exits. This output can be used as input back into the program:
Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interaction with the application at that port in order to grab simple "banner" information.
Masscan supports banner checking on the following protocols:
The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.
The easiest way to prevent this is to assign masscan a separate IP address. This would look like one of the following examples:
The address you choose has to be on the local subnet and not otherwise be used by another system. Masscan will warn you that you've made a mistake, but you might've messed up the other machine's communications for several minutes, so be careful.
In some cases, such as WiFi, this isn't possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:
You probably want to pick ports that don't conflict with ports Linux might otherwise choose for source-ports. You can see the range Linux uses, and reconfigure that range, by looking in the file:
On the latest version of Kali Linux (2018-August), that range is 32768 to 60999, so you should choose ports either below 32768 or 61000 and above.
Setting an rule only lasts until the next reboot. You need to lookup how to save the configuration depending upon your distro, such as using and/or .
On Mac OS X and BSD, there are similar steps. To find out the ranges to avoid, use a command like the following:
On FreeBSD and older MacOS, use an command:
On newer MacOS and OpenBSD, use the packet-filter utility. Edit the file to add a line like the following:
Then to enable the firewall, run the command:
If the firewall is already running, then either reboot or reload the rules with the following command:
Windows doesn't respond with RST packets, so neither of these techniques are necessary. However, masscan is still designed to work best using its own IP address, so you should run that way when possible, even when it is not strictly necessary.
The same thing is needed for other checks, such as the check, which is just a form of banner checking.
How to scan the entire Internet
While useful for smaller, internal networks, the program is really designed with the entire Internet in mind. It might look something like this:
Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, you want to use the following syntax:
This just prints the results to the command-line. You probably want them saved to a file instead. Therefore, you want something like:
This saves the results in an XML file, allowing you to easily dump the results in a database or something.
But, this only goes at the default rate of 100 packets/second, which will take forever to scan the Internet. You need to speed it up as so:
This increases the rate to 100,000 packets/second, which will scan the entire Internet (minus excludes) in about 10 hours per port (or 655,360 hours if scanning all ports).
The thing to notice about this command-line is that these are all compatible options. In addition, "invisible" options compatible with are also set for you: . Likewise, the format of the XML file is inspired by . There are, of course, a lot of differences, because the asynchronous nature of the program leads to a fundamentally different approach to the problem.
The above command-line is a bit cumbersome. Instead of putting everything on the command-line, it can be stored in a file instead. The above settings would look like this:
To use this configuration file, use the :
This also makes things easier when you repeat a scan.
By default, masscan first loads the configuration file . Any later configuration parameters override what's in this default configuration file. That's where I put my "excludefile" parameter so that I don't ever forget it. It just works automatically.
By default, masscan produces fairly large text files, but it's easy to convert them into any other format. There are five supported output formats:
xml: Just use the parameter . Or, use the parameters and .
binary: This is the masscan builtin format. It produces much smaller files so that when I scan the Internet my disk doesn't fill up. They need to be parsed, though. The command-line option will read binary scan files. Using with the option will produce an XML version of the results file.
grepable: This is an implementation of the Nmap -oG output that can be easily parsed by command-line tools. Just use the parameter . Or, use the parameters and .
json: This saves the results in JSON format. Just use the parameter . Or, use the parameters and .
list: This is a simple list with one host and port pair per line. Just use the parameter . Or, use the parameters and . The format is:
Comparison with Nmap
Where reasonable, every effort has been taken to make the program familiar to users, even though it's fundamentally different. Masscan is tuned for wide range scanning of a lot of machines, whereas nmap is designed for intensive scanning of a single machine or a small range.
Two important differences are:
- no default ports to scan, you must specify
- target hosts are IP addresses or simple ranges, not DNS names, nor the funky subnet ranges can use (like ).
You can think of as having the following settings permanently enabled:
- : this does SYN scan only (currently, will change in the future)
- : doesn't ping hosts first, which is fundamental to the async operation
- : no DNS resolution happens
- : scan completely randomized, always, you can't change this
- : sends using raw
If you want a list of additional compatible settings, use the following command:
Transmit rate (IMPORTANT!!)
This program spews out packets very fast. On Windows, or from VMs, it can do 300,000 packets/second. On Linux (no virtualization) it'll do 1.6 million packets-per-second. That's fast enough to melt most networks.
Note that it'll only melt your own network. It randomizes the target IP addresses so that it shouldn't overwhelm any distant network.
By default, the rate is set to 100 packets/second. To increase the rate to a million use something like .
When scanning the IPv4 Internet, you'll be scanning lots of subnets, so even though there's a high rate of packets going out, each target subnet will receive a small rate of incoming packets.
However, with IPv6 scanning, you'll tend to focus on a single target subnet with billions of addresses. Thus, your default behavior will overwhelm the target network. Networks often crash under the load that masscan can generate.
This section describes the major design issues of the program.
The file contains the function, as you'd expect. It also contains the and functions. These functions have been deliberately flattened and heavily commented so that you can read the design of the program simply by stepping line-by-line through each of these.
This is an asynchronous design. In other words, it is to what the web-server is to . It has separate transmit and receive threads that are largely independent from each other. It's the same sort of design found in , , and .
Because it's asynchronous, it runs as fast as the underlying packet transmit allows.
A key difference between Masscan and other scanners is the way it randomizes targets.
The fundamental principle is to have a single index variable that starts at zero and is incremented by one for every probe. In C code, this is expressed as:
We have to translate the index into an IP address. Let's say that you want to scan all "private" IP addresses. That would be the table of ranges like:
In this example, the first 64k indexes are appended to 192.168.x.x to form the target address. Then, the next 16-million are appended to 10.x.x.x. The remaining indexes in the range are applied to 172.16.x.x.
In this example, we only have three ranges. When scanning the entire Internet, we have in practice more than 100 ranges. That's because you have to blacklist or exclude a lot of sub-ranges. This chops up the desired range into hundreds of smaller ranges.
This leads to one of the slowest parts of the code. We transmit 10 million packets per second and have to convert an index variable to an IP address for each and every probe. We solve this by doing a "binary search" in a small amount of memory. At this packet rate, cache efficiencies start to dominate over algorithm efficiencies. There are a lot of more efficient techniques in theory, but they all require so much memory as to be slower in practice.
We call the function that translates from an index into an IP address the function. In use, it looks like:
Masscan supports not only IP address ranges, but also port ranges. This means we need to pick from the index variable both an IP address and a port. This is fairly straightforward:
This leads to another expensive part of the code. The division/modulus instructions are around 90 clock cycles, or 30 nanoseconds, on x86 CPUs. When transmitting at a rate of 10 million packets/second, we have only 100 nanoseconds per packet. I see no way to optimize this any better. Luckily, though, two such operations can be executed simultaneously, so doing two of these, as shown above, is no more expensive than doing one.
There are actually some easy optimizations for the above performance problems, but they all rely upon , the fact that the index variable increases one by one through the scan. Actually, we need to randomize this variable. We need to randomize the order of IP addresses that we scan or we'll blast the heck out of target networks that aren't built for this level of speed. We need to spread our traffic evenly over the target.
The way we randomize is simply by encrypting the index variable. By definition, encryption is random and creates a 1-to-1 mapping between the original index variable and the output. This means that while we linearly go through the range, the output IP addresses are completely random. In code, this looks like:
This also has a major cost. Since the range is an unpredictable size instead of a nice even power of 2, we can't use cheap binary techniques like AND (&) and XOR (^). Instead, we have to use expensive operations like MODULUS (%). In my current benchmarks, it's taking 40 nanoseconds to encrypt the variable.
This architecture allows for lots of cool features. For example, it supports "shards". You can set up 5 machines each doing a fifth of the scan or . Shards can be multiple machines, or simply multiple network adapters on the same machine, or even (if you want) multiple IP source addresses on the same network adapter.
Or, you can use a 'seed' or 'key' to the encryption function, so that you get a different order each time you scan, like .
We can also pause the scan by exiting out of the program, and simply remembering the current value of , and restart it later. I do that a lot during development. I see something going wrong with my Internet scan, so I hit to stop the scan, then restart it after I've fixed the bug.
Another feature is retransmits/retries. Packets sometimes get dropped on the Internet, so you can send two packets back-to-back. However, something that drops one packet may drop the immediately following packet. Therefore, you want to send the copy about 1 second apart. This is simple. We already have a 'rate' variable, which is the number of packets-per-second rate we are transmitting at, so the retransmit function is simply to use as the index. One of these days I'm going to do a study of the Internet, and differentiate "back-to-back", "1 second", "10 second", and "1 minute" retransmits this way in order to see if there is any difference in what gets dropped.
The asynchronous technique is known as a solution to the "c10k problem". Masscan is designed for the next level of scalability, the "C10M problem".
The C10M solution is to bypass the kernel. There are three primary kernel bypasses in Masscan:
- custom network driver
- user-mode TCP stack
- user-mode synchronization
Masscan can use the PF_RING DNA driver. This driver DMAs packets directly from user-mode memory to the network driver with zero kernel involvement. That allows software, even with a slow CPU, to transmit packets at the maximum rate the hardware allows. If you put 8 10-gbps network cards in a computer, this means it could transmit at 100-million packets/second.
Masscan has its own built-in TCP stack for grabbing banners from TCP connections. This means it can easily support 10 million concurrent TCP connections, assuming of course that the computer has enough memory.
Masscan has no "mutex". Modern mutexes (aka. futexes) are mostly user-mode, but they have two problems. The first problem is that they cause cache-lines to bounce quickly back-and-forth between CPUs. The second is that when there is contention, they'll do a system call into the kernel, which kills performance. A mutex on the fast path of a program severely limits scalability. Instead, Masscan uses "rings" to synchronize things, such as when the user-mode TCP stack in the receive thread needs to transmit a packet without interfering with the transmit thread.
The code runs well on Linux, Windows, and Mac OS X. All the important bits are in standard C (C90). Therefore, it compiles on Visual Studio with Microsoft's compiler, the Clang/LLVM compiler on Mac OS X, and GCC on Linux.
Windows and Macs aren't tuned for packet transmit, and get only about 300,000 packets-per-second, whereas Linux can do 1,500,000 packets/second. That's probably faster than you want anyway.
A bounty is offered for vulnerabilities, see the VULNINFO.md file for more information.
This project uses safe functions like instead of unsafe functions like .
This project has automated unit regression tests ().
A lot of effort has gone into making the input/output look like , which everyone who does port scans is (or should be) familiar with.
IPv6 and IPv4 coexistence
Masscan supports IPv6, but there is no special mode, both are supported at the same time. (There is no option -- it's always available).
In any example you see of masscan usage, simply put an IPv6 address where you see an IPv4 address. You can include IPv4 and IPv6 addresses simultaneously in the same scan. Output includes the appropriate address at the same location, with no special marking.
Just remember that IPv6 address space is really big. You probably don't want to scan for big ranges, except maybe the first 64k addresses of a subnet that were assigned via DHCPv6.
Instead, you'll probably want to scan large lists of addresses stored in a file () that you got from other sources. Like everywhere else, this file can contain lists of both IPv4 and IPv6 addresses. The test file I use contains 8 million addresses. Files of that size need a couple extra seconds to be read on startup (masscan sorts the addresses and removes duplicates before scanning).
Remember that masscan contains its own network stack. Thus, the local machine you run masscan from does not need to be IPv6 enabled -- though the local network needs to be able to route IPv6 packets.
To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as "PF_RING ZC" from ntop. Masscan doesn't need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:
- (installed in /usr/lib/libpfring.so)
- (their kernel driver)
- (their version of the Intel 10-gbps Ethernet driver)
You don't need to build their version of .
When Masscan detects that an adapter is named something like instead of something like , it'll automatically switch to PF_RING ZC mode.
A more detail discussion can be found in PoC||GTFO 0x15.
The project contains a built-in unit test:
This tests a lot of tricky bits of the code. You should do this after building.
To test performance, run something like the following to a throw-away address, to avoid overloading your local router:
The bogus keeps packets on the local network segments so that they won't go out to the Internet.
You can also test in "offline" mode, which is how fast the program runs without the transmit overhead:
This second benchmark shows roughly how fast the program would run if it were using PF_RING, which has near zero overhead.
By the way, the randomization algorithm makes heavy use of "integer arithmetic", a chronically slow operation on CPUs. Modern CPUs have doubled the speed at which they perform this calculation, making much faster.
This tool created by Robert Graham: email: [email protected] twitter: @ErrataRob