LinuxCommandLibrary

masscan

Scan IP addresses for open TCP ports

TLDR

Scan an IP or network subnet for port 80
$ masscan [ip_address|network_prefix] [[-p|--ports]] [80]

Scan a class B subnet for the top 100 ports at 100,000 packets per second
$ masscan [10.0.0.0/16] --top-ports [100] --rate [100000]

Scan a class B subnet avoiding ranges from a specific exclude file
$ masscan [10.0.0.0/16] --top-ports [100] --excludefile [path/to/file]

Scan a class B subnet with Nmap-like version detection (banner grabbing)
$ masscan [10.0.0.0/16] [[-p|--ports]] [22,80] --banners --rate [100000]

Scan the Internet for web servers running on port 80 and 443
$ masscan [0.0.0.0/0] [[-p|--ports]] [80,443] --rate [10000000]

Scan the Internet for DNS servers running on UDP port 53
$ masscan [0.0.0.0/0] [[-p|--ports]] [U:53] --rate [10000000]

Scan the Internet for a specific port range and export to a file
$ masscan [0.0.0.0/0] [[-p|--ports]] [0-65535] --output-format [binary|grepable|json|list|xml] --output-filename [path/to/file]

Read binary scan results from a file and output to stdout
$ masscan --readscan [path/to/file]
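As an added example (not part of this page or of the masscan project), the script below reads results written with --output-format json (-oJ), strips the non-JSON "finished" trailer some older builds append, and reports open ports that a host is not expected to expose. The record key names, the sample records and the per-host allowlist are assumptions constructed for the example.

```python
# Added example (not masscan's own code): parse results written with
# --output-format json / -oJ and flag open ports a host is not expected
# to expose. Key names (ip, ports[].port/proto/status) are assumed from
# typical masscan output; all records below are constructed, not real.
import json
import re
from collections import defaultdict

# Constructed sample in the shape masscan writes with -oJ. Some older builds
# close the array with a bare "{finished: 1}" record, which is not valid JSON.
SAMPLE_JSON = """[
{   "ip": "10.0.0.5",   "timestamp": "1700000000", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "10.0.0.5",   "timestamp": "1700000001", "ports": [ {"port": 3389, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{   "ip": "10.0.0.7",   "timestamp": "1700000002", "ports": [ {"port": 53, "proto": "udp", "status": "open", "reason": "udp-response", "ttl": 64} ] }
,
{finished: 1}
]"""

def parse_masscan_json(text):
    """Return {ip: {(proto, port), ...}} for every port reported open."""
    # Drop the non-JSON trailer (and the comma before it) if present.
    cleaned = re.sub(r",?\s*\{finished:\s*1\}", "", text)
    open_ports = defaultdict(set)
    for rec in json.loads(cleaned):
        for p in rec.get("ports", []):
            if p.get("status") == "open":
                open_ports[rec["ip"]].add((p["proto"], int(p["port"])))
    return dict(open_ports)

# Expected exposure per host (constructed): anything open beyond this is a finding.
ALLOWLIST = {
    "10.0.0.5": {("tcp", 80), ("tcp", 443)},
    "10.0.0.7": {("udp", 53)},
}

def unexpected_exposures(open_ports, allowlist):
    """Return {ip: sorted [(proto, port), ...]} for ports not on the allowlist."""
    findings = {}
    for ip, ports in open_ports.items():
        extra = ports - allowlist.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings

if __name__ == "__main__":
    for ip, extra in unexpected_exposures(parse_masscan_json(SAMPLE_JSON), ALLOWLIST).items():
        print(ip, "unexpected open:", ", ".join(f"{pr}/{po}" for pr, po in extra))
```

Point it at a real -oJ file by replacing SAMPLE_JSON with the file contents; the same parse also works on the output of `masscan --readscan` when that is re-exported as JSON.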

SYNOPSIS

masscan [options]
masscan -p []

PARAMETERS

-p
    Specifies the target ports to scan. Can be a single port (e.g., 80), a range (e.g., 20-25), or a list (e.g., 80,443,8080). Multiple ranges/ports can be comma-separated.

--rate
    Sets the desired transmission rate of packets, in packets per second. Higher rates scan faster but consume more bandwidth and CPU. Use '0' for unlimited speed.

--banners
    Attempts to grab banners/application responses from open ports. This slows down the scan slightly but provides valuable service information.

-iL
    Reads target IP address ranges from the specified file. Each line in the file can contain an IP, a CIDR range, or a hyphenated range.

--excludefile
    Reads IP address ranges from the specified file to exclude from the scan. Useful for avoiding critical systems or non-public ranges.

-oX
    Outputs the scan results in XML format to the specified file. Compatible with Nmap's XML output.

-oJ
    Outputs the scan results in JSON format to the specified file.

-oG
    Outputs the scan results in Greppable format to the specified file, similar to Nmap's greppable output.

--open-only
    Only displays results for open ports, suppressing output for closed or filtered ports.

--ping
    Pings the targets before scanning. This can help identify live hosts but may slow down the scan on very large ranges.

--source-ip
    Sets the source IP address for outgoing packets. Useful for specifying a particular network interface or for spoofing.

--source-port
    Sets the source port for outgoing packets. Can be a single port or a range.

DESCRIPTION

masscan is an Internet-scale port scanner, designed to scan the entire Internet in under 6 minutes. It can discover open ports on a massive number of IP addresses much faster than traditional scanners like Nmap by using a custom, asynchronous TCP/IP stack. It sends packets asynchronously, similar to how zmap operates, but it also has a full TCP connect scanner, allowing for banner grabbing. This makes masscan ideal for large-scale security research, vulnerability assessment of large networks, or identifying services exposed on the public internet. Its high-speed nature means it can generate significant network traffic, requiring careful use to avoid network saturation or detection.

CAVEATS

Due to its high speed, masscan can generate an enormous amount of network traffic and may be disruptive if used irresponsibly. It can trigger Intrusion Detection Systems (IDS) and firewalls, potentially leading to IP blocking. Users should ensure they have proper authorization before scanning any network, especially external public ranges. Running masscan at very high rates might require kernel tuning for increased socket buffer sizes or a high-performance network interface card.

ETHICAL CONSIDERATIONS

The ability of masscan to scan vast swathes of the Internet so rapidly brings significant ethical considerations. Unauthorized scanning can be illegal and viewed as a hostile act. It is crucial to only scan networks for which you have explicit permission. For broad research purposes, consider using it with a low rate and focus on non-sensitive ports, or direct efforts towards known open research datasets.

PERFORMANCE AND RESOURCE USAGE

masscan can consume significant network bandwidth and CPU resources, especially at high rates. It is recommended to run it on machines with good network connectivity and sufficient processing power. At rates exceeding millions of packets per second, network hardware and operating system limits may become bottlenecks, requiring advanced tuning or specialized hardware.

HISTORY

masscan was developed by Robert Graham (aka 'fyodor'), the creator of Nmap, and first released in 2013. Graham designed masscan to address the need for extremely fast, Internet-scale scanning, moving beyond the capabilities of traditional scanners for such large datasets. His primary goal was to create a tool capable of scanning the entire public IPv4 address space for a single port in just a few minutes, a feat previously impractical. Its development focused on a custom, stateless TCP/IP stack to achieve this unprecedented speed.

SEE ALSO

nmap(1), zmap(1), netcat(1)
