LinuxCommandLibrary

masscan

Scan IP addresses for open TCP ports

TLDR

Scan an IP or network subnet for port 80
$ masscan [ip_address|network_prefix] [[-p|--ports]] [80]

Scan a class B subnet for the top 100 ports at 100,000 packets per second
$ masscan [10.0.0.0/16] --top-ports [100] --rate [100000]

Scan a class B subnet avoiding ranges from a specific exclude file
$ masscan [10.0.0.0/16] --top-ports [100] --excludefile [path/to/file]

Scan a class B subnet with Nmap-like version detection (banner grabbing)
$ masscan [10.0.0.0/16] [[-p|--ports]] [22,80] --banners --rate [100000]

Scan the Internet for web servers running on port 80 and 443
$ masscan [0.0.0.0/0] [[-p|--ports]] [80,443] --rate [10000000]

Scan the Internet for DNS servers running on UDP port 53
$ masscan [0.0.0.0/0] [[-p|--ports]] [U:53] --rate [10000000]

Scan the Internet for a specific port range and export to a file
$ masscan [0.0.0.0/0] [[-p|--ports]] [0-65535] --output-format [binary|grepable|json|list|xml] --output-filename [path/to/file]

Read binary scan results from a file and output to stdout
$ masscan --readscan [path/to/file]

SYNOPSIS

masscan [options] target range

PARAMETERS

--range
    Specifies the target IP address range to scan. Can be a single IP, a CIDR network, or a range of IP addresses (e.g., 10.0.0.0/24, 192.168.1.1-192.168.1.254).

-p
    Specifies the target ports to scan. Can be a single port, a range of ports, or a comma-separated list (e.g., -p22, -p80,443, -p1-1000).

--rate
    Sets the packet transmission rate in packets per second. This is a crucial parameter for controlling scan speed.

--banners
    Enables banner grabbing for detected open ports. Masscan attempts to retrieve service banners to identify the running software.

-oX
    Outputs the scan results in XML format to the specified file.

-oG
    Outputs the scan results in grepable format to the specified file.

--excludefile
    Excludes IP addresses listed in the specified file from the scan.

--source-ip
    Specifies the source IP address to use for the scan.

--source-port
    Specifies the source port to use for the scan.

--wait
    Specifies the maximum amount of time to wait for SYN-ACK responses.

--open
    Only shows open ports in the output.

--http-user-agent
    Sets a custom HTTP user-agent string for HTTP banner grabbing.

DESCRIPTION

Masscan is an extremely fast TCP port scanner. While most port scanners are designed for comprehensive and accurate scanning of a single system, masscan is built to scan the entire internet (or large networks) at high speed. It uses asynchronous transmission and receives packets directly, bypassing the operating system's usual TCP/IP stack overhead. This allows it to send millions of packets per second, making it significantly faster than traditional port scanners like Nmap for large-scale scans.
It primarily focuses on detecting open TCP ports, and can optionally grab banners to identify services running on those ports. Masscan outputs data in various formats, making it suitable for tasks like vulnerability scanning, network discovery, and security research where speed is paramount. However, due to its aggressive nature, masscan should be used responsibly and with permission on networks you control.

CAVEATS

Due to its aggressive scanning behavior, masscan can be easily detected and may trigger intrusion detection systems (IDS) or intrusion prevention systems (IPS). It's also important to ensure you have permission to scan the target network or IP addresses. Scanning without permission is illegal and unethical. Be mindful of the network you are scanning and adjust the rate to avoid causing disruption.
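From the defender's side, the property that makes masscan noisy is the one an IDS keys on: a single source sending bare SYNs to a large number of distinct host/port pairs in a short window, with no handshake ever completed. The following is an added example (not part of masscan or of this page's source) that runs that check over a constructed connection log. The log format (`epoch src dst dport flags`) and the thresholds are assumptions chosen for illustration; a real deployment would tune `window_s` and `min_targets` to its own traffic baseline.

```python
"""Flag sources with high SYN fan-out in a connection log (added example, constructed data)."""
from collections import defaultdict

# Constructed sample log: "<epoch> <src> <dst> <dport> <flags>", where flags is
# "S" for a client SYN and "A" for the client's ACK completing the handshake.
# 192.0.2.10 is an ordinary client; 203.0.113.5 behaves like a fast port scanner.
SAMPLE_LOG = """\
1700000000.00 192.0.2.10 198.51.100.7 443 S
1700000000.05 192.0.2.10 198.51.100.7 443 A
1700000001.00 203.0.113.5 198.51.100.1 80 S
1700000001.01 203.0.113.5 198.51.100.2 80 S
1700000001.02 203.0.113.5 198.51.100.3 80 S
1700000001.03 203.0.113.5 198.51.100.4 443 S
1700000001.04 203.0.113.5 198.51.100.5 443 S
1700000001.05 203.0.113.5 198.51.100.6 22 S
1700000001.06 203.0.113.5 198.51.100.1 80 S
1700000050.00 192.0.2.10 198.51.100.8 22 S
1700000050.10 192.0.2.10 198.51.100.8 22 A
"""


def detect_syn_fanout(lines, window_s=10.0, min_targets=5):
    """Return one alert per source whose half-open SYNs reach >= min_targets
    distinct (dst, port) pairs inside any window_s-second window."""
    syns = defaultdict(list)   # src -> [(ts, (dst, port)), ...]
    completed = set()          # (src, dst, port) triples that saw a client ACK
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue           # skip malformed lines rather than crash on them
        ts, src, dst, dport, flags = parts
        if flags == "S":
            syns[src].append((float(ts), (dst, int(dport))))
        elif flags == "A":
            completed.add((src, dst, int(dport)))

    alerts = []
    for src, events in syns.items():
        # Keep only SYNs the source never followed up with an ACK (half-open probes).
        probes = sorted((ts, tgt) for ts, tgt in events
                        if (src, tgt[0], tgt[1]) not in completed)
        best, best_start = 0, None
        start = 0
        for end in range(len(probes)):          # sliding window over timestamps
            while probes[end][0] - probes[start][0] > window_s:
                start += 1
            distinct = len({tgt for _, tgt in probes[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, probes[start][0]
        if best >= min_targets:
            alerts.append({"src": src, "distinct_targets": best,
                           "window_start": best_start})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_fanout(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting only SYNs that were never followed by an ACK is what separates a scanner from a busy but legitimate client: the client in the sample opens two connections and completes both, so it contributes no probes at all, while the scanning source is flagged on six distinct targets even though it sent seven SYNs (one repeated). Lowering `--rate`, as the text above suggests, spreads the probes over a longer window and is exactly the knob this detector's `window_s` is meant to absorb.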

FIREWALL CONSIDERATIONS

Firewalls may block or rate-limit traffic from masscan due to its high packet rate. Consider adjusting the scan rate (--rate) and using techniques like IP address spoofing (--source-ip) to evade simple firewall rules. However, be aware that IP address spoofing can make it more difficult to analyze the scan results and may be considered malicious. Note also that masscan still has to receive the SYN-ACK replies on whatever source address it sends from, so --source-ip is only useful with an address the scanning host can actually answer for (masscan's own stack can claim a spare address on the local segment); replies sent to an arbitrary address are simply never seen.

OUTPUT INTERPRETATION

Masscan's output indicates which ports are open on the target systems. Analyzing the banner information can help identify the services running on those ports and potential vulnerabilities associated with those services.
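The summary step the paragraph describes is easiest to do from the `--output-format list` or `--output-format json` files rather than from the console. The following is an added example (not part of masscan or of this page's source) that parses both formats into one per-host structure and reduces it to an open-port summary. The sample records are constructed here; their layout follows masscan's documented list and JSON output as the author of this example understands it (list lines are `status proto port ip timestamp`, with banner lines adding a service name and banner text; JSON records nest the hit under a `ports` array, with a `service` object when --banners was used), which is an assumption to verify against the masscan build actually in use.

```python
"""Summarise masscan list (-oL) and JSON (-oJ) output (added example, constructed data)."""
import json
import re
from collections import defaultdict

# Constructed sample in masscan's "list" format.
SAMPLE_LIST = """\
#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
banner tcp 80 10.0.0.5 1700000002 http.server nginx/1.24.0
open tcp 443 10.0.0.9 1700000003
open udp 53 10.0.0.12 1700000004
# end
"""

# Constructed sample in masscan's JSON format; the port-80 record carries a
# service/banner object instead of a status, as --banners output does.
SAMPLE_JSON = """[
{ "ip": "10.0.0.5", "timestamp": "1700000000", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "10.0.0.5", "timestamp": "1700000002", "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http.server", "banner": "nginx/1.24.0"} } ] },
{ "ip": "10.0.0.9", "timestamp": "1700000003", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
]"""

# status proto port ip timestamp [service banner-text]
LIST_RE = re.compile(
    r"^(open|closed|banner)\s+(tcp|udp|sctp)\s+(\d+)\s+(\S+)\s+(\d+)(?:\s+(\S+)\s+(.*))?$")


def _record(hosts, ip, proto, port):
    """Fetch-or-create the entry for one ip/proto/port."""
    return hosts[ip].setdefault((proto, int(port)), {"status": None, "banners": {}})


def parse_list(text):
    """Return {ip: {(proto, port): {"status": ..., "banners": {name: text}}}}."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # "#masscan" header and "# end" footer
        m = LIST_RE.match(line)
        if not m:
            continue                      # tolerate lines we do not understand
        status, proto, port, ip, _ts, svc, banner = m.groups()
        entry = _record(hosts, ip, proto, port)
        if status == "banner":
            entry["banners"][svc] = banner
            entry["status"] = entry["status"] or "open"   # a banner implies the port answered
        else:
            entry["status"] = status
    return dict(hosts)


def parse_json(text):
    """Same structure as parse_list, built from masscan JSON output."""
    # Assumption: some masscan builds leave a trailing comma before the closing
    # bracket; dropping it keeps json.loads happy and is a no-op otherwise.
    text = re.sub(r",\s*\]", "]", text)
    hosts = defaultdict(dict)
    for rec in json.loads(text):
        ip = rec.get("ip")
        if not ip:
            continue                      # e.g. a trailer object with no host data
        for p in rec.get("ports", []):
            entry = _record(hosts, ip, p.get("proto", "tcp"), p["port"])
            if "service" in p:
                entry["banners"][p["service"]["name"]] = p["service"].get("banner", "")
                entry["status"] = entry["status"] or "open"
            else:
                entry["status"] = p.get("status")
    return dict(hosts)


def summarize(hosts):
    """Map each ip to a sorted list of 'proto/port' strings found open."""
    out = {}
    for ip, ports in hosts.items():
        opened = sorted(k for k, v in ports.items() if v["status"] == "open")
        if opened:
            out[ip] = [f"{proto}/{port}" for proto, port in opened]
    return out


if __name__ == "__main__":
    for ip, ports in summarize(parse_list(SAMPLE_LIST)).items():
        print(ip, ", ".join(ports))
```

Both parsers feed the same `summarize`, so a list file and a JSON file from the same scan reduce to the same view; keeping the banners keyed by masscan's service name (`http.server` in the sample) is what lets the next step, matching banner text against an inventory or advisory feed, work without re-parsing the raw file.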

SYN COOKIES

Masscan is affected by SYN cookies. Therefore, it does not properly detect services behind firewalls that use SYN cookies as an anti-spoofing defense. SYN cookies are a defense against SYN flood denial-of-service attacks.

HISTORY

Masscan was developed by Robert Graham to address the limitations of existing port scanners when dealing with large-scale scans. Its primary goal was to achieve extremely high scanning speeds while maintaining reasonable accuracy. It gained popularity among security researchers and network administrators for its ability to quickly identify open ports across large networks.

SEE ALSO

nmap(1), netcat(1)
