Never Ending Security


Masscan – TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.


MASSCAN

This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it’s faster than these other scanners. In addition, it’s more flexible, allowing arbitrary address ranges and port ranges.

Transmit rate (IMPORTANT!!)

This program spews out packets very fast. On Windows, or from VMs, it can do 300,000 packets/second. On Linux (no virtualization) it’ll do 1.6 million packets-per-second. That’s fast enough to melt most networks. Note that it’ll only melt your own network. It randomizes the target IP addresses so that it shouldn’t overwhelm any distant network.

By default, the rate is set to 100 packets/second. To increase the rate to a million use something like --rate 1000000.


Building

On Debian/Ubuntu, it goes something like this:

$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ sudo apt-get install libpcap-dev
$ make

This puts the program in the masscan/bin subdirectory. You’ll have to manually copy it to something like /usr/local/bin if you want to install it elsewhere on the system.

While Linux is the primary target platform, the code runs well on many other systems. Here’s some additional build info:

  • Windows w/ Visual Studio: use the VS10 project
  • Windows w/ MinGW: just type make
  • Windows w/ cygwin: won’t work
  • Mac OS X /w XCode: use the XCode4 project
  • Mac OS X /w cmdline: just type make
  • FreeBSD: type gmake
  • other: I don’t know, don’t care

PF_RING

To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as “PF_RING DNA” from http://www.netop.org. Masscan doesn’t need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:

  • libpfring.so (installed in /usr/lib/libpfring.so)
  • pf_ring.ko (their kernel driver)
  • ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

You don’t need to build their version of libpcap.so.

When Masscan detects that an adapter is named something like dna0 instead of something like eth0, it’ll automatically switch to PF_RING mode.

Usage

Usage is similar to nmap. To scan a network segment for some ports:

# masscan -p80,8000-8100 10.0.0.0/8

This will:

  • scan the 10.x.x.x subnet, all 16 million addresses
  • scan port 80 and the range 8000 to 8100, or 102 ports total
  • print output to stdout, which can be redirected to a file

To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:

# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
# masscan -c xxx.conf --rate 1000

Comparison with Nmap

Where reasonable, every effort has been taken to make the program familiar to nmap users, even though it’s fundamentally different. Two important differences are:

  • no default ports to scan, you must specify -p <ports>
  • target hosts are IP addresses or simple ranges, not DNS names, nor the funky subnet ranges nmap can use (like 10.0.0-255.0-255).

You can think of masscan as having the following settings permanently enabled:

  • -sS: this does SYN scan only (currently, will change in future)
  • -Pn: doesn’t ping hosts first, which is fundamental to the async operation
  • -n: no DNS resolution happens
  • --randomize-hosts: scan completely randomized
  • --send-eth: sends using raw libpcap

If you want a list of additional nmap compatible settings, use the following command:

# masscan --nmap

How to scan the entire Internet

While useful for smaller, internal networks, the program is designed really with the entire Internet in mind. It might look something like this:

# masscan 0.0.0.0/0 -p0-65535

Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, you want to use the following syntax:

# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt

This just prints the results to the command-line. You probably want them saved to a file instead. Therefore, you want something like:

# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml

This saves the results in an XML file, allowing you to easily dump the results in a database or something.

But, this only goes at the default rate of 100 packets/second, which will take forever to scan the Internet. You need to speed it up as so:

# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000

This increases the rate to 100,000 packets/second, which will scan the entire Internet (minus excludes) in about 10 hours per port (or 655,360 hours if scanning all ports).

The thing to notice about this command-line is that these are all nmap compatible options. In addition, “invisible” options compatible with nmap are also set for you: -sS -Pn -n --randomize-hosts --send-eth. Likewise, the format of the XML file is inspired by nmap. There are, of course, a lot of differences, because the asynchronous nature of the program leads to a fundamentally different approach to the problem.

The above command-line is a bit cumbersome. Instead of putting everything on the command-line, it can be stored in a file instead. The above settings would look like this:

# My Scan
rate =  100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt

To use this configuration file, use the -c option:

# masscan -c myscan.conf

This also makes things easier when you repeat a scan.

By default, masscan first loads the configuration file /etc/masscan/masscan.conf. Any later configuration parameters override what’s in this default configuration file. That’s where I put my “excludefile” parameter, so that I don’t ever forget it. It just works automatically.
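The following is an added example, not code from masscan itself: a small reader for the key = value configuration format shown above, layered the way the text describes (the /etc/masscan/masscan.conf defaults first, then a scan file, then command-line overrides), plus a probe count and duration estimate for the "16 million addresses, 102 ports" and "about 10 hours per port" figures in the Usage sections. Both configuration texts are constructed for this example; the estimate does not subtract the excludefile ranges, which is why a full 0.0.0.0/0 pass comes out nearer 12 hours than the text's 10.

```python
"""Added example, not masscan's own code: reads the key = value config format
shown above, layers it as the text describes, and estimates the scan's size."""
import ipaddress

# Constructed stand-ins for /etc/masscan/masscan.conf and myscan.conf.
DEFAULT_CONF = "excludefile = exclude.txt\nrate = 100\n"
MY_SCAN_CONF = """# My Scan
rate =  100000.00
output-format = xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
"""

def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def load_layered(*layers):
    """Later layers override earlier ones, as masscan does with -c then the CLI."""
    conf = {}
    for layer in layers:
        conf.update(layer)
    return conf

def count_ports(spec):
    """'80,8000-8100' -> 102: a single port counts 1, a-b counts b-a+1."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def count_addresses(spec):
    """Accept '10.0.0.0/8' (CIDR) or 'a.b.c.d-e.f.g.h' (inclusive range)."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    lo, _, hi = spec.partition("-")
    return int(ipaddress.ip_address(hi or lo)) - int(ipaddress.ip_address(lo)) + 1

def estimate_hours(conf):
    """Probes = addresses x ports, one SYN each, sent at 'rate' packets/second."""
    probes = count_addresses(conf["range"]) * count_ports(conf["ports"])
    return probes / float(conf["rate"]) / 3600
```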

More information can be found at: https://github.com/robertdavidgraham/masscan