If you are familiar with Nmap, the learning curve for Masscan will not be a challenge. Although Masscan produces results in the same style as Nmap, internally it works more like ZMap and Unicornscan, using asynchronous transmission. Apart from being faster than other scanners, it is more flexible: it accepts arbitrary address ranges and port ranges, a feature many scanners still lack. Masscan's repository can be found at https://github.com/robertdavidgraham/masscan. It is available for Windows, Linux, and MacOS.
For MacOS
Use the XCode4 project, or use the command line and type 'make'.
For Debian/Ubuntu:
$ sudo apt-get install gcc git libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make
This puts the program in the masscan/bin subdirectory. The source consists of a lot of small files, so building goes much faster with a multithreaded build:
$ make -j
For FreeBSD, type 'gmake' instead of 'make'.
For windows
Use the VS10 project, or use MinGW and type 'make'.
Note: Cygwin will not work in this case.
Regression testing
Once installed, you can run the built-in regression tests with:
$ make regress
A successful run ends with a short success message.
Performance testing
Once Masscan is installed and the regression tests pass, we can test its performance with the following command:
$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
The fake --router-mac keeps the packets on the local network: they are addressed to a MAC that does not exist, so the router never forwards them. Note that this still floods the local link at full rate. For a pure CPU benchmark that transmits nothing at all, use --offline instead:
$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
Usage
To see the syntax, simply run the program without arguments:
$ bin/masscan
Suppose we run the following command:
$ bin/masscan -p80,8000-8100 10.0.0.0/8
This will do the following:
Scan the subnet 10.x.x.x, all 16 million addresses
It will scan port 80 and the range 8000 to 8100
Results go to stdout by default, so they can simply be redirected to a file (or saved in one of the formats described below). The --echo option is different: it prints the current configuration instead of running the scan, which is the easiest way to capture a reusable configuration file:
$ bin/masscan -p80,8000-8100 10.0.0.0/8 --echo > output.conf
$ bin/masscan -c output.conf
Saving the output
There are five output formats, each selected with an -o flag (or with --output-format and --output-filename, the same keys used in a configuration file):
XML: produces quite large files but is the easiest to import into other tools. Option: -oX <filename>.
Binary: Masscan's own built-in format. It produces much smaller files, but they need to be parsed. Option: -oB <filename>. The --readscan option reads a binary scan file back; using --readscan together with -oX produces an XML version of the results.
Grepable: similar to Nmap's -oG output and easily parsed with command-line tools. Option: -oG <filename>.
JSON: saves the results in JSON format. Option: -oJ <filename>.
List: a simple list with one host and one port per line. Option: -oL <filename>.
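The list and JSON formats are the ones most often post-processed by hand, so here is an added example (written for this article, not Masscan's own code) that parses both into one per-host table. The two samples are constructed to match the layouts described above (list format: one "status proto port ip timestamp" record per line, banner records carrying an application name and a \xNN-escaped payload; JSON: an array of objects with ip, timestamp and ports); treat the exact field layout as an assumption and check it against a real scan file.

```python
"""Parse Masscan -oL (list) and -oJ (JSON) output into a per-host table.

Added example for this article, not Masscan's own code. The samples are
constructed by hand to match the formats described in the text; the field
layout is an assumption to be checked against a real scan.
"""
import json
import re
from collections import defaultdict

# Constructed -oL sample: header line, open-port records, one banner record
# (spaces and CRLF appear as \x20, \x0d, \x0a) and the "# end" trailer.
SAMPLE_LIST = """#masscan
open tcp 80 172.16.92.130 1700000000
open tcp 445 172.16.92.130 1700000001
open tcp 8080 172.16.92.131 1700000002
banner tcp 80 172.16.92.130 1700000003 http HTTP/1.1\\x20200\\x20OK\\x0d\\x0aServer:\\x20nginx
# end
"""

# Constructed -oJ sample. Some Masscan versions leave a trailing comma before
# the closing bracket, which strict JSON parsers reject; parse_json() tolerates it.
SAMPLE_JSON = """[
{ "ip": "172.16.92.130", "timestamp": "1700000000", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] }
,
{ "ip": "172.16.92.131", "timestamp": "1700000002", "ports": [ {"port": 8080, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] }
,
]
"""

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_banner(text):
    """Turn list-format \\xNN escapes back into the raw banner characters."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_list(text):
    """Return {ip: {(proto, port): {"status": ..., "banner": ...}}} from -oL text."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # "#masscan" header and "# end" trailer
        fields = line.split(" ", 6)
        status, proto, port, ip = fields[0], fields[1], int(fields[2]), fields[3]
        entry = hosts[ip].setdefault((proto, port), {"status": None, "banner": None})
        if status == "banner":
            # banner <proto> <port> <ip> <timestamp> <app-proto> <escaped payload>
            payload = fields[6] if len(fields) > 6 else ""
            entry["banner"] = (fields[5], unescape_banner(payload))
        else:
            entry["status"] = status  # "open", or "closed" with output-status = all
    return dict(hosts)


def parse_json(text):
    """Same table from -oJ text; strips the trailing comma some versions emit."""
    cleaned = re.sub(r",\s*\]\s*$", "]", text.strip())
    hosts = defaultdict(dict)
    for rec in json.loads(cleaned):
        for p in rec.get("ports", []):
            hosts[rec["ip"]][(p["proto"], int(p["port"]))] = {
                "status": p["status"], "banner": None}
    return dict(hosts)


def open_ports(hosts):
    """Collapse the table to {ip: sorted open port numbers}."""
    return {ip: sorted(port for (_proto, port), e in svc.items() if e["status"] == "open")
            for ip, svc in hosts.items()}


if __name__ == "__main__":
    table = parse_list(SAMPLE_LIST)
    for ip, ports in sorted(open_ports(table).items()):
        print(ip, ports)
    print(repr(table["172.16.92.130"][("tcp", 80)]["banner"]))
```

Banner payloads are unescaped into characters, not decoded as text, so a binary protocol banner survives intact; convert with .encode("latin-1") if you need the original bytes.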
Scanning a simple windows machine
The setup here is pretty simple: a Windows machine running in VMware. Let us scan it and see which ports are open:
$ sudo bin/masscan -p0-65535 172.16.92.130 --max-rate 100000
Note: the default transmit rate is 100 packets/second, which would make a full 65,536-port scan of even a single host take over ten minutes. '--max-rate 100000' (a synonym for '--rate') raises it to 100,000 packets/second.
Banner grabbing
Another feature of Masscan is that apart from detecting open and closed ports, it can also grab simple "banner" information. The complication is that Masscan has its own TCP/IP stack. When the local system's kernel sees a SYN-ACK come back from a probed target for a connection it knows nothing about, it responds with a RST packet, which kills the connection before the banner can be read. The easiest way to prevent this is to give Masscan its own unused IP address on the local subnet, one the host stack does not own:
$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.100
With WiFi this is not possible. In that case, add a firewall rule on the host that drops incoming packets for the source port Masscan uses, so the kernel never sees them. On Linux:
$ sudo iptables -A INPUT -p tcp --dport 60000 -j DROP
$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-port 60000
Remember to delete the rule afterwards (iptables -D INPUT -p tcp --dport 60000 -j DROP), since it blocks all inbound TCP to that port on the host. On MacOS and BSD:
$ sudo ipfw add 1 deny tcp from any to any 60000 in
$ sudo bin/masscan 10.0.0.0/8 -p80 --banners --source-port 60000
Since Windows does not respond with RST packets, neither technique is required there. It is still recommended, however, to give Masscan a separate IP address.
PF_RING
On an average Windows machine, or inside a VM, Masscan can send around 300,000 packets/second. On Linux without virtualization it can do 1.6 million packets/second. That is enough to melt most networks, but because Masscan randomizes the order of target addresses the load is spread thinly across the internet, so the only network it will melt is your own. To get beyond 2 million packets/second, an Intel 10-gbps Ethernet adapter and ntop's 'PF_RING DNA' driver are required (ntop has since replaced DNA with PF_RING ZC). The driver can be downloaded from http://www.ntop.org/products/packet-capture/pf_ring/. Note: Masscan does not need to be rebuilt to use PF_RING, nor do you need to build ntop's version of 'libpcap.so'.
Scanning the internet
There is a big difference between scanning an internal network and scanning the internet, but Masscan was written with the latter in mind:
$ sudo bin/masscan 0.0.0.0/0 -p0-65535
Scanning the internet can be a really bad idea, as a lot of it does not respond well to being scanned, and some sites will add you to their ban lists. To leave such sites out, put their addresses (one CIDR block, address or dotted range per line) in an exclude file and pass it with --excludefile:
$ sudo bin/masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
You can use any of the formats mentioned above to save the results. Masscan can also read its settings from a configuration file, so the same scan can be repeated without retyping the options. You can create a file such as:
# Test Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
To run with this configuration:
$ sudo bin/masscan -c testscan.conf
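Before launching a scan from a configuration like the one above, it is worth knowing exactly how many addresses survive the exclude list and how long the run will take at the configured rate. The following added example (written for this article, not part of Masscan) reads the same key = value configuration format and an exclude file in Masscan's target syntax (CIDR blocks, single addresses and a.b.c.d-w.x.y.z ranges), removes the excluded addresses from the target range, and reports address count, probe count and estimated duration. The configuration and exclude list are constructed for a lab /16 so the example runs offline; the exclude file is looked up in an in-memory dict instead of on disk, and the ports key is treated as TCP only (Masscan's U: prefix and other prefixes are not handled).

```python
"""Preview what a Masscan config file plus excludefile will actually scan.

Added example for this article, not Masscan's own code. Parses the
"key = value" configuration format shown in the text and an exclude file in
Masscan's target syntax, applies the exclusions, and estimates the run.
"""
import ipaddress

# Constructed configuration in the article's format (a lab /16 rather than
# the whole Internet). 'excludefile' is resolved via EXCLUDE_FILES below
# instead of the filesystem so the example runs offline.
SAMPLE_CONF = """
# Test Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 80,443,8000-8100
range = 10.0.0.0/16
excludefile = exclude.txt
"""

# Constructed exclude list: CIDR block, single address and dotted range.
EXCLUDE_FILES = {
    "exclude.txt": """
# lab infrastructure that must never be probed
10.0.0.0/24
10.0.1.10
10.0.2.0-10.0.2.255
""",
}


def parse_conf(text):
    """Read 'key = value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key] = value
    return conf


def parse_ranges(text):
    """Parse CIDR / single address / 'a.b.c.d-w.x.y.z' specs into networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        for item in filter(None, (s.strip() for s in line.split(","))):
            if "-" in item:
                lo, hi = item.split("-", 1)
                nets.extend(ipaddress.summarize_address_range(
                    ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
            else:
                nets.append(ipaddress.ip_network(item, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def parse_ports(spec):
    """Expand '80,443,8000-8100' into a set of port numbers (TCP only here)."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def apply_excludes(targets, excludes):
    """Remove excluded networks; two CIDR blocks either nest or are disjoint."""
    for ex in excludes:
        remaining = []
        for net in targets:
            if net.subnet_of(ex):
                continue                                    # wholly excluded
            if ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))   # carve ex out
            else:
                remaining.append(net)                       # disjoint
        targets = remaining
    return list(ipaddress.collapse_addresses(targets))


def scan_plan(conf_text, exclude_files):
    """Return address/probe counts and estimated seconds for a config."""
    conf = parse_conf(conf_text)
    targets = parse_ranges(conf["range"])
    excludes = parse_ranges(exclude_files.get(conf.get("excludefile", ""), ""))
    effective = apply_excludes(targets, excludes)
    n_addr = sum(n.num_addresses for n in effective)
    n_ports = len(parse_ports(conf["ports"]))
    rate = float(conf.get("rate", 100))  # Masscan's default is 100 pps
    probes = n_addr * n_ports
    return {"addresses": n_addr, "ports": n_ports, "probes": probes,
            "seconds": probes / rate,
            "excluded": sum(n.num_addresses for n in targets) - n_addr}


if __name__ == "__main__":
    for key, value in scan_plan(SAMPLE_CONF, EXCLUDE_FILES).items():
        print(f"{key}: {value}")
```

The duration figure is a lower bound: Masscan also waits for late replies after the last probe is sent, and the rate you ask for is only reached if the NIC, driver and link can sustain it.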
Comparing with Nmap
The major differences between Masscan and Nmap are:
Ports must always be specified explicitly.
Target hosts must be IP addresses or simple ranges; DNS names are not accepted, nor are Nmap-style octet ranges such as 10.0.0-255.0-255.
It does, however, have the following Nmap features permanently enabled:
--send-eth: sends using raw libpcap
-n: no DNS resolution happens
-Pn: does not ping hosts first, which is fundamental to the asynchronous operation
-sS: does SYN scan only
--randomize-hosts: scans targets in random order
To get the full list of Nmap-compatible settings, run:
$ sudo bin/masscan --nmap
Masscan web-UI
Offensive Security released a web UI for Masscan some time ago. It can be found at https://github.com/offensive-security/masscan-web-ui. The installation and usage instructions are straightforward and can be found at that link.
Conclusion
Masscan is without doubt faster than most of the port scanners out there. One downside is that its performance varies with the operating system it runs on, Linux being the one that gives the best results.