How to Use the Command 'masscan' (with Examples)
Masscan is a high-speed network scanning tool that is designed to scan large networks and the entire Internet quickly. It boasts a performance far superior to most traditional network scanners, making it ideal for purposes that require rapid responses, such as security assessments, network inventory, and discovering open ports. Leveraging masscan effectively allows users to efficiently and systematically sweep across large address spaces, pinpointing potential entry points or services exposed on a network. Below are several examples showing the versatility and power of masscan in different scenarios.
Use Case 1: Scan an IP or Network Subnet for Port 80
Code:
masscan ip_address|network_prefix --ports 80
Motivation: Scanning for open HTTP ports (port 80) is a common activity when checking for web servers or troubleshooting network issues. Knowing which hosts serve web pages can help network administrators manage resources effectively. In the context of cybersecurity, this information is crucial for identifying misconfigured devices or unauthorized servers exposed on the web.
Explanation:
ip_address|network_prefix
: Specifies the target IP address or subnet to scan. Using a specific IP address will target that machine, while a subnet prefix will target all devices in that network segment.
--ports 80
: Indicates that the scan should only look for services running on port 80, which is traditionally the port used by HTTP servers.
Example Output:
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.10
This output shows that there are active HTTP servers at the listed IP addresses.
Use Case 2: Scan a Class B Subnet for the Top 100 Ports at 100,000 Packets per Second
Code:
masscan 10.0.0.0/16 --top-ports 100 --rate 100000
Motivation: Scanning for the top 100 ports in a subnet allows the administrator to quickly identify common services (such as HTTP, SMTP, DNS) that are currently running. The high scan rate of 100,000 packets per second makes it feasible to conduct such a scan rapidly, even over a large address space such as a Class B subnet.
Explanation:
10.0.0.0/16
: The Class B subnet being targeted by the scan, which includes 65,536 possible IP addresses.
--top-ports 100
: Specifies that the scan should focus on the top 100 most commonly used ports, providing a broad but efficient overview of the network.
--rate 100000
: Sets the rate of scan packets to 100,000 per second, optimizing the scan time.
Example Output:
Discovered open port 22/tcp on 10.0.3.12
Discovered open port 80/tcp on 10.0.15.47
Discovered open port 443/tcp on 10.0.25.8
The output shows which of the most commonly used ports are open on devices in the subnet.
Use Case 3: Scan a Class B Subnet Avoiding Ranges from a Specific Exclude File
Code:
masscan 10.0.0.0/16 --top-ports 100 --excludefile path/to/file
Motivation: This command is particularly useful when a network administrator or security professional wants to avoid scanning certain IP ranges that may be sensitive or should not be disturbed (e.g., critical servers, partners’ networks). By providing an exclude file, these IPs can be sidestepped, ensuring that scanning operations do not impact these areas.
Explanation:
10.0.0.0/16
: Targets the specified Class B subnet for scanning.
--top-ports 100
: Focuses on the top 100 commonly used ports to maximize scanning efficiency.
--excludefile path/to/file
: Specifies a file that contains IP addresses or ranges to be excluded from the scan, formatted with one per line.
Example Output:
Discovered open port 443/tcp on 10.0.25.8
The output reflects a scan that excludes predefined ranges, focusing only on unexcluded addresses.
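A post-scan audit for the exclude file described above, as an added example that is not part of the original page: it checks that no address in the captured results falls inside an excluded entry, which catches a scan run with the wrong or an outdated exclude file. The file names, the sample entries, and the treatment of "#" as a comment marker are assumptions of this example.

```shell
# Constructed inputs: an exclude file (single IP, CIDR, start-end range) and captured
# scan stdout. Treating "#" as a comment marker is an assumption of this example.
write_samples() {   # $1 = directory to write into
  cat > "$1/exclude.txt" <<'EOF'
# critical servers
10.0.3.0/24
10.0.15.47
10.0.200.10-10.0.200.20
EOF
  cat > "$1/scan.txt" <<'EOF'
Discovered open port 22/tcp on 10.0.3.12
Discovered open port 80/tcp on 10.0.15.47
Discovered open port 443/tcp on 10.0.25.8
Discovered open port 8080/tcp on 10.0.200.15
EOF
}

# Print each scanned IP that falls inside an excluded entry (expected: none).
excluded_hits() {   # $1 = exclude file, $2 = captured scan output
  awk '
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { n = 0 }
    FILENAME == ARGV[1] {
      sub(/#.*/, ""); gsub(/[ \t]/, "")
      if ($0 == "") next
      if (split($0, p, "/") == 2) {            # CIDR: align to the network base
        size = 2 ^ (32 - p[2])
        lo[n] = int(ip2int(p[1]) / size) * size
        hi[n] = lo[n] + size - 1
      } else if (split($0, p, "-") == 2) {     # explicit start-end range
        lo[n] = ip2int(p[1]); hi[n] = ip2int(p[2])
      } else {                                 # single address
        lo[n] = ip2int($0); hi[n] = lo[n]
      }
      n++; next
    }
    /^Discovered open port/ {
      v = ip2int($NF)
      for (i = 0; i < n; i++) if (v >= lo[i] && v <= hi[i]) { print $NF; break }
    }' "$1" "$2" | LC_ALL=C sort -u
}

tmp=$(mktemp -d)
write_samples "$tmp"
excluded_hits "$tmp/exclude.txt" "$tmp/scan.txt"
```

Any line printed is an address that should not have been probed; an empty result means the capture is consistent with the exclude file.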
Use Case 4: Scan the Internet for Web Servers Running on Port 80 and 443
Code:
masscan 0.0.0.0/0 --ports 80,443 --rate 10000000
Motivation: Conducting an extensive scan to find web servers across the Internet provides invaluable data for researchers, analysts, and organizations wanting to understand the global distribution of web services. This command targets port 80 and port 443, the ports commonly used for HTTP and HTTPS, respectively.
Explanation:
0.0.0.0/0
: Represents the entire Internet as the target scan scope.
--ports 80,443
: Indicates the ports on which HTTP and HTTPS services typically run, i.e., port 80 for HTTP and port 443 for HTTPS.
--rate 10000000
: Sets a high packet rate to complete the scan quickly, given the enormous size of the address space of the Internet.
Example Output:
Discovered open port 80/tcp on 198.51.100.36
Discovered open port 443/tcp on 203.0.113.44
This output uncovers active web servers available across the Internet.
Use Case 5: Scan the Internet for DNS Servers Running on UDP Port 53
Code:
masscan 0.0.0.0/0 --ports U:53 --rate 10000000
Motivation: Locating DNS servers across the Internet can help network security professionals understand potential threats, as open or misconfigured DNS servers can be vectors for attacks like DNS amplification. Ensuring DNS servers’ security is critical to maintaining network stability.
Explanation:
0.0.0.0/0
: Targets the entire Internet.
--ports U:53
: Focuses on discovering services running on UDP port 53, the standard port for the Domain Name System (DNS).
--rate 10000000
: Enables an expedited scanning process by leveraging a high packet dispatch rate.
Example Output:
Discovered open port 53/udp on 192.0.2.55
The output reports DNS services detected globally.
Use Case 6: Scan the Internet for a Specific Port Range and Export to a File
Code:
masscan 0.0.0.0/0 --ports 0-65535 --output-format binary|grepable|json|list|xml --output-filename path/to/file
Motivation: Sometimes there is a need to scan an expansive range of ports across the global IPv4 address space and collect the results for thorough analysis. Exporting the results to a file in a specific format makes the data easier to process, parse, and share with other systems or teams.
Explanation:
0.0.0.0/0
: Scans the entire Internet.
--ports 0-65535
: Specifies scanning all possible ports, ensuring no service is missed.
--output-format binary|grepable|json|list|xml
: Allows selecting a preferred data export format for compatibility with subsequent data analysis tools.
--output-filename path/to/file
: Directs the results to be saved in the specified file, aiding comprehensive and systematic data handling.
Example Output:
Results exported to path/to/file
This outcome signifies the operation’s completion and data’s accessibility via the output file.
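One way to process an exported results file, as an added example that is not part of the original page: it compares list-format results against a baseline of approved services and reports both unapproved open ports and approved services the scan did not see. The baseline file layout, the function names, and the sample data are assumptions of this example, as is the list-format line layout "open <proto> <port> <ip> <timestamp>".

```shell
# Constructed sample of list-format results (--output-format list).
# Assumed line layout: "open <proto> <port> <ip> <timestamp>", with "#" comment lines.
write_scan() {      # $1 = path to write
  cat > "$1" <<'EOF'
#masscan
open tcp 80 10.0.15.47 1700000000
open tcp 22 10.0.3.12 1700000001
open tcp 443 10.0.25.8 1700000002
open udp 53 10.0.3.12 1700000003
open tcp 3389 10.0.15.47 1700000004
# end
EOF
}

# Constructed baseline of approved services: "<ip> <proto>/<port>", one per line.
write_baseline() {  # $1 = path to write
  cat > "$1" <<'EOF'
10.0.15.47 tcp/80
10.0.3.12 tcp/22
10.0.25.8 tcp/443
10.0.9.9 tcp/25
EOF
}

# Open ports present in the scan but absent from the baseline.
unapproved() {      # $1 = baseline, $2 = scan results
  awk 'FILENAME == ARGV[1] { ok[$1 " " $2] = 1; next }
       $1 == "open" && NF >= 4 { k = $4 " " $2 "/" $3; if (!(k in ok)) print k }' \
      "$1" "$2" | LC_ALL=C sort -u
}

# Baseline services the scan did not see (service down, filtered, or moved).
missing() {         # $1 = baseline, $2 = scan results
  awk 'FILENAME == ARGV[1] { if ($1 == "open") seen[$4 " " $2 "/" $3] = 1; next }
       NF == 2 { k = $1 " " $2; if (!(k in seen)) print k }' \
      "$2" "$1" | LC_ALL=C sort -u
}

tmp=$(mktemp -d)
write_baseline "$tmp/baseline.txt"; write_scan "$tmp/scan.list"
echo "Unapproved:"; unapproved "$tmp/baseline.txt" "$tmp/scan.list"
echo "Missing:";    missing    "$tmp/baseline.txt" "$tmp/scan.list"
```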
Use Case 7: Read Binary Scan Results from a File and Output to stdout
Code:
masscan --readscan path/to/file
Motivation: After conducting a scan, interpreting its saved results is pivotal for actionable insights. This command enables users to read previously recorded scan data, facilitating quick reviews, verifications, and decision-making processes.
Explanation:
--readscan path/to/file
: Instructs masscan to read the scan results contained in the binary file and output the findings to stdout, i.e., the terminal screen or command line interface.
Example Output:
Discovered open port 22/tcp on 203.0.113.55
Discovered open port 80/tcp on 198.51.100.32
This output presents previously collected scan information in a readable format.
Conclusion
Masscan stands out for its incredible speed and efficiency when scanning large networks or even the entire Internet. Through these varied examples, users can appreciate its capabilities in different scenarios, ranging from localized subnet scanning to comprehensive global assessments. Implementing masscan, while ensuring careful compliance with legal and ethical guidelines, can greatly aid in maintaining secure, compliant, and well-managed networks.