masscan: scan the internet in 5 minutes!

p2p_network_compA very common utility to scan open ports in a network is nmap. However, it uses synchronous SYN packets for data transmission and performs slowly. What if you want to scan a network with thousands of devices? masscan is a utility to scan the whole internet in less than 5 minutes!

masscan transmits 10 million packets per second using asynchronous transmission. It is the fastest port scanning tool at the time of writing. The syntax follows that of nmap (for port scanning closely) and allows arbitrary port and address ranges. masscan can be used for port scanning only because it comes bundled with its own TCP/IP stack.

A nice explanation from Rhomboid on Reddit on how masscan works for the layman:

“A SYN packet (the first packet of the three-way handshake used to establish a TCP connection) is only 52 bytes (66 with the Ethernet header), so with a decent connection you can spew them out at a very high rate. You can do the math yourself, but at 10 Gigabits / sec, and 232 addresses to cover, and 66 bytes per connection attempt, you arrive at something approaching 5 minutes.

However, this does require bypassing the operating system’s networking stack and using raw sockets, as otherwise the amount of data the operating system would spend actually tracking the state of all those connections would kill you. The key is that you’re not actually establishing any connections, so you don’t care about any of that. You just want to see if something responds or not. So this is very much not the same as calling the standard BSD socket connect() call four billion times. In fact the sending side and the receiving side don’t even really need to coordinate. The sending side blasts out SYNs as fast as possible and the receiving side just makes a note of any addresses that reply.”

Installation

You can compile and install masscan on Ubuntu. Run the following commands:

$ sudo apt-get install libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make //OR make -j

You must run a self-test to make sure everything works fine. Run:

$ make regress
$ bin/masscan --regress
selftest: success!

NOTE: To use masscan effectively with more than 2 million packets per second, you need the PF_RING DNA kernel driver from ntop and an Intel 10-gbps Ethernet adapter. You need to build the following files: libpfring.so, pf_ring.ko, ixgbe.ko. You might also find pre-compiled packages for your distribution here. When masscan finds an adapter like dna0 it will switch to the PF_RING mode automatically.

Usage

See complete list of options:

$ bin/masscan --echo

For help and explanation, run:

$ bin/masscan --help

To test a performance test on local network run:

$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11

To test in offline mode without actual transmission:

$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline

To scan the 10.x.x.x subnet (mask 255.0.0.0), port 80 and 8000-8100 range, run:

$ sudo bin/masscan -p80,8000-8100 10.0.0.0/8

To scan the internet (bad idea because your IP may be blacklisted):

$ sudo masscan 0.0.0.0/0 -p0-65535

If you want to exclude some IPs and export the list to a file, run:

$ sudo masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt -oX scan.xml

To increase the rate to 100,000 packets per sec, try:

$ sudo masscan 0.0.0.0/0 -p0-65535 --max-rate 100000

NOTE: On Windows (or from VMs) masscan can send up to 300,000 packets/second. On Linux without virtualization it can send up to 1.6 million packets-per-second.

You can put all these gory details in a configuration file and use it as input to masscan:

$ cat myscan.conf
# My Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
$ sudo masscan -c myscan.conf

On GitHub: masscan

Similar software

Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s