This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.
It produces results similar to nmap, the most famous port scanner. Internally, it operates more like unicornscan and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.
This program spews out packets very fast. On Windows, or from VMs, it can do 300,000 packets/second. On Linux (no virtualization) it'll do 1.6 million packets per second. That's fast enough to melt most networks. Note that it'll only melt your own network: it randomizes the target IP addresses, so no single distant network should see more than a trickle of probes, but your own uplink carries the full transmit rate.
By default, the rate is set to 100 packets/second. To increase the rate to a million, use something like --rate 1000000.
On Debian/Ubuntu, it goes something like this:
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ sudo apt-get install libpcap-dev
$ make
This puts the program in the masscan/bin subdirectory. You'll have to manually copy it to something like /usr/local/bin if you want to install it elsewhere on the system.
While Linux is the primary target platform, the code runs well on many other systems. Here’s some additional build info:
To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as "PF_RING DNA" from http://www.ntop.org. Masscan doesn't need to be rebuilt in order to use PF_RING; it loads the library at run time. To use PF_RING, you need to build the following components:
libpfring.so (installed in /usr/lib/libpfring.so)
pf_ring.ko (their kernel driver)
ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)
You don’t need to build their version of
When Masscan detects that an adapter is named something like dna0 instead of something like eth0, it'll automatically switch to PF_RING mode.
Usage is similar to nmap. To scan a network segment for some ports:
# masscan -p80,8000-8100 10.0.0.0/8
To see the complete list of options, use the --echo feature. This dumps the current configuration (every setting, including the defaults you did not specify) and exits. This output can be used as input back into the program with -c, and later command-line options override what the file says:
# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
# masscan -c xxx.conf --rate 1000
Where reasonable, every effort has been taken to make the program familiar to nmap users, even though it's fundamentally different. Two important differences are:
nmap can use (like
You can think of masscan as having the following settings permanently enabled:
-sS: this does SYN scan only (currently, will change in future)
-Pn: doesn’t ping hosts first, which is fundamental to the async operation
-n: no DNS resolution happens
--randomize-hosts: scan completely randomized
--send-eth: sends using raw
If you want a list of additional nmap-compatible settings, use the following command:
# masscan --nmap
While useful for smaller, internal networks, the program is designed really with the entire Internet in mind. It might look something like this:
# masscan 0.0.0.0/0 -p0-65535
Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, put them in a file (one address, CIDR block or dotted range per line) and pass it with --excludefile:
# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
This just prints the results to the command-line. You probably want them saved to a file instead. Therefore, you want something like:
# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml
This saves the results in an XML file, allowing you to easily dump the results in a database or something.
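Loading that XML into a database starts with parsing it, and the standard library is enough. The following is an added example, not masscan's own code: SAMPLE_XML is a constructed scan result laid out in the nmap style the text describes (the element and attribute names are assumptions to check against a real file), and the parser merges the one-record-per-port host entries it assumes the scanner writes into a single entry per address.

```python
"""
Parse nmap-style XML scan output into per-host lists of open ports.

Added example, not masscan's own code. SAMPLE_XML is constructed in the
nmap-style layout the text says -oX follows; element and attribute names
are assumptions. The parser assumes one <host> element per (address, port)
record and merges them per address.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; documentation addresses only, not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1700000000" version="1.0" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp"/>
<host endtime="1700000001"><address addr="198.51.100.7" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="54"/></port></ports></host>
<host endtime="1700000002"><address addr="198.51.100.7" addrtype="ipv4"/><ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="54"/></port></ports></host>
<host endtime="1700000003"><address addr="203.0.113.9" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="61"/></port></ports></host>
<host endtime="1700000004"><address addr="203.0.113.9" addrtype="ipv4"/><ports><port protocol="tcp" portid="8000"><state state="closed" reason="rst-ack" reason_ttl="61"/></port></ports></host>
<runstats><finished time="1700000005" elapsed="5"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def parse_scan(xml_text, want_state="open"):
    """Return {address: sorted [(protocol, port), ...]} for ports in want_state.

    Hosts are keyed by IPv4 address so that several <host> records for the
    same address (one per port hit) collapse into one entry.
    """
    root = ET.fromstring(xml_text)
    found = defaultdict(set)
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None or addr.get("addrtype") != "ipv4":
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == want_state:
                found[addr.get("addr")].add((port.get("protocol"), int(port.get("portid"))))
    return {address: sorted(ports) for address, ports in found.items()}


def to_rows(results):
    """Flatten to (address, protocol, port) tuples, the shape a DB insert wants."""
    return [(address, proto, port)
            for address, ports in results.items()
            for proto, port in ports]


if __name__ == "__main__":
    for row in to_rows(parse_scan(SAMPLE_XML)):
        print("%-16s %s/%d" % row)
```

The `want_state` parameter exists because a scan run with `output-status = all` also records closed ports, and those usually belong in a separate table from the open ones.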
But, this only goes at the default rate of 100 packets/second, which will take forever to scan the Internet. You need to speed it up as so:
# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000
This increases the rate to 100,000 packets/second, which will scan the entire Internet (minus excludes) in about 10 hours per port (or 655,360 hours if scanning all ports). As a sanity check: the full IPv4 space is 2^32, or about 4.3 billion addresses, which at 100,000 packets/second is roughly 12 hours per port before anything is excluded.
The thing to notice about this command-line is that these are all nmap-compatible options. In addition, "invisible" options compatible with nmap are also set for you: -sS -Pn -n --randomize-hosts --send-eth. Likewise, the format of the XML file is inspired by nmap. There are, of course, a lot of differences, because the _asynchronous_ nature of the program leads to a fundamentally different approach to the problem.
Instead of command-line options, the same settings can be kept in a configuration file, in the key = value format that --echo produces. The scan above looks like this as a file:
# My Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
To use this configuration file, pass it with the -c option:
# masscan -c myscan.conf
This also makes things easier when you repeat a scan.
By default, _masscan_ first loads the configuration file /etc/masscan/masscan.conf. Any later configuration parameters override what's in this default configuration file. That's where I put my "excludefile" parameter, so that I don't ever forget it. It just works automatically.
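The three ingredients above (an exclude file, a packet rate, and a key = value configuration file) determine how long a run takes, and it is worth computing that before pressing enter. The following is an added example, not masscan's own code: it parses a constructed copy of the "My Scan" configuration and a constructed exclude.txt, subtracts the excluded space, and reports the probe count and duration at the configured rate. The exclude syntax it accepts (single address, CIDR block, dotted range, `#` comments) and the treatment of repeated `range` keys as cumulative are assumptions about the real file formats.

```python
"""
Scan planner for the key = value configuration format shown above.

Added example, not masscan's own code. Parses 'rate', 'ports', 'range' and
an exclude list, subtracts excluded space, and estimates run time. The
exclude syntax accepted here (CIDR, 'a-b' ranges, single addresses,
'#' comments) and cumulative 'range' keys are assumptions.
"""
import ipaddress

# Constructed sample in the same format as the "My Scan" config above.
SAMPLE_CONFIG = """\
# My Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
"""

# Constructed stand-in for exclude.txt: reserved, loopback, private,
# multicast and class E space. Real exclude lists are much longer.
SAMPLE_EXCLUDES = """\
# never probe these
0.0.0.0/8
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0-255.255.255.255
"""


def parse_config(text):
    """Parse 'key = value' lines. A later key overrides an earlier one, as a
    later command-line option overrides the config file; 'range' accumulates
    instead (assumption: one scan may list several ranges)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "range" and key in cfg:
            cfg[key] += "," + value
        else:
            cfg[key] = value
    return cfg


def parse_ranges(text):
    """Parse address specs separated by newlines or commas: 'a.b.c.d',
    'a.b.c.d/n' or 'a.b.c.d-e.f.g.h'. Returns a collapsed list of networks."""
    nets = []
    for raw in text.replace(",", "\n").splitlines():
        spec = raw.split("#", 1)[0].strip()
        if not spec:
            continue
        if "-" in spec:
            lo, hi = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.IPv4Network(spec, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def parse_ports(spec):
    """Expand '80,8000-8100' into the set of port numbers, rejecting bad ranges."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def _intervals(nets):
    """Networks -> sorted, merged list of inclusive integer (lo, hi) pairs."""
    merged = []
    for net in sorted(nets, key=lambda n: int(n.network_address)):
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def count_targets(targets, excludes):
    """Number of addresses in targets that are not covered by excludes."""
    tgt, exc = _intervals(targets), _intervals(excludes)
    total = sum(hi - lo + 1 for lo, hi in tgt)
    removed = 0
    for tlo, thi in tgt:
        for elo, ehi in exc:
            lo, hi = max(tlo, elo), min(thi, ehi)
            if lo <= hi:  # each list is disjoint, so overlaps are counted once
                removed += hi - lo + 1
    return total - removed


def plan(config_text, exclude_text=""):
    """Estimate probes and run time; the rate defaults to masscan's 100 pps."""
    cfg = parse_config(config_text)
    rate = float(cfg.get("rate", 100))
    addresses = count_targets(parse_ranges(cfg["range"]), parse_ranges(exclude_text))
    ports = len(parse_ports(cfg["ports"]))
    probes = addresses * ports
    return {
        "addresses": addresses,
        "ports": ports,
        "probes": probes,
        "hours_per_port": addresses / rate / 3600,
        "hours_total": probes / rate / 3600,
    }


if __name__ == "__main__":
    for key, value in plan(SAMPLE_CONFIG, SAMPLE_EXCLUDES).items():
        print(f"{key:>15}: {value:,.1f}" if isinstance(value, float) else f"{key:>15}: {value:,}")
```

With the sample exclude list the planner reports a little over 10 hours per port at 100,000 packets/second, which is the figure quoted above; feeding it a real exclude.txt and the rate you intend to use tells you whether the scan fits the window you have before the first abuse report arrives.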