A very common utility for scanning open ports on a network is nmap. However, it sends its SYN probes synchronously, which makes it slow. What if you want to scan a network with thousands of devices? masscan is a utility that can scan the whole internet in less than 5 minutes!
masscan transmits 10 million packets per second using asynchronous transmission. It is the fastest port scanning tool at the time of writing. Its syntax closely follows that of nmap for port scanning, and it accepts arbitrary port and address ranges. masscan can only be used for port scanning, because it ships with its own TCP/IP stack instead of using the operating system's.
A nice explanation from Rhomboid on Reddit of how masscan works, for the layman:
“A SYN packet (the first packet of the three-way handshake used to establish a TCP connection) is only 52 bytes (66 with the Ethernet header), so with a decent connection you can spew them out at a very high rate. You can do the math yourself, but at 10 Gigabits / sec, and 2^32 addresses to cover, and 66 bytes per connection attempt, you arrive at something approaching 5 minutes.
However, this does require bypassing the operating system’s networking stack and using raw sockets, as otherwise the amount of data the operating system would spend actually tracking the state of all those connections would kill you. The key is that you’re not actually establishing any connections, so you don’t care about any of that. You just want to see if something responds or not. So this is very much not the same as calling the standard BSD socket connect() call four billion times. In fact the sending side and the receiving side don’t even really need to coordinate. The sending side blasts out SYNs as fast as possible and the receiving side just makes a note of any addresses that reply.”
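The quoted description also tells a defender what to look for: a single source that sends SYNs to very many destinations in a short time and almost never finishes the handshake. The following is an added example (not from the Reddit post and not part of masscan) that runs exactly that heuristic over constructed flow records; the record tuple layout, the state names, the thresholds and the addresses are all assumptions made for this illustration.

```python
"""Flag masscan-style SYN sweeps in flow records (added example).

Each record is a constructed tuple:
    (epoch_seconds, src_ip, dst_ip, dst_port, state)
where state is "syn_only" (client sent a SYN but the handshake was never
completed: no reply, a RST, or an unanswered SYN/ACK) or "established"
(the three-way handshake finished).  This layout is an assumption for the
example, not a real sensor's schema.
"""
from collections import defaultdict, deque

SAMPLE_FLOWS = (
    # scanner: 40 distinct targets in about 2 seconds, no handshake ever completes
    [(1000.0 + i * 0.05, "203.0.113.7", f"10.0.0.{i + 1}", 80, "syn_only") for i in range(40)]
    # normal client: real connections spread over a minute, plus two failures
    + [(1000.0 + i * 2.0, "192.0.2.10", "10.0.0.5", 443, "established") for i in range(30)]
    + [(1010.0, "192.0.2.10", "10.0.0.9", 443, "syn_only"),
       (1020.0, "192.0.2.10", "10.0.0.9", 443, "syn_only")]
    # a handful of failed probes: too few targets to count as a sweep
    + [(1000.0 + i, "198.51.100.3", f"10.0.0.{i + 1}", 22, "syn_only") for i in range(5)]
)


def detect_syn_sweeps(flows, window_s=10, min_targets=20, max_complete_ratio=0.1):
    """Return {src_ip: peak_distinct_targets} for sources that look like sweeps.

    A source is flagged when, inside some window_s-second window, it sent SYNs
    to at least min_targets distinct (dst_ip, dst_port) pairs and, overall,
    fewer than max_complete_ratio of its flows reached an established state.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, state in flows:
        by_src[src].append((ts, dst, dport, state))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        total = len(events)
        completed = sum(1 for e in events if e[3] == "established")
        if total and completed / total >= max_complete_ratio:
            continue  # mostly real connections: a busy client, not a sweep

        window = deque()            # (ts, target) events inside the sliding window
        in_window = defaultdict(int)  # target -> number of events inside the window
        peak = 0
        for ts, dst, dport, state in events:
            if state != "syn_only":
                continue
            target = (dst, dport)
            window.append((ts, target))
            in_window[target] += 1
            # drop events older than window_s relative to the current one
            while window and ts - window[0][0] > window_s:
                _, old = window.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, targets in detect_syn_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: SYN sweep, {targets} distinct targets within one window")
```

The completion-ratio check is what keeps a busy but legitimate client (many connections to one service, most of them successful) out of the result; the sliding window is what separates a burst of probes from the same number of failed connections spread over a day.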
You can compile and install masscan on Ubuntu. Run the following commands:
$ sudo apt-get install libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make    # or: make -j
Run a self-test to make sure everything works:
$ make regress
$ bin/masscan --regress
selftest: success!
NOTE: To use masscan effectively at more than 2 million packets per second, you need the PF_RING DNA kernel driver from ntop and an Intel 10 Gbps Ethernet adapter. You need to build the following files: libpfring.so, pf_ring.ko and ixgbe.ko. Pre-compiled packages may also be available for your distribution. When masscan finds an adapter such as dna0, it switches to PF_RING mode automatically.
To see the complete list of options:
$ bin/masscan --echo
For help and explanation, run:
$ bin/masscan --help
To run a performance test on the local network:
$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
To test in offline mode without actual transmission:
$ sudo bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
To scan the 10.x.x.x subnet (netmask 255.0.0.0) on port 80 and the port range 8000-8100, run:
$ sudo bin/masscan -p80,8000-8100 10.0.0.0/8
To scan the entire internet (a bad idea, because your IP may end up blacklisted):
$ sudo masscan 0.0.0.0/0 -p0-65535
To exclude some IPs (listed one per line in exclude.txt) and export the results to an XML file, run:
$ sudo masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt -oX scan.xml
To increase the rate to 100,000 packets per second, try:
$ sudo masscan 0.0.0.0/0 -p0-65535 --max-rate 100000
NOTE: On Windows (or from a VM) masscan can send up to 300,000 packets per second. On Linux without virtualization it can send up to 1.6 million packets per second.
You can put all of these details in a configuration file and pass it to masscan:
$ cat myscan.conf
# My Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
$ sudo masscan -c myscan.conf
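Both the -oX option used earlier and the output-format = xml setting in this configuration file write results in the nmap-compatible XML schema. The following added example (not part of the original post or of masscan itself) parses such a file with Python's standard library and compares the open ports against an approved-exposure list, which is the usual follow-up when the scan is run against your own address space. The sample XML, the addresses, the timestamps and the APPROVED list are constructed for this illustration.

```python
"""Parse masscan XML output and report unexpected exposure (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the nmap-compatible schema masscan writes with -oX or
# output-format = xml.  Addresses and times are made up; the "closed" entry is
# the kind of record that output-status = all adds alongside the open ones.
SAMPLE_XML = """<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<nmaprun scanner="masscan" start="1700000000" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1700000001"><address addr="10.0.0.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1700000001"><address addr="10.0.0.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1700000002"><address addr="10.0.0.9" addrtype="ipv4"/><ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<host endtime="1700000002"><address addr="10.0.0.9" addrtype="ipv4"/><ports><port protocol="tcp" portid="8000"><state state="closed" reason="rst-ack" reason_ttl="63"/></port></ports></host>
<runstats>
<finished time="1700000003" timestr="2023-11-14 22:13:23" elapsed="3" />
<hosts up="2" down="0" total="2" />
</runstats>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: sorted list of (port, protocol)} for ports reported open.

    masscan streams results as they arrive, typically one <host> element per
    (address, port) pair rather than one per host, so entries that share an
    address are merged here.  Non-open states (closed, filtered) are skipped.
    """
    root = ET.fromstring(xml_text)
    open_ports = defaultdict(set)
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports[ip].add((int(port.get("portid")), port.get("protocol")))
    return {ip: sorted(ports) for ip, ports in open_ports.items()}


def unexpected_exposure(open_ports, approved):
    """Return {ip: [(port, proto), ...]} for open ports not on the approved list.

    approved maps ip -> set of (port, protocol) that are allowed to be reachable.
    A host absent from approved has nothing allowed, so all its open ports are
    reported.
    """
    findings = {}
    for ip, ports in open_ports.items():
        extra = [p for p in ports if p not in approved.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


# Constructed allow-list: only the web server on 10.0.0.5 is meant to be reachable.
APPROVED = {"10.0.0.5": {(80, "tcp"), (443, "tcp")}}

if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_XML)
    for ip, ports in sorted(found.items()):
        print(ip, ", ".join(f"{port}/{proto}" for port, proto in ports))
    print("unexpected exposure:", unexpected_exposure(found, APPROVED))
```

To run it against a real scan, replace SAMPLE_XML with the contents of scan.xml (or whatever output-filename names) and keep APPROVED in version control next to the scan configuration, so that every change in exposure shows up as a diff rather than as a surprise.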
On GitHub: https://github.com/robertdavidgraham/masscan