How To Scan the Internet in 5 Minutes
Masscan is an open source network security scanning tool that stands out among others, thanks to its high-speed capacity. We explored what the tool is about and how to use it to scan large networks with blazing fast performance.
For information security personnel and bug bounty hunters, scanning a local network or, at the wildest, the internet for open ports is crucial for identifying vulnerabilities in a system.
Port scanning is helpful for various research and ethical hacking purposes such as penetration testing because it allows cybersecurity teams to identify loopholes and strengthen the system against such attacks.
To carry out the port scanning task, various tools have been developed such as Nmap.
However, Masscan is a tool that combines the ability of these popular tools with a high speed of up to ten million packets per second and allows you to scan the entire internet in a few minutes.
In this tutorial, we will learn about Masscan and how you can use it to scan the internet in 5 minutes.
What is Masscan?
Masscan is an asynchronous TCP port scanner that works similarly to the popular Nmap scanner.
Even though it is easily used for offensive purposes, Masscan was created to help security experts scan ports on the internet as fast as possible. The creator, Robert Graham, affirms that it takes only 6 minutes at around 10 million packets per second to scan the entire internet.
Masscan is written in C programming language and is made open source with over 49 contributors on GitHub.
Masscan notable features
Masscan uses an asynchronous transmission architecture that allows it to send out probes without having to wait for replies. This feature gives it the ability to transmit up to 10 million packets per second.
The Masscan software can be compiled, installed, and run on major operating systems, including Linux, Windows, and macOS.
In addition to its fast port scanning ability, Masscan can also fetch basic banner information from FTP, HTTP, SMTP, SSL, Telnet, and some other protocols.
One of the significant features that make Masscan readily adoptable by security experts is its compatibility with the widely used Nmap scanner. Masscan usage and output are very similar to that of Nmap, with speed being a major difference.
Apart from speed, Nmap scans, by default, about 1000 ports; Masscan has no ports to scan by default. Masscan also does not perform any DNS name sorting and supports only IP addresses, while Nmap provides support for both DNS and IP addresses.
Masscan is compatible with the three major operating systems, but we will cover only the Linux and macOS installation procedures.
Installing Masscan on Linux (Debian/Ubuntu)
The first step is to install the necessary dependencies for Masscan to run; in this case, a C compiler is the primary dependency Masscan needs.
apt-get install clang git gcc make libpcap-dev
Then we clone the source code from the official repository using:
git clone https://github.com/robertdavidgraham/masscan cd masscan make
This will install the binary under the bin/masscan directory.
Installing Masscan on macOS
You can easily install Masscan on macOS by using the Homebrew command;
brew install masscan
How To Use Masscan
Masscan is a beginner-friendly and easy to use tool to scan ports across various network sizes.
Single IP Port Scan
As much as it is efficient for scanning an extensive network like the internet, Masscan can also scan a single IP on a single port.
For example, if you want to scan an IP address 192.158. 1.38 for port 443 use the command;
masscan 192.158. 1.38 -p443
You can also scan multiple ports on a single Ip address using comma (,) as the separator.
To scan for ports 80, 25, and 443 on 192.158. 1.38 IP address/subnet;
masscan 192.158. 1.38 -p80,25,443
You can also scan a range of ports on a single IP using dash (-) as the separator.
masscan 192.158. 1.38 -p25-80
Scanning Top Ports
Masscan also enables you to scan the most popular ports using Nmap's "--top-ports" option while specifying "n," the number of popular Nmap ports to scan.
The syntax looks like "--top-ports n."
To scan IP address, 192.158. 1.38, for the top 20 ports;
masscan 192.158. 1.38 --top-ports 20
"--top-ports," Masscan also has other default options such as
--echo, --readscan, --heartbleed, and
--excludefile. We will see the usage of some of them later in this tutorial.
Increasing Masscan Transmission Speed
By default, Masscan scans at a rate of 100 packets per second. To harness the full speed of Masscan, you can specify it using the
To scan a subnet 192.158. 1.38/20 for the top 20 ports at the rate of 10,000 packets per second, we use the following command;
masscan 192.158. 1.38/20 --top-ports 20 --rate 10000
The maximum scanning rate of Masscan is ten million packets per second but how fast your scanning can go depends on your operating system, your system resources, and its bandwidth. The transmission rate goes up to 1.6 million packets per second on Linux, and it can transmit as fast as 300,000 packets per second on windows or VMs.
To make the output of a Masscan readable and usable for further practical analyses, you can save the output by directing it to a file:
masscan 192.158. 1.38/20 --top-ports 20 --rate 10000>result.txt
This will save the output of the top 20 ports of the subnet above to the result.txt file.
In addition to the text output format, you can also save the output of a scan into an XML, JSON, list, and Grapable file.
oX <filename>for XM files
oJ <filename>for JSON files
oG <filename>for Grepable files which is readable for other command line tools
oL<filename>to present the output in a more readable list than .txt files.
You may need to reduce the number of target hosts to be scanned or exclude a range of hosts from your Scan for some reasons. Masscan provides the "--excludefile" option to be followed by a file containing the range of targets to be excluded.
masscan 192.158. 1.38/20 --top-ports 20 --excludefile exclude.txt
This will exclude the range of hosts specified in the exclude.txt file.
Masscan also offers the ability to save the necessary configurations of a Masscan in a configuration file that can be used multiple times.
You can create a configuration file for example;
# Example Scan rate = 10000.00 output-format = txt output-status = all output-filename = result.txt ports = 0-8080 range = 0.0.0.0-255.255.255.255 excludefile = exclude.txt
To save this configuration file for future use, run the following command;
masscan -c examplescan.conf
Scanning The Entire Internet
Using Masscan, you can scan the entire internet against a single port, a range of ports, or all ports for each host.
To Scan against a single port (80)
masscan 0.0.0.0/0 -p80 --rate 1000000
To scan against all 65535 ports
masscan 0.0.0,0/0 -p0-65535 --rate 1000000
Scanning the whole internet should, however, be done cautiously. It will yield a massive output, and you could also be probing government IP addresses and digital traps.
Real-Life Use Case of Masscan
An example of a practical use case of Masscan is the recent mass attack on Kubernetes IP addresses by the renowned hacking team, TeamTNT.
In the attack that has affected over 50,000 Kubernetes servers, TeamTNT employed Masscan to scan for open ports in a Kubernetes cluster. Masscan can identify all open ports in the Kubernetes cluster, including port 10250, the port of the Kubelet API left open.
After exposing the Kubelet API port 10250 to the internet using Masscan, the hackers were able to penetrate the Kubelet environment, thereby extending further scans into the Kubernetes environment. This eventually gave them access to the pods and containers in the Kubernetes cluster to carry out their malicious activities.
How Hackers Are Using Masscan For Bug Bounty
In conjunction with other tools, hackers use Masscan to automate, distribute and speed up scanning of IP addresses to extract useful data for bug bounties.
In the Video, Stok spun up a fleet of 15 instances with axiom to have the workload distributed for faster execution.
He then runs
axiom-scan, which scans each server and outputs the IP addresses available. He then use Masscan on port 80 (
Axiom sends an IP list (which in this case contains 17 IP addresses) to all running instances and starts the Masscan command against port 80 on each one of them.
With the distributed workload, Masscan is able to scan each of the 17 IP addresses in about 21 seconds and save the output into a file specified in the Masscan command.
Finally, he used a tool called awk to sort the output of the Masscan and present it in a more readable format for further research on possible bugs.
Get similar sotries in your inbox weekly, for free
Share this story with your friends
The team behind this website. We help IT leaders, decision-makers and IT professionals understand topics like Distributed Computing, AIOps & Cloud Native