How To Scan the Internet in 5 Minutes

For information security personnel and bug bounty hunters, scanning a local network or, at the wildest, the internet for open ports is crucial for identifying vulnerabilities in a system.

Port scanning is helpful for various research and ethical hacking purposes such as penetration testing because it allows cybersecurity teams to identify loopholes and strengthen the system against such attacks.

To carry out the port scanning task, various tools have been developed such as Nmap.

However, Masscan is a tool that combines the ability of these popular tools with a high speed of up to ten million packets per second and allows you to scan the entire internet in a few minutes.

In this tutorial, we will learn about Masscan and how you can use it to scan the internet in 5 minutes.

What is Masscan?

Masscan is an asynchronous TCP port scanner that works similarly to the popular Nmap scanner.

Even though it is easily used for offensive purposes, Masscan was created to help security experts scan ports on the internet as fast as possible. The creator, Robert Graham, affirms that it takes only 6 minutes at around 10 million packets per second to scan the entire internet.

Masscan is written in C programming language and is made open source with over 49 contributors on GitHub.

Masscan notable features

Scalability

Masscan uses an asynchronous transmission architecture that allows it to send out probes without having to wait for replies. This feature gives it the ability to transmit up to 10 million packets per second.

Cross-Platform Compatibility

The Masscan software can be compiled, installed, and run on major operating systems, including Linux, Windows, and macOS.

Banner Checking

In addition to its fast port scanning ability, Masscan can also fetch basic banner information from FTP, HTTP, SMTP, SSL, Telnet, and some other protocols.

Nmap Compatibility

One of the significant features that make Masscan readily adoptable by security experts is its compatibility with the widely used Nmap scanner. Masscan usage and output are very similar to that of Nmap, with speed being a major difference.

Apart from speed, Nmap scans, by default, about 1000 ports; Masscan has no ports to scan by default. Masscan also does not perform any DNS name sorting and supports only IP addresses, while Nmap provides support for both DNS and IP addresses.

Installation

Masscan is compatible with the three major operating systems, but we will cover only the Linux and macOS installation procedures.

Installing Masscan on Linux (Debian/Ubuntu)

The first step is to install the necessary dependencies for Masscan to run; in this case, a C compiler is the primary dependency Masscan needs.

Then we clone the source code from the official repository using:

This will install the binary under the bin/masscan directory.

Installing Masscan on macOS

You can easily install Masscan on macOS by using the Homebrew command;

How To Use Masscan

Masscan is a beginner-friendly and easy to use tool to scan ports across various network sizes.

Single IP Port Scan

As much as it is efficient for scanning an extensive network like the internet, Masscan can also scan a single IP on a single port.

For example, if you want to scan an IP address 192.158. 1.38 for port 443 use the command;

Multi-Port Scan

You can also scan multiple ports on a single Ip address using comma (,) as the separator.

To scan for ports 80, 25, and 443 on 192.158. 1.38 IP address/subnet;

You can also scan a range of ports on a single IP using dash (-) as the separator.

Scanning Top Ports

Masscan also enables you to scan the most popular ports using Nmap's "--top-ports" option while specifying "n," the number of popular Nmap ports to scan.

The syntax looks like "--top-ports n."

To scan IP address, 192.158. 1.38, for the top 20 ports;

Aside from "--top-ports," Masscan also has other default options such as --echo, --readscan, --heartbleed, and --excludefile. We will see the usage of some of them later in this tutorial.

Increasing Masscan Transmission Speed

By default, Masscan scans at a rate of 100 packets per second. To harness the full speed of Masscan, you can specify it using the "--rate" option.

To scan a subnet 192.158. 1.38/20 for the top 20 ports at the rate of 10,000 packets per second, we use the following command;

The maximum scanning rate of Masscan is ten million packets per second but how fast your scanning can go depends on your operating system, your system resources, and its bandwidth. The transmission rate goes up to 1.6 million packets per second on Linux, and it can transmit as fast as 300,000 packets per second on windows or VMs.

Saving Output

To make the output of a Masscan readable and usable for further practical analyses, you can save the output by directing it to a file:

This will save the output of the top 20 ports of the subnet above to the result.txt file.

In addition to the text output format, you can also save the output of a scan into an XML, JSON, list, and Grapable file.

• oX <filename> for XM files
• oJ <filename> for JSON files
• oG <filename> for Grepable files which is readable for other command line tools
• oL<filename> to present the output in a more readable list than .txt files.

Excluding Targets

You may need to reduce the number of target hosts to be scanned or exclude a range of hosts from your Scan for some reasons. Masscan provides the "--excludefile" option to be followed by a file containing the range of targets to be excluded.

This will exclude the range of hosts specified in the exclude.txt file.

Saving Configuration

Masscan also offers the ability to save the necessary configurations of a Masscan in a configuration file that can be used multiple times.

You can create a configuration file for example;

To save this configuration file for future use, run the following command;

Scanning The Entire Internet

Using Masscan, you can scan the entire internet against a single port, a range of ports, or all ports for each host.

To Scan against a single port (80)

To scan against all 65535 ports

Scanning the whole internet should, however, be done cautiously. It will yield a massive output, and you could also be probing government IP addresses and digital traps.

Real-Life Use Case of Masscan

An example of a practical use case of Masscan is the recent mass attack on Kubernetes IP addresses by the renowned hacking team, TeamTNT.

In the attack that has affected over 50,000 Kubernetes servers, TeamTNT employed Masscan to scan for open ports in a Kubernetes cluster. Masscan can identify all open ports in the Kubernetes cluster, including port 10250, the port of the Kubelet API left open.

After exposing the Kubelet API port 10250 to the internet using Masscan, the hackers were able to penetrate the Kubelet environment, thereby extending further scans into the Kubernetes environment. This eventually gave them access to the pods and containers in the Kubernetes cluster to carry out their malicious activities.

How Hackers Are Using Masscan For Bug Bounty

In conjunction with other tools, hackers use Masscan to automate, distribute and speed up scanning of IP addresses to extract useful data for bug bounties.

A practical example is the use of maasscan with tools like axiom, Nmap bootstrap XSL, and Nmap as explained by Stok.

In the Video, Stok spun up a fleet of 15 instances with axiom to have the workload distributed for faster execution.

He then runs axiom-scan, which scans each server and outputs the IP addresses available. He then use Masscan on port 80 (masscan -p80)

Axiom sends an IP list (which in this case contains 17 IP addresses) to all running instances and starts the Masscan command against port 80 on each one of them.

With the distributed workload, Masscan is able to scan each of the 17 IP addresses in about 21 seconds and save the output into a file specified in the Masscan command.

Finally, he used a tool called awk to sort the output of the Masscan and present it in a more readable format for further research on possible bugs.