How To Scan the Internet in 5 Minutes


Masscan is an open source network security scanning tool that stands out among others, thanks to its high-speed capacity. We explored what the tool is about and how to use it to scan large networks with blazing fast performance.


    For information security personnel and bug bounty hunters, scanning a local network or, at the extreme, the entire internet for open ports is crucial for identifying vulnerabilities in a system.

    Port scanning is helpful for various research and ethical hacking purposes such as penetration testing because it allows cybersecurity teams to identify loopholes and strengthen the system against such attacks.

    To carry out the port scanning task, various tools such as Nmap have been developed.

    However, Masscan is a tool that combines the ability of these popular tools with a high speed of up to ten million packets per second and allows you to scan the entire internet in a few minutes.

    In this tutorial, we will learn about Masscan and how you can use it to scan the internet in 5 minutes.

    What is Masscan?

    Masscan is an asynchronous TCP port scanner that works similarly to the popular Nmap scanner.

    Even though it is easily used for offensive purposes, Masscan was created to help security experts scan ports on the internet as fast as possible. The creator, Robert Graham, affirms that it takes only 6 minutes at around 10 million packets per second to scan the entire internet.

    Masscan is written in the C programming language and is open source, with over 49 contributors on GitHub.

    Masscan notable features

    Scalability

    Masscan uses an asynchronous transmission architecture that allows it to send out probes without having to wait for replies. This feature gives it the ability to transmit up to 10 million packets per second.

    Cross-Platform Compatibility

    The Masscan software can be compiled, installed, and run on major operating systems, including Linux, Windows, and macOS.

    Banner Checking

    In addition to its fast port scanning ability, Masscan can also fetch basic banner information from FTP, HTTP, SMTP, SSL, Telnet, and some other protocols.

    Nmap Compatibility

    One of the significant features that make Masscan readily adoptable by security experts is its compatibility with the widely used Nmap scanner. Masscan usage and output are very similar to that of Nmap, with speed being a major difference.

    Apart from speed, Nmap scans about 1000 ports by default, while Masscan has no default ports to scan. Masscan also does not perform any DNS name resolution and supports only IP addresses as targets, while Nmap accepts both DNS names and IP addresses.

    Installation

    Masscan is compatible with the three major operating systems, but we will cover only the Linux and macOS installation procedures.

    Installing Masscan on Linux (Debian/Ubuntu)

    The first step is to install the necessary dependencies for Masscan to run; in this case, a C compiler is the primary dependency Masscan needs.

    apt-get install clang git gcc make libpcap-dev

    Then we clone the source code from the official repository using:

    git clone https://github.com/robertdavidgraham/masscan
    cd masscan
    make

    This builds the binary at bin/masscan inside the cloned directory.

    Installing Masscan on macOS

    You can easily install Masscan on macOS using the Homebrew command:

    brew install masscan

    How To Use Masscan

    Masscan is a beginner-friendly, easy-to-use tool for scanning ports across networks of any size.

    Single IP Port Scan

    As much as it is efficient for scanning an extensive network like the internet, Masscan can also scan a single IP on a single port.

    For example, to scan the IP address 192.158.1.38 for port 443, use the command:

    masscan 192.158.1.38 -p443

    Multi-Port Scan

    You can also scan multiple ports on a single IP address using a comma (,) as the separator.

    To scan for ports 80, 25, and 443 on the IP address 192.158.1.38:

    masscan 192.158.1.38 -p80,25,443

    You can also scan a range of ports on a single IP using a dash (-) as the separator:

    masscan 192.158.1.38 -p25-80

    Scanning Top Ports

    Masscan also enables you to scan the most popular ports using Nmap's "--top-ports" option while specifying "n," the number of popular Nmap ports to scan.

    The syntax looks like "--top-ports n."

    To scan the IP address 192.158.1.38 for the top 20 ports:

    masscan 192.158.1.38 --top-ports 20

    Aside from "--top-ports," Masscan also has other options such as --echo, --readscan, --heartbleed, and --excludefile. We will see the usage of some of them later in this tutorial.

    Increasing Masscan Transmission Speed

    By default, Masscan scans at a rate of 100 packets per second. To harness the full speed of Masscan, you can specify it using the "--rate" option.

    To scan the subnet 192.158.1.38/20 for the top 20 ports at a rate of 10,000 packets per second, we use the following command:

    masscan 192.158.1.38/20 --top-ports 20 --rate 10000

    The maximum scanning rate of Masscan is ten million packets per second, but how fast your scan can actually go depends on your operating system, your system resources, and your bandwidth. The transmission rate goes up to 1.6 million packets per second on Linux, and about 300,000 packets per second on Windows or in VMs.

    Saving Output

    To make the output of a Masscan scan readable and usable for further analysis, you can save the output by redirecting it to a file:

    masscan 192.158.1.38/20 --top-ports 20 --rate 10000 > result.txt

    This will save the output of the top 20 ports of the subnet above to the result.txt file.

    In addition to the plain text output, you can also save the output of a scan in XML, JSON, grepable, and list formats:

    • -oX <filename> for XML files
    • -oJ <filename> for JSON files
    • -oG <filename> for grepable files, which are easy to process with other command line tools
    • -oL <filename> to present the output as a list that is more readable than the .txt output
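    The list format is the easiest of these to post-process. The following script is an added example (not part of Masscan or this article's original material) that parses -oL output into a per-host summary sorted numerically by IP address, collapses duplicate "open" lines, keeps banner text where present, and rejects truncated lines instead of silently returning partial results. The sample output embedded below is constructed for the example and uses RFC 5737 documentation addresses; the field layout follows Masscan's list format: status, protocol, port, IP, timestamp, and for banner lines the service name and banner text.

```python
"""Summarise Masscan list-format (-oL) output per host.

Added example, not part of the Masscan project. Expected line layouts:
    <status> <proto> <port> <ip> <timestamp>
    banner   <proto> <port> <ip> <timestamp> <service> <banner text>
Lines starting with '#' are comments written by Masscan itself.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample output (not a real scan); note the duplicate port 80 line.
SAMPLE_OUTPUT = """\
#masscan
open tcp 443 198.51.100.7 1633024800
open tcp 80 198.51.100.7 1633024801
open tcp 22 198.51.100.9 1633024802
banner tcp 22 198.51.100.9 1633024803 ssh SSH-2.0-OpenSSH_8.4
open tcp 80 198.51.100.7 1633024805
# end
"""


@dataclass
class HostResult:
    ports: set = field(default_factory=set)     # {(proto, port), ...}
    banners: dict = field(default_factory=dict)  # (proto, port) -> (service, text)


def parse_list_output(text):
    """Return {ip: HostResult} from Masscan -oL text.

    Duplicate 'open' lines (a retransmitted SYN-ACK makes Masscan report the
    same port twice) collapse into one entry. Malformed lines raise
    ValueError so a truncated file is noticed rather than half-parsed.
    """
    hosts = defaultdict(HostResult)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields: {raw!r}")
        status, proto, port, ip = fields[0], fields[1], int(fields[2]), fields[3]
        if status == "open":
            hosts[ip].ports.add((proto, port))
        elif status == "banner":
            if len(fields) < 6:
                raise ValueError(f"line {lineno}: banner line without text: {raw!r}")
            # fields[5] is "<service> <banner text>"; keep the service separately.
            service, _, banner = fields[5].partition(" ")
            hosts[ip].ports.add((proto, port))
            hosts[ip].banners[(proto, port)] = (service, banner)
        # Other statuses (e.g. 'closed' with --output-status all) are ignored here.
    return dict(hosts)


def summarize(hosts):
    """Return [(ip, [sorted ports]), ...] ordered numerically by IP address.

    awk/sort on the raw file would order IPs as strings ("10." before "9.");
    sorting on ipaddress objects gives the natural order instead.
    """
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [(ip, sorted(port for _, port in res.ports)) for ip, res in ordered]


if __name__ == "__main__":
    results = parse_list_output(SAMPLE_OUTPUT)
    for ip, ports in summarize(results):
        print(ip, ",".join(map(str, ports)))
        for (proto, port), (service, text) in sorted(results[ip].banners.items()):
            print(f"  {proto}/{port} {service}: {text}")
```

    Feed it a real list file with `parse_list_output(open("result.txt").read())`; the summary is the same host-to-ports table one would otherwise build with awk, minus the string-sorting surprise.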

    Excluding Targets

    For various reasons you may need to reduce the number of target hosts or exclude a range of hosts from your scan. Masscan provides the "--excludefile" option, followed by a file containing the ranges of targets to be excluded.

    masscan 192.158. 1.38/20 --top-ports 20 --excludefile exclude.txt

    This will exclude the range of hosts specified in the exclude.txt file.
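    Before launching a large scan it is worth checking what the exclude file actually leaves in scope. The script below is an added example, not Masscan's own code: it reads an exclude file in the same one-address-or-CIDR-per-line style Masscan accepts, subtracts those networks from the article's 192.158.1.38/20 target range with Python's ipaddress module, and lets you ask whether a given address would still be probed. The exclude-file contents are constructed for the example.

```python
"""Compute the effective target set of a scan after applying an exclude file.

Added example, not part of Masscan. It mirrors the intent of --excludefile
(listed hosts are never probed) so scope can be verified before scanning.
"""
import ipaddress

# Constructed exclude file: one IP or CIDR per line, '#' starts a comment.
EXCLUDE_FILE = """\
# Never touch the first /24 of the range
192.158.0.0/24
# A single host that must not be scanned
192.158.1.1
"""


def parse_exclude_file(text):
    """Return a list of ip_network objects from exclude-file text."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # strict=False accepts host-with-mask forms such as 192.158.1.38/20,
        # as Masscan does on the command line.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def effective_targets(target, excludes):
    """Subtract every exclude network from the target network.

    Returns a sorted list of ip_network objects covering exactly the
    addresses that remain in scope. CIDR blocks are either nested or
    disjoint, so each exclude either splits a block, removes it, or
    leaves it alone.
    """
    remaining = [ipaddress.ip_network(target, strict=False)]
    for ex in excludes:
        next_remaining = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the pieces of net outside ex
                # (and nothing at all when ex == net).
                next_remaining.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # whole block excluded
            else:
                next_remaining.append(net)  # no overlap
        remaining = next_remaining
    return sorted(remaining)


def count_addresses(networks):
    """Total number of addresses in a list of networks."""
    return sum(net.num_addresses for net in networks)


def in_scope(ip, networks):
    """True if ip falls inside any of the remaining target networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    excludes = parse_exclude_file(EXCLUDE_FILE)
    targets = effective_targets("192.158.1.38/20", excludes)
    print(f"{count_addresses(targets)} addresses remain in scope:")
    for net in targets:
        print(" ", net)
```

    For the sample above, 4096 addresses in the /20 minus the 256 in the excluded /24 and the single excluded host leaves 3839 in scope. The same check scales to an exclude file with thousands of entries, which is exactly the situation in which an operator most wants to confirm nothing was left out.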

    Saving Configuration

    Masscan also offers the ability to save the settings of a scan in a configuration file that can be reused multiple times.

    For example, you can create a configuration file named examplescan.conf with the following contents:

    # Example Scan
    rate = 10000.00
    output-format = txt
    output-status = all
    output-filename = result.txt
    ports = 0-8080
    range = 0.0.0.0-255.255.255.255
    excludefile = exclude.txt

    Save this configuration file for future use; to run a scan with it later, use the following command:

    masscan -c examplescan.conf

    Scanning The Entire Internet

    Using Masscan, you can scan the entire internet against a single port, a range of ports, or all ports for each host.

    To Scan against a single port (80)

    masscan 0.0.0.0/0 -p80 --rate 1000000

    To scan against all 65535 ports:

    masscan 0.0.0.0/0 -p0-65535 --rate 1000000

    Scanning the whole internet should, however, be done cautiously. It will yield a massive output, and you could also be probing government IP addresses and digital traps.

    Real-Life Use Case of Masscan

    An example of a practical use case of Masscan is the recent mass attack on Kubernetes IP addresses by the renowned hacking team, TeamTNT.

    In the attack that has affected over 50,000 Kubernetes servers, TeamTNT employed Masscan to scan for open ports in a Kubernetes cluster. Masscan can identify all open ports in the Kubernetes cluster, including port 10250, the port of the Kubelet API left open.

    After identifying Kubelet API ports (10250) exposed to the internet with Masscan, the attackers were able to penetrate the Kubelet environment and extend further scans into the Kubernetes environment. This eventually gave them access to the pods and containers in the Kubernetes cluster to carry out their malicious activities.

    How Hackers Are Using Masscan For Bug Bounty

    In conjunction with other tools, hackers use Masscan to automate, distribute and speed up scanning of IP addresses to extract useful data for bug bounties.

    A practical example is the use of Masscan with tools like axiom, Nmap bootstrap XSL, and Nmap, as explained by Stok.

    In the video, Stok spun up a fleet of 15 instances with axiom to distribute the workload for faster execution.

    He then runs axiom-scan, which scans each server and outputs the IP addresses available. He then uses Masscan on port 80 (masscan -p80).

    Axiom sends an IP list (which in this case contains 17 IP addresses) to all running instances and starts the Masscan command against port 80 on each one of them.

    With the distributed workload, Masscan is able to scan each of the 17 IP addresses in about 21 seconds and save the output into a file specified in the Masscan command.

    Finally, he used awk to sort the Masscan output and present it in a more readable format for further research into possible bugs.


    editorial
    The Chief I/O

    The team behind this website. We help IT leaders, decision-makers and IT professionals understand topics like Distributed Computing, AIOps & Cloud Native
