Masscan: Scan your whole Internet in beneath 5 minutes

Masscan: Scan your whole Internet in beneath 5 minutes

Build Status

Here’s an Internet-scale port scanner. It’ll scan your whole Internet
in beneath 5 minutes, transmitting 10 million packets per 2d,
from a single machine.

Its utilization (parameters, output) is corresponding to nmap, basically the most current port scanner.
When in doubt, strive a form of aspects — aspects that make stronger standard
scanning of many machines are supported, whereas in-depth scanning of single
machines are not.

Internally, it makes spend of asynchronous transmission, corresponding to port scanners
fancy scanrand, unicornscan, and ZMap. It’s extra flexible, allowing
arbitrary port and address ranges.

NOTE: masscan makes spend of its comprise advert hoc TCP/IP stack. Something as antagonistic to
easy port scans may presumably presumably trigger battle with the native TCP/IP stack. This implies you
must make spend of either the --src-ip solution to bustle from a diversified IP address, or
spend --src-port to configure which source ports masscan makes spend of, then also
configure the inner firewall (fancy pf or iptables) to firewall those ports
from the leisure of the working arrangement.

This tool is free, nevertheless pick into consideration contributing cash to its building:
Bitcoin pockets address: 1MASSCANaHUiyTtR3bJ2sLGuMw5kDBaj4T

On Debian/Ubuntu, it goes one thing fancy the next. It doesn’t
indubitably non-public any dependencies as antagonistic to a C compiler (corresponding to gcc
or clang).

sudo correct-receive --prefer-yes set up git assemble gcc
git clone https://github.com/robertdavidgraham/masscan
cd masscan
assemble

This places this plot within the masscan/bin subdirectory.
To set up it (on Linux) bustle:

The source consists of a form of miniature recordsdata, so building goes loads quicker
by utilizing the multi-threaded assemble. This requires extra than 2gigs on a
Raspberry Pi (and breaks), so that you just may presumably spend a smaller number, fancy -j4 as another of
all that you just may presumably presumably be take into consideration threads.

While Linux is the major target platform, the code runs effectively on many other
techniques (Windows, macOS, etc.). Here’s some extra assemble info:

  • Windows w/ Visual Studio: spend the VS10 accomplishing
  • Windows w/ MinGW: exact form assemble
  • Windows w/ cygwin: may presumably presumably not work
  • Mac OS X /w XCode: spend the XCode4 accomplishing
  • Mac OS X /w cmdline: exact form assemble
  • FreeBSD: form gmake
  • other: strive exact compiling the total recordsdata together, cc src/*.c -o bin/masscan

On macOS, the x86 binaries appear to work exact as like a flash beneath ARM emulation.

Utilization is corresponding to nmap. To scan a community phase for some ports:

# masscan -p80,8000-8100 10.0.0.0/8 2603: 3001:2nd00:da00::/112

This can:

  • scan the 10.x.x.x subnet, and 2603: 3001:2nd00:da00::x subnets
  • scans port 80 and the fluctuate 8000 to 8100, or 102 ports total, on both subnets
  • print output to that is most likely to be redirected to a file

To undercover agent the total list of choices, spend the --echo characteristic. This
dumps the most recent configuration and exits. This output is most likely to be ragged as input inspire
into this plot:

Banner checking

Masscan can extinguish extra than exact detect whether ports are commence. It may perhaps presumably presumably
complete the TCP connection and interplay with the utility at that
port in affirm to grab easy “banner” info.

Masscan supports banner checking on the next protocols:

  • FTP
  • HTTP
  • IMAP4
  • memcached
  • POP3
  • SMTP
  • SSH
  • SSL
  • SMBv1
  • SMBv2
  • Telnet
  • RDP
  • VNC

The grief with this is that masscan contains its comprise TCP/IP stack
wreck free the arrangement you bustle it on. When the native arrangement receives
a SYN-ACK from the probed target, it responds with a RST packet that kills
the connection sooner than masscan can take dangle of the banner.

The intention to quit this is to attach masscan a separate IP
address. This would gape fancy undoubtedly one of the most next examples:

# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
  # masscan 2a00: 1450: 4007: 810::/112 -p80 --banners --source-ip 2603: 3001:2nd00:da00: 91d7:b54:b498: 859d

The address you care for has to be on the native subnet and not otherwise
be ragged by another arrangement. Masscan will warn you that you just non-public made a
mistake, nevertheless you may presumably’ve tousled the choice machine’s communications
for several minutes, so watch out.

In some circumstances, corresponding to WiFi, this will not be that you just may presumably presumably be take into consideration. In those circumstances, you may presumably
firewall the port that masscan makes spend of. This prevents the native TCP/IP stack
from seeing the packet, nevertheless masscan quiet sees it since it bypasses the
native stack. For Linux, this may perhaps gape fancy:

# iptables -A INPUT -p tcp --dport 61000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 61000

You in all likelihood must grab ports that assemble not battle with ports Linux may presumably presumably otherwise
care for for source-ports. You may presumably presumably presumably undercover agent the fluctuate Linux makes spend of, and reconfigure
that alter, by taking a gape within the file:

/proc/sys/assemble/ipv4/ip_local_port_range

On the most recent model of Kali Linux (2018-August), that alter is 32768 to 60999, so
you may presumably quiet care for ports either beneath 32768 or 61000 and above.

Setting an iptables rule most effective lasts unless the next reboot. It’s vital to lookup
assign the configuration depending upon your distro, corresponding to utilizing iptables-assign
and/or iptables-continual.

On Mac OS X and BSD, there are a similar steps. To search out out the ranges to steer determined of,
spend a disclose fancy the next:

# sysctl assemble.inet.ip.portrange.first assemble.inet.ip.portrange.final

On FreeBSD and older MacOS, spend an ipfw disclose:

# sudo ipfw add 1 reveal tcp from any to any 40000 in
# masscan 10.0.0.0/8 -p80 --banners --source-port 40000

On more recent MacOS and OpenBSD, spend the pf packet-filter utility.
Edit the file /etc/pf.conf so that you just may perhaps add a line fancy the next:

block in proto tcp from any to any port 40000

Then to enable the firewall, bustle the disclose:

If the firewall is already working, then either reboot or reload the principles
with the next disclose:

Windows doesn’t reply with RST packets, so neither of those techniques
are mandatory. Alternatively, masscan is quiet designed to work simplest utilizing its
comprise IP address, so that you just may presumably quiet bustle that intention when that you just may presumably presumably be take into consideration, even when it’s
not strictly mandatory.

The a similar thing is wished for other checks, corresponding to the --heartbleed test,
which is true a originate of banner checking.

scan your whole Internet

While invaluable for smaller, inner networks, this plot is indubitably designed
along with your whole Internet in solutions. It may perhaps presumably presumably gape one thing fancy this:

# masscan 0.0.0.0/0 -p0-65535

Scanning your whole Internet is unfriendly. For one thing, substances of the Internet react
badly to being scanned. For an additional thing, some websites notice scans and add you
to a ban list, that may presumably presumably receive you firewalled from invaluable substances of the Internet.
Therefore, you will need to have to exclude a form of ranges. To blacklist or exclude ranges,
you will need to have to make spend of the next syntax:

# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt

This exact prints the outcomes to the disclose-line. You in all likelihood need them
saved to a file as another. Therefore, you are going to have to non-public one thing fancy:

# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml

This protects the outcomes in an XML file, allowing you to with out considerations dump the
ends in a database or one thing.

Nonetheless, this most effective goes on the default rate of 100 packets/2d, that may presumably presumably
pick forever to scan the Internet. It’s vital to bustle it up as so:

# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000

This may occasionally increase the proceed to 100,000 packets/2d, that may presumably presumably scan the
whole Internet (minus excludes) in about 10 hours per port (or 655,360 hours
if scanning all ports).

The object to search around for about this disclose-line is that these are all nmap
effectively matched choices. As well to, “invisible” choices effectively matched with nmap
are also blueprint for you: -sS -Pn -n --randomize-hosts --send-eth. Likewise,
the format of the XML file is impressed by nmap. There are, clearly, a
lot of variations, on legend of the asynchronous nature of this plot
leads to a fundamentally diversified intention to the grief.

The above disclose-line is rather cumbersome. In its save of placing every little thing
on the disclose-line, it’s miles most likely to be stored in a file as another. The above settings
would gape fancy this:

# My Scan
rate =  100000.00
output-format = xml
output-reputation = all
output-filename = scan.xml
ports = 0-65535
fluctuate = 0.0.0.0-255.255.255.255
excludefile = exclude.txt

To make spend of this configuration file, spend the -c:

This also makes issues more straightforward within the event you repeat a scan.

By default, masscan first loads the configuration file
/etc/masscan/masscan.conf. Any later configuration parameters override what’s
on this default configuration file. That’s where I save my “excludefile”
parameter so as that I assemble not ever neglect it. It exact works mechanically.

Getting output

By default, masscan produces rather enormous text recordsdata, nevertheless it absolutely’s easy
to convert them into every other format. There are five supported output formats:

  1. xml: Beautiful spend the parameter -oX .
    Or, spend the parameters --output-format xml and --output-filename .

  2. binary: Here’s the masscan builtin format. It produces great smaller recordsdata so as that
    after I scan the Internet my disk doesn’t maintain up. They must be parsed,
    though. The disclose-line option --readscan will read binary scan recordsdata.
    The utilization of --readscan with the -oX option will receive an XML model of the
    results file.

  3. grepable: Here’s an implementation of the Nmap -oG
    output that is most likely to be with out considerations parsed by disclose-line tools. Beautiful spend the
    parameter -oG . Or, spend the parameters --output-format grepable and
    --output-filename .

  4. json: This protects the outcomes in JSON format. Beautiful spend the
    parameter -oJ . Or, spend the parameters --output-format json and
    --output-filename .

  5. list: Here’s a straightforward list with one host and port pair
    per line. Beautiful spend the parameter -oL . Or, spend the parameters
    --output-format list and --output-filename . The format is:

    Comparability with Nmap

    The save cheap, each and each effort has been taken to assemble this plot familiar
    to nmap users, despite the indisputable truth that it be fundamentally diversified. Masscan is tuned
    for excellent preference scanning of a form of machines, whereas nmap is designed for
    intensive scanning of a single machine or a miniature fluctuate.

    Two vital variations are:

    • no default ports to scan, it be vital to specify -p
    • target hosts are IP addresses or easy ranges, not DNS names, nor
      the funky subnet ranges nmap can spend (fancy 10.0.0-255.0-255).

    You may presumably presumably presumably judge of masscan as having the next settings completely
    enabled:

    • -sS: this does SYN scan most effective (at exclaim, will alternate sometime)
    • -Pn: doesn’t ping hosts first, which is key to the async operation
    • -n: no DNS resolution happens
    • --randomize-hosts: scan completely randomized, continuously, you may presumably’t alternate this
    • --send-eth: sends utilizing raw libpcap

    When you happen to will have to non-public a listing of extra nmap effectively matched settings, spend the next
    disclose:

    Transmit rate (IMPORTANT!!)

    This program spews out packets very like a flash. On Windows, or from VMs,
    it may presumably presumably extinguish 300,000 packets/2d. On Linux (no virtualization) it will
    extinguish 1.6 million packets-per-2d. That’s like a flash sufficient to soften most networks.

    Expose that it may presumably presumably most effective soften your comprise community. It randomizes the target
    IP addresses so as that it must not overwhelm any a ways away community.

    By default, the proceed is decided to 100 packets/2d. To expand the proceed to
    a million spend one thing fancy --rate 1000000.

    When scanning the IPv4 Internet, you may presumably be scanning a huge selection of subnets,
    so despite the indisputable truth that there is a high rate of packets going out, each and each
    target subnet will assemble a miniature rate of incoming packets.

    Alternatively, with IPv6 scanning, you may presumably tend to house a single
    target subnet with billions of addresses. Thus, your default
    conduct will overwhelm the target community. Networks in most cases
    shatter beneath the burden that masscan can generate.

    This portion describes the major assemble factors of this plot.

    Code Format

    The file major.c contains the major() characteristic, as you would save a query to. It also
    contains the transmit_thread() and receive_thread() capabilities. These
    capabilities had been deliberately flattened and heavily commented so as that you just
    can read the assemble of this plot merely by stepping line-by-line via
    each and each of those.

    Asynchronous

    Here’s an asynchronous assemble. In other words, it’s to nmap what
    the nginx web-server is to Apache. It has separate transmit and assemble
    threads which may perhaps presumably presumably be largely honest from one another. It’s the same form of
    assemble exclaim in scanrand, unicornscan, and ZMap.

    Attributable to it be asynchronous, it runs as like a flash as the underlying packet transmit
    lets in.

    Randomization

    A key disagreement between Masscan and other scanners is the trend it randomizes
    targets.

    The basic theory is to non-public a single index variable that begins at
    zero and is incremented by one for each and each probe. In C code, this is expressed
    as:

    for (i = 0; i < fluctuate; i++) {
        scan(i);
    }
    

    We non-public now got to translate the index into an IP address. Let's affirm that you just will need to have to
    scan all "non-public" IP addresses. That is most likely to be the desk of ranges fancy:

    192.168.0.0/16
    10.0.0.0/8
    172.16.0.0/12
    

    On this case, the first 64okay indexes are appended to 192.168.x.x to originate
    the target address. Then, the next 16-million are appended to 10.x.x.x.
    The final indexes within the fluctuate are utilized to 172.16.x.x.

    On this case, we most effective non-public three ranges. When scanning your whole Internet,
    we now non-public got in notice extra than 100 ranges. That's on legend of it be vital to blacklist
    or exclude a form of sub-ranges. This chops up the specified fluctuate into a complete bunch
    of smaller ranges.

    This leads to undoubtedly one of the most slowest substances of the code. We transmit 10 million
    packets per 2d and want to convert an index variable to an IP address
    for each and each and each and each probe. We solve this by doing a "binary search" in a miniature
    quantity of memory. At this packet rate, cache efficiencies originate to dominate
    over algorithm efficiencies. There are a form of extra efficient techniques in
    theory, nevertheless all of them require so great memory as to be slower in notice.

    We call the characteristic that interprets from an index into an IP address
    the grab() characteristic. In spend, it seems to be to be fancy:

    for (i = 0; i < fluctuate; i++) {
        ip = grab(addresses, i);
        scan(ip);
    }
    

    Masscan supports not most effective IP address ranges, nevertheless also port ranges. This implies
    we now non-public got to grab from the index variable both an IP address and a port. This
    is rather straightforward:

    fluctuate = ip_count port_count;
    for (i = 0; i < fluctuate; i++) {
        ip   = grab(addresses, i / port_count);
        port = grab(ports,     i % port_count);
        scan(ip, port);
    }
    

    This leads to another costly part of the code. The division/modulus
    instructions are around 90 clock cycles, or 30 nanoseconds, on x86 CPUs. When
    transmitting at a rate of 10 million packets/2d, we now non-public got most effective
    100 nanoseconds per packet. I undercover agent no intention to optimize this any better. Fortunately,
    though, two such operations is most likely to be carried out simultaneously, so doing two
    of those, as shown above, will not be any extra costly than doing one.

    There are indubitably some easy optimizations for the above performance considerations,
    nevertheless all of them count upon i++, the indisputable truth that the index variable will increase one
    by one via the scan. In level of truth, we now non-public got to randomize this variable. We
    must randomize the exclaim of IP addresses that we scan or we are going to blast the
    heck out of target networks that aren't built for this stage of proceed. We
    must spread our online page online visitors evenly over the target.

    The intention we randomize is merely by encrypting the index variable. By definition,
    encryption is random and creates a 1-to-1 mapping between the authentic index
    variable and the output. This implies that whereas we linearly struggle via the
    fluctuate, the output IP addresses are completely random. In code, this seems to be to be fancy:

    fluctuate = ip_count port_count;
    for (i = 0; i < fluctuate; i++) {
        x = encrypt(i);
        ip   = grab(addresses, x / port_count);
        port = grab(ports,     x % port_count);
        scan(ip, port);
    }
    

    This also has a chief rate. Since the fluctuate is an unpredictable size as another
    of a nice even energy of 2, we are going to have the choice to not spend cheap binary techniques fancy
    AND (&) and XOR (^). In its save, we now non-public got to make spend of high-priced operations fancy
    MODULUS (%). In my most modern benchmarks, it be taking 40 nanoseconds to
    encrypt the variable.

    This structure lets in for many frigid aspects. As an instance, it supports
    "shards". You may presumably presumably presumably blueprint up 5 machines each and each doing a fifth of the scan or
    fluctuate / shard_count. Shards is most likely to be a pair of machines, or merely a pair of
    community adapters on the same machine, and even (must you are going to have to non-public) a pair of IP
    source addresses on the same community adapter.

    Or, you may presumably spend a 'seed' or 'key' to the encryption characteristic, so as that you just receive
    a diversified exclaim every time you scan, fancy x = encrypt(seed, i).

    We may presumably presumably terminate the scan by exiting out of this plot, and merely
    remembering the most recent worth of i, and restart it later. I extinguish that loads
    at some level of making. I undercover agent one thing going ride with my Internet scan, so
    I hit to quit the scan, then restart it after I've mounted the malicious program.

    One more characteristic is retransmits/retries. Packets usually receive dropped on the
    Internet, so that you just may presumably send two packets inspire-to-inspire. Alternatively, one thing that
    drops one packet may presumably presumably tumble the without lengthen following packet. Therefore, you
    must send the reproduction about 1 2d apart. Here's easy. We non-public now got already bought
    a 'rate' variable, which is the preference of packets-per-2d rate we're
    transmitting at, so the retransmit characteristic is merely to make spend of i + rate
    as the index. One amongst this exclaim day I'll extinguish a peep of the Internet,
    and differentiate "inspire-to-inspire", "1 2d", "10 2d", and "1 minute"
    retransmits this vogue in affirm to undercover agent if there is any disagreement in what
    will get dropped.

    C10 Scalability

    The asynchronous technique is diagnosed as a solution to the "c10okay grief".
    Masscan is designed for the next stage of scalability, the "C10M grief".

    The C10M solution is to circumvent the kernel. There are three major kernel
    bypasses in Masscan:

    • customized community driver
    • user-mode TCP stack
    • user-mode synchronization

    Masscan can spend the PF_RING DNA driver. This driver DMAs packets without lengthen
    from user-mode memory to the community driver with zero kernel involvement.
    That lets in instrument, even with a slack CPU, to transmit packets at basically the most
    rate the hardware lets in. When you happen to position 8 10-gbps community playing cards in a computer,
    this means it may presumably presumably transmit at 100-million packets/2d.

    Masscan has its comprise built-in TCP stack for grabbing banners from TCP
    connections. This implies it may presumably presumably with out considerations make stronger 10 million concurrent TCP
    connections, assuming clearly that the computer has sufficient memory.

    Masscan has no "mutex". Contemporary mutexes (aka. futexes) are largely user-mode,
    nevertheless they've two considerations. The major grief is that they trigger cache-traces
    to jump swiftly inspire-and-forth between CPUs. The 2d is that when there
    is contention, they are going to extinguish a tool call into the kernel, which kills
    performance. A mutex on the like a flash route of a program severely limits scalability.
    In its save, Masscan makes spend of "rings" to synchronize issues, corresponding to when the
    user-mode TCP stack within the assemble thread needs to transmit a packet with out
    interfering with the transmit thread.

    Portability

    The code runs effectively on Linux, Windows, and Mac OS X. The whole vital bits are
    in recent C (C90). Therefore, it compiles on Visual Studio with Microsoft's
    compiler, the Clang/LLVM compiler on Mac OS X, and GCC on Linux.

    Windows and Macs are not tuned for packet transmit, and receive most effective about 300,000
    packets-per-2d, whereas Linux can extinguish 1,500,000 packets/2d. That's
    doubtlessly quicker than you are going to have to non-public anyway.

    Gain code

    A bounty is offered for vulnerabilities, undercover agent the VULNINFO.md file for added
    info.

    This accomplishing makes spend of receive capabilities fancy strcpy_s() as another of unsafe capabilities
    fancy strcpy().

    This accomplishing has automatic unit regression tests (assemble regress).

    Compatibility

    Pretty loads of effort has long past into making the input/output gape fancy nmap, which
    every person who does port scans is (or have to be) familiar with.

    IPv6 and IPv4 coexistence

    Masscan supports IPv6, nevertheless there will not be this kind of thing as a special mode, both are supported
    on the same time. (There'll not be always a -6 option -- it be continuously readily available).

    In any instance you undercover agent of masscan utilization,
    merely save an IPv6 address where you undercover agent an IPv4 address. You may presumably presumably presumably consist of
    IPv4 and IPv6 addresses simultaneously within the same scan. Output entails
    the actual address on the same location, with no special marking.

    Beautiful care for in solutions that IPv6 address space is indubitably enormous. You in all likelihood assemble not must scan
    for giant ranges, excluding possibly the first 64okay addresses of a subnet that had been assigned
    via DHCPv6.

    In its save, you may presumably doubtlessly must scan enormous lists of addresses stored
    in a file (--consist of-file filename.txt) that you just bought from other sources.
    Cherish all over else, this file can comprise lists of both IPv4 and IPv6 addresses.
    The test file I spend contains 8 million addresses. Files of that size want a pair
    extra seconds to be read on startup (masscan sorts the addresses and removes
    duplicates sooner than scanning).

    Do not put out of your mind that masscan contains its comprise community stack. Thus, the native machine
    you bustle masscan from doesn't must be IPv6 enabled -- though the native
    community needs with the draw to route IPv6 packets.

    PF_RING

    To receive beyond 2 million packets/2d, you would like an Intel 10-gbps Ethernet
    adapter and a special driver diagnosed as "PF_RING ZC" from ntop. Masscan doesn't must be rebuilt in affirm to make spend of PF_RING. To make spend of PF_RING,
    it be vital to assemble the next substances:

    • libpfring.so (installed in /usr/lib/libpfring.so)
    • pf_ring.ko (their kernel driver)
    • ixgbe.ko (their model of the Intel 10-gbps Ethernet driver)

    You assemble not must assemble their model of libpcap.so.

    When Masscan detects that an adapter is named one thing fancy zc:enp1s0 as another
    of one thing fancy enp1s0, it will mechanically switch to PF_RING ZC mode.

    A extra detail dialogue is most likely to be exclaim in PoC||GTFO 0x15.

    Regression discovering out

    The accomplishing contains a built-in unit test:

    $ assemble test
    bin/masscan --selftest
    selftest: success!
    

    This tests a form of sophisticated bits of the code. You may presumably presumably presumably quiet extinguish this after building.

    Performance discovering out

    To test performance, bustle one thing fancy the next to a throw-away address,
    to steer determined of overloading your native router:

    $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
    

    The artificial --router-mac retains packets on the native community segments so as that
    they'd presumably not exit to the Internet.

    You may presumably presumably presumably additionally test in "offline" mode, which is how like a flash this plot runs
    with out the transmit overhead:

    $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
    

    This 2d benchmark reveals roughly how like a flash this plot would bustle if it had been
    utilizing PF_RING, which has shut to zero overhead.

    By the trend, the randomization algorithm makes heavy spend of "integer arithmetic",
    a chronically slack operation on CPUs. Contemporary CPUs non-public doubled the proceed
    at which they assemble this calculation, making masscan great quicker.

    This tool created by Robert Graham:
    email: [email protected]
    twitter: @ErrataRob

Read Extra

Share your love