Masscan: Scan your whole Internet in beneath 5 minutes

sudo correct-receive --prefer-yes set up git assemble gcc
git clone https://github.com/robertdavidgraham/masscan
cd masscan
assemble

# masscan -p80,8000-8100 10.0.0.0/8 2603: 3001:2nd00:da00::/112

Masscan can extinguish extra than exact detect whether ports are commence. It may perhaps presumably presumably
complete the TCP connection and interplay with the utility at that
port in affirm to grab easy “banner” info.

Masscan supports banner checking on the next protocols:

• FTP
• HTTP
• IMAP4
• memcached
• POP3
• SMTP
• SSH
• SSL
• SMBv1
• SMBv2
• Telnet
• RDP
• VNC

The grief with this is that masscan contains its comprise TCP/IP stack
wreck free the arrangement you bustle it on. When the native arrangement receives
a SYN-ACK from the probed target, it responds with a RST packet that kills
the connection sooner than masscan can take dangle of the banner.

The intention to quit this is to attach masscan a separate IP
address. This would gape fancy undoubtedly one of the most next examples:

# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
  # masscan 2a00: 1450: 4007: 810::/112 -p80 --banners --source-ip 2603: 3001:2nd00:da00: 91d7:b54:b498: 859d

The address you care for has to be on the native subnet and not otherwise
be ragged by another arrangement. Masscan will warn you that you just non-public made a
mistake, nevertheless you may presumably’ve tousled the choice machine’s communications
for several minutes, so watch out.

In some circumstances, corresponding to WiFi, this will not be that you just may presumably presumably be take into consideration. In those circumstances, you may presumably
firewall the port that masscan makes spend of. This prevents the native TCP/IP stack
from seeing the packet, nevertheless masscan quiet sees it since it bypasses the
native stack. For Linux, this may perhaps gape fancy:

# iptables -A INPUT -p tcp --dport 61000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 61000

You in all likelihood must grab ports that assemble not battle with ports Linux may presumably presumably otherwise
care for for source-ports. You may presumably presumably presumably undercover agent the fluctuate Linux makes spend of, and reconfigure
that alter, by taking a gape within the file:

/proc/sys/assemble/ipv4/ip_local_port_range

On the most recent model of Kali Linux (2018-August), that alter is 32768 to 60999, so
you may presumably quiet care for ports either beneath 32768 or 61000 and above.

Setting an iptables rule most effective lasts unless the next reboot. It’s vital to lookup
assign the configuration depending upon your distro, corresponding to utilizing iptables-assign
and/or iptables-continual.

On Mac OS X and BSD, there are a similar steps. To search out out the ranges to steer determined of,
spend a disclose fancy the next:

# sysctl assemble.inet.ip.portrange.first assemble.inet.ip.portrange.final

On FreeBSD and older MacOS, spend an ipfw disclose:

# sudo ipfw add 1 reveal tcp from any to any 40000 in
# masscan 10.0.0.0/8 -p80 --banners --source-port 40000

On more recent MacOS and OpenBSD, spend the pf packet-filter utility.
Edit the file /etc/pf.conf so that you just may perhaps add a line fancy the next:

block in proto tcp from any to any port 40000

Then to enable the firewall, bustle the disclose:

If the firewall is already working, then either reboot or reload the principles
with the next disclose:

Windows doesn’t reply with RST packets, so neither of those techniques
are mandatory. Alternatively, masscan is quiet designed to work simplest utilizing its
comprise IP address, so that you just may presumably quiet bustle that intention when that you just may presumably presumably be take into consideration, even when it’s
not strictly mandatory.

The a similar thing is wished for other checks, corresponding to the --heartbleed test,
which is true a originate of banner checking.

scan your whole Internet

While invaluable for smaller, inner networks, this plot is indubitably designed
along with your whole Internet in solutions. It may perhaps presumably presumably gape one thing fancy this:

# masscan 0.0.0.0/0 -p0-65535

Scanning your whole Internet is unfriendly. For one thing, substances of the Internet react
badly to being scanned. For an additional thing, some websites notice scans and add you
to a ban list, that may presumably presumably receive you firewalled from invaluable substances of the Internet.
Therefore, you will need to have to exclude a form of ranges. To blacklist or exclude ranges,
you will need to have to make spend of the next syntax:

# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt

This exact prints the outcomes to the disclose-line. You in all likelihood need them
saved to a file as another. Therefore, you are going to have to non-public one thing fancy:

# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml

This protects the outcomes in an XML file, allowing you to with out considerations dump the
ends in a database or one thing.

Nonetheless, this most effective goes on the default rate of 100 packets/2d, that may presumably presumably
pick forever to scan the Internet. It’s vital to bustle it up as so:

# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000

This may occasionally increase the proceed to 100,000 packets/2d, that may presumably presumably scan the
whole Internet (minus excludes) in about 10 hours per port (or 655,360 hours
if scanning all ports).

The object to search around for about this disclose-line is that these are all nmap
effectively matched choices. As well to, “invisible” choices effectively matched with nmap
are also blueprint for you: -sS -Pn -n --randomize-hosts --send-eth. Likewise,
the format of the XML file is impressed by nmap. There are, clearly, a
lot of variations, on legend of the asynchronous nature of this plot
leads to a fundamentally diversified intention to the grief.

The above disclose-line is rather cumbersome. In its save of placing every little thing
on the disclose-line, it’s miles most likely to be stored in a file as another. The above settings
would gape fancy this:

# My Scan
rate =  100000.00
output-format = xml
output-reputation = all
output-filename = scan.xml
ports = 0-65535
fluctuate = 0.0.0.0-255.255.255.255
excludefile = exclude.txt

To make spend of this configuration file, spend the -c:

This also makes issues more straightforward within the event you repeat a scan.

By default, masscan first loads the configuration file
/etc/masscan/masscan.conf. Any later configuration parameters override what’s
on this default configuration file. That’s where I save my “excludefile”
parameter so as that I assemble not ever neglect it. It exact works mechanically.

Getting output

By default, masscan produces rather enormous text recordsdata, nevertheless it absolutely’s easy
to convert them into every other format. There are five supported output formats:

1. xml: Beautiful spend the parameter -oX .
   Or, spend the parameters --output-format xml and --output-filename .

2. binary: Here’s the masscan builtin format. It produces great smaller recordsdata so as that
   after I scan the Internet my disk doesn’t maintain up. They must be parsed,
   though. The disclose-line option --readscan will read binary scan recordsdata.
   The utilization of --readscan with the -oX option will receive an XML model of the
   results file.

3. grepable: Here’s an implementation of the Nmap -oG
   output that is most likely to be with out considerations parsed by disclose-line tools. Beautiful spend the
   parameter -oG . Or, spend the parameters --output-format grepable and
   --output-filename .

4. json: This protects the outcomes in JSON format. Beautiful spend the
   parameter -oJ . Or, spend the parameters --output-format json and
   --output-filename .

5. list: Here’s a straightforward list with one host and port pair
   per line. Beautiful spend the parameter -oL . Or, spend the parameters
   --output-format list and --output-filename . The format is:

   Comparability with Nmap

   The save cheap, each and each effort has been taken to assemble this plot familiar
   to nmap users, despite the indisputable truth that it be fundamentally diversified. Masscan is tuned
   for excellent preference scanning of a form of machines, whereas nmap is designed for
   intensive scanning of a single machine or a miniature fluctuate.

   Two vital variations are:

   • no default ports to scan, it be vital to specify -p
   • target hosts are IP addresses or easy ranges, not DNS names, nor
     the funky subnet ranges nmap can spend (fancy 10.0.0-255.0-255).

   You may presumably presumably presumably judge of masscan as having the next settings completely
   enabled:

   • -sS: this does SYN scan most effective (at exclaim, will alternate sometime)
   • -Pn: doesn’t ping hosts first, which is key to the async operation
   • -n: no DNS resolution happens
   • --randomize-hosts: scan completely randomized, continuously, you may presumably’t alternate this
   • --send-eth: sends utilizing raw libpcap

   When you happen to will have to non-public a listing of extra nmap effectively matched settings, spend the next
   disclose:

   Transmit rate (IMPORTANT!!)

   This program spews out packets very like a flash. On Windows, or from VMs,
   it may presumably presumably extinguish 300,000 packets/2d. On Linux (no virtualization) it will
   extinguish 1.6 million packets-per-2d. That’s like a flash sufficient to soften most networks.

   Expose that it may presumably presumably most effective soften your comprise community. It randomizes the target
   IP addresses so as that it must not overwhelm any a ways away community.

   By default, the proceed is decided to 100 packets/2d. To expand the proceed to
   a million spend one thing fancy --rate 1000000.

   When scanning the IPv4 Internet, you may presumably be scanning a huge selection of subnets,
   so despite the indisputable truth that there is a high rate of packets going out, each and each
   target subnet will assemble a miniature rate of incoming packets.

   Alternatively, with IPv6 scanning, you may presumably tend to house a single
   target subnet with billions of addresses. Thus, your default
   conduct will overwhelm the target community. Networks in most cases
   shatter beneath the burden that masscan can generate.

   This portion describes the major assemble factors of this plot.

   Code Format

   The file major.c contains the major() characteristic, as you would save a query to. It also
   contains the transmit_thread() and receive_thread() capabilities. These
   capabilities had been deliberately flattened and heavily commented so as that you just
   can read the assemble of this plot merely by stepping line-by-line via
   each and each of those.

   Asynchronous

   Here’s an asynchronous assemble. In other words, it’s to nmap what
   the nginx web-server is to Apache. It has separate transmit and assemble
   threads which may perhaps presumably presumably be largely honest from one another. It’s the same form of
   assemble exclaim in scanrand, unicornscan, and ZMap.

   Attributable to it be asynchronous, it runs as like a flash as the underlying packet transmit
   lets in.

   Randomization

   A key disagreement between Masscan and other scanners is the trend it randomizes
   targets.

   The basic theory is to non-public a single index variable that begins at
   zero and is incremented by one for each and each probe. In C code, this is expressed
   as:

   for (i = 0; i < fluctuate; i++) {
       scan(i);
   }
   

   We non-public now got to translate the index into an IP address. Let's affirm that you just will need to have to
   scan all "non-public" IP addresses. That is most likely to be the desk of ranges fancy:

   192.168.0.0/16
   10.0.0.0/8
   172.16.0.0/12
   

   On this case, the first 64okay indexes are appended to 192.168.x.x to originate
   the target address. Then, the next 16-million are appended to 10.x.x.x.
   The final indexes within the fluctuate are utilized to 172.16.x.x.

   On this case, we most effective non-public three ranges. When scanning your whole Internet,
   we now non-public got in notice extra than 100 ranges. That's on legend of it be vital to blacklist
   or exclude a form of sub-ranges. This chops up the specified fluctuate into a complete bunch
   of smaller ranges.

   This leads to undoubtedly one of the most slowest substances of the code. We transmit 10 million
   packets per 2d and want to convert an index variable to an IP address
   for each and each and each and each probe. We solve this by doing a "binary search" in a miniature
   quantity of memory. At this packet rate, cache efficiencies originate to dominate
   over algorithm efficiencies. There are a form of extra efficient techniques in
   theory, nevertheless all of them require so great memory as to be slower in notice.

   We call the characteristic that interprets from an index into an IP address
   the grab() characteristic. In spend, it seems to be to be fancy:

   for (i = 0; i < fluctuate; i++) {
       ip = grab(addresses, i);
       scan(ip);
   }
   

   Masscan supports not most effective IP address ranges, nevertheless also port ranges. This implies
   we now non-public got to grab from the index variable both an IP address and a port. This
   is rather straightforward:

   fluctuate = ip_count port_count;
   for (i = 0; i < fluctuate; i++) {
       ip   = grab(addresses, i / port_count);
       port = grab(ports,     i % port_count);
       scan(ip, port);
   }
   

   This leads to another costly part of the code. The division/modulus
   instructions are around 90 clock cycles, or 30 nanoseconds, on x86 CPUs. When
   transmitting at a rate of 10 million packets/2d, we now non-public got most effective
   100 nanoseconds per packet. I undercover agent no intention to optimize this any better. Fortunately,
   though, two such operations is most likely to be carried out simultaneously, so doing two
   of those, as shown above, will not be any extra costly than doing one.

   There are indubitably some easy optimizations for the above performance considerations,
   nevertheless all of them count upon i++, the indisputable truth that the index variable will increase one
   by one via the scan. In level of truth, we now non-public got to randomize this variable. We
   must randomize the exclaim of IP addresses that we scan or we are going to blast the
   heck out of target networks that aren't built for this stage of proceed. We
   must spread our online page online visitors evenly over the target.

   The intention we randomize is merely by encrypting the index variable. By definition,
   encryption is random and creates a 1-to-1 mapping between the authentic index
   variable and the output. This implies that whereas we linearly struggle via the
   fluctuate, the output IP addresses are completely random. In code, this seems to be to be fancy:

   fluctuate = ip_count port_count;
   for (i = 0; i < fluctuate; i++) {
       x = encrypt(i);
       ip   = grab(addresses, x / port_count);
       port = grab(ports,     x % port_count);
       scan(ip, port);
   }
   

   This also has a chief rate. Since the fluctuate is an unpredictable size as another
   of a nice even energy of 2, we are going to have the choice to not spend cheap binary techniques fancy
   AND (&) and XOR (^). In its save, we now non-public got to make spend of high-priced operations fancy
   MODULUS (%). In my most modern benchmarks, it be taking 40 nanoseconds to
   encrypt the variable.

   This structure lets in for many frigid aspects. As an instance, it supports
   "shards". You may presumably presumably presumably blueprint up 5 machines each and each doing a fifth of the scan or
   fluctuate / shard_count. Shards is most likely to be a pair of machines, or merely a pair of
   community adapters on the same machine, and even (must you are going to have to non-public) a pair of IP
   source addresses on the same community adapter.

   Or, you may presumably spend a 'seed' or 'key' to the encryption characteristic, so as that you just receive
   a diversified exclaim every time you scan, fancy x = encrypt(seed, i).

   We may presumably presumably terminate the scan by exiting out of this plot, and merely
   remembering the most recent worth of i, and restart it later. I extinguish that loads
   at some level of making. I undercover agent one thing going ride with my Internet scan, so
   I hit to quit the scan, then restart it after I've mounted the malicious program.

   One more characteristic is retransmits/retries. Packets usually receive dropped on the
   Internet, so that you just may presumably send two packets inspire-to-inspire. Alternatively, one thing that
   drops one packet may presumably presumably tumble the without lengthen following packet. Therefore, you
   must send the reproduction about 1 2d apart. Here's easy. We non-public now got already bought
   a 'rate' variable, which is the preference of packets-per-2d rate we're
   transmitting at, so the retransmit characteristic is merely to make spend of i + rate
   as the index. One amongst this exclaim day I'll extinguish a peep of the Internet,
   and differentiate "inspire-to-inspire", "1 2d", "10 2d", and "1 minute"
   retransmits this vogue in affirm to undercover agent if there is any disagreement in what
   will get dropped.

   C10 Scalability

   The asynchronous technique is diagnosed as a solution to the "c10okay grief".
   Masscan is designed for the next stage of scalability, the "C10M grief".

   The C10M solution is to circumvent the kernel. There are three major kernel
   bypasses in Masscan:

   • customized community driver
   • user-mode TCP stack
   • user-mode synchronization

   Masscan can spend the PF_RING DNA driver. This driver DMAs packets without lengthen
   from user-mode memory to the community driver with zero kernel involvement.
   That lets in instrument, even with a slack CPU, to transmit packets at basically the most
   rate the hardware lets in. When you happen to position 8 10-gbps community playing cards in a computer,
   this means it may presumably presumably transmit at 100-million packets/2d.

   Masscan has its comprise built-in TCP stack for grabbing banners from TCP
   connections. This implies it may presumably presumably with out considerations make stronger 10 million concurrent TCP
   connections, assuming clearly that the computer has sufficient memory.

   Masscan has no "mutex". Contemporary mutexes (aka. futexes) are largely user-mode,
   nevertheless they've two considerations. The major grief is that they trigger cache-traces
   to jump swiftly inspire-and-forth between CPUs. The 2d is that when there
   is contention, they are going to extinguish a tool call into the kernel, which kills
   performance. A mutex on the like a flash route of a program severely limits scalability.
   In its save, Masscan makes spend of "rings" to synchronize issues, corresponding to when the
   user-mode TCP stack within the assemble thread needs to transmit a packet with out
   interfering with the transmit thread.

   Portability

   The code runs effectively on Linux, Windows, and Mac OS X. The whole vital bits are
   in recent C (C90). Therefore, it compiles on Visual Studio with Microsoft's
   compiler, the Clang/LLVM compiler on Mac OS X, and GCC on Linux.

   Windows and Macs are not tuned for packet transmit, and receive most effective about 300,000
   packets-per-2d, whereas Linux can extinguish 1,500,000 packets/2d. That's
   doubtlessly quicker than you are going to have to non-public anyway.

   Gain code

   A bounty is offered for vulnerabilities, undercover agent the VULNINFO.md file for added
   info.

   This accomplishing makes spend of receive capabilities fancy strcpy_s() as another of unsafe capabilities
   fancy strcpy().

   This accomplishing has automatic unit regression tests (assemble regress).

   Compatibility

   Pretty loads of effort has long past into making the input/output gape fancy nmap, which
   every person who does port scans is (or have to be) familiar with.

   IPv6 and IPv4 coexistence

   Masscan supports IPv6, nevertheless there will not be this kind of thing as a special mode, both are supported
   on the same time. (There'll not be always a -6 option -- it be continuously readily available).

   In any instance you undercover agent of masscan utilization,
   merely save an IPv6 address where you undercover agent an IPv4 address. You may presumably presumably presumably consist of
   IPv4 and IPv6 addresses simultaneously within the same scan. Output entails
   the actual address on the same location, with no special marking.

   Beautiful care for in solutions that IPv6 address space is indubitably enormous. You in all likelihood assemble not must scan
   for giant ranges, excluding possibly the first 64okay addresses of a subnet that had been assigned
   via DHCPv6.

   In its save, you may presumably doubtlessly must scan enormous lists of addresses stored
   in a file (--consist of-file filename.txt) that you just bought from other sources.
   Cherish all over else, this file can comprise lists of both IPv4 and IPv6 addresses.
   The test file I spend contains 8 million addresses. Files of that size want a pair
   extra seconds to be read on startup (masscan sorts the addresses and removes
   duplicates sooner than scanning).

   Do not put out of your mind that masscan contains its comprise community stack. Thus, the native machine
   you bustle masscan from doesn't must be IPv6 enabled -- though the native
   community needs with the draw to route IPv6 packets.

   PF_RING

   To receive beyond 2 million packets/2d, you would like an Intel 10-gbps Ethernet
   adapter and a special driver diagnosed as "PF_RING ZC" from ntop. Masscan doesn't must be rebuilt in affirm to make spend of PF_RING. To make spend of PF_RING,
   it be vital to assemble the next substances:

   • libpfring.so (installed in /usr/lib/libpfring.so)
   • pf_ring.ko (their kernel driver)
   • ixgbe.ko (their model of the Intel 10-gbps Ethernet driver)

   You assemble not must assemble their model of libpcap.so.

   When Masscan detects that an adapter is named one thing fancy zc:enp1s0 as another
   of one thing fancy enp1s0, it will mechanically switch to PF_RING ZC mode.

   A extra detail dialogue is most likely to be exclaim in PoC||GTFO 0x15.

   Regression discovering out

   The accomplishing contains a built-in unit test:

   $ assemble test
   bin/masscan --selftest
   selftest: success!
   

   This tests a form of sophisticated bits of the code. You may presumably presumably presumably quiet extinguish this after building.

   Performance discovering out

   To test performance, bustle one thing fancy the next to a throw-away address,
   to steer determined of overloading your native router:

   $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
   

   The artificial --router-mac retains packets on the native community segments so as that
   they'd presumably not exit to the Internet.

   You may presumably presumably presumably additionally test in "offline" mode, which is how like a flash this plot runs
   with out the transmit overhead:

   $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
   

   This 2d benchmark reveals roughly how like a flash this plot would bustle if it had been
   utilizing PF_RING, which has shut to zero overhead.

   By the trend, the randomization algorithm makes heavy spend of "integer arithmetic",
   a chronically slack operation on CPUs. Contemporary CPUs non-public doubled the proceed
   at which they assemble this calculation, making masscan great quicker.

   This tool created by Robert Graham:
   email: [email protected]
   twitter: @ErrataRob