Masscan is an Internet-scale port scanner. It can scan the entire Internet in under six minutes, transmitting 10 million packets per second, from a single machine.
Its input/output is similar to nmap, the most famous port scanner. When in doubt, try one of those features.
Internally, Masscan uses asynchronous transmissions, similar to port scanners like scanrand, unicornscan, and ZMap. It's more flexible, allowing arbitrary port and address ranges.
NOTE: Masscan uses its own custom TCP/IP stack. Anything other than simple port scans may cause conflicts with the local TCP/IP stack. This means you need to either use the --src-ip option to run from a different IP address, or use --src-port to configure which source ports masscan uses, and then also configure the internal firewall (like pf or iptables) to firewall those ports from the rest of the operating system.
Masscan is free, but consider contributing money to its development: Bitcoin wallet address: 1MASSCANaHUiyTtR3bJ2sLGuMw5kDBaj4T
Masscan Installation
Using Masscan
Usage is similar to nmap. To scan a network segment for some ports:
masscan -p80,8000-8100 10.0.0.0/8
That command will:
* Scan the 10.x.x.x subnet, all 16 million addresses
* Scan port 80 and the range 8000 to 8100, or 102 addresses total.
* Print output to <stdout> that can be redirected to a file
To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:
masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
masscan -c xxx.conf --rate 1000
Getting output on Masscan
By default, Masscan produces fairly large text files, but it's easy to convert them into any other format. There are 5 supported output formats:
* xml: Just use the parameter -oX <filename>. Or, use the parameters --output-format xml and --output-filename <filename>.
* binary: This is the Masscan builtin format. It produces much smaller files, so that when I scan the Internet my disk doesn't fill up. They need to be parsed, though. The command line option --readscan will read binary scan files. Using --readscan with the -oX option will produce an XML version of the results file.
* grepable: This is an implementation of the Nmap -oG output that can be easily parsed by command-line tools. Just use the parameter -oG <filename>. Or, use the parameters --output-format grepable and --output-filename <filename>.
* json: This saves the results in JSON format. Just use the parameter -oJ <filename>. Or, use the parameters --output-format json and --output-filename <filename>.
* list: This is a simple list with one host and port pair per line. Just use the parameter -oL <filename>. Or, use the parameters --output-format list and --output-filename <filename>. The format is:
<port state> <protocol> <port number> <IP address> <POSIX timestamp>
open tcp 80 XXX.XXX.XXX.XXX 1390380064
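As an added example (not part of the original page or the masscan project), here is a small POSIX shell/awk script that consumes the list format just described and summarises the open TCP ports per host. The sample lines are constructed, not real scan output.

```shell
#!/bin/sh
# Constructed sample of masscan -oL (list format) output; not real scan data.
# Field order, as described above: state, protocol, port, IP, POSIX timestamp.
SAMPLE_LIST='#masscan
open tcp 80 192.0.2.10 1390380064
open tcp 8080 192.0.2.10 1390380065
open tcp 80 192.0.2.11 1390380066
closed tcp 8000 192.0.2.11 1390380067
# end'

# Read list-format lines on stdin and print one line per host:
#   <IP> <comma-separated open TCP ports>
# Lines whose state is not "open" and comment lines starting with '#'
# are both skipped by the test on the first field.
open_ports_by_host() {
    awk '$1 == "open" && $2 == "tcp" {
             ports[$4] = (ports[$4] == "") ? $3 : ports[$4] "," $3
         }
         END { for (ip in ports) print ip, ports[ip] }' | sort
}

# Number of distinct hosts with at least one open TCP port.
count_open_hosts() {
    open_ports_by_host | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LIST" | open_ports_by_host
```

For a real results file, run `open_ports_by_host < scan.list` instead of feeding it the sample.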
Performance testing on Masscan
To test performance, run something like the following:
masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11
The bogus --router-mac keeps packets on the local network segment so that they won't go out to the Internet.
You can also test in "offline" mode, which measures how fast the program runs without the transmit overhead:
masscan 0.0.0.0/4 -p80 --rate 100000000 --offline
This second benchmark shows roughly how fast the program would run if it were using PF_RING, which has near zero overhead.
Banner checking on Masscan
Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interact with the application at that port in order to grab simple "banner" information.
The problem with this is that Masscan contains its own TCP/IP stack, separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.
The easiest way to prevent this is to assign Masscan a separate IP address. This would look like the following:
masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
The address you choose has to be on the local subnet and not otherwise be used by another system.
In some cases, such as WiFi, this isn't possible. In those cases, you can firewall the port that Masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:
iptables -A INPUT -p tcp --dport 61000 -j DROP
masscan 10.0.0.0/8 -p80 --banners --source-port 61000
You probably want to pick ports that don't conflict with ports Linux might otherwise choose for source ports. You can see the range Linux uses, and reconfigure that range, by looking in the file:
/proc/sys/net/ipv4/ip_local_port_range
On the latest version of Kali Linux (2018-August), that range is 32768 to 60999, so you should choose ports either below 32768 or 61000 and above.
Setting an iptables rule only lasts until the next reboot. You need to look up how to save the configuration depending upon your distro, such as using iptables-save or iptables-persistent.
On Mac OS X and BSD, there are similar steps. To find out the ranges to avoid, use a command like the following:
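As an added example (not part of the original page or the masscan project), the following POSIX shell script ties the Linux steps above together: it reads ip_local_port_range, picks a --source-port outside that range, and prints the matching iptables and masscan commands for review. The helper names pick_source_port and firewall_and_scan are my own.

```shell
#!/bin/sh
# Pick a masscan --source-port outside the kernel's ephemeral port range, so the
# local stack never uses it and the iptables DROP rule only affects packets
# destined for masscan's own stack.
#
# $1 is an optional "first last" pair in the format of
# /proc/sys/net/ipv4/ip_local_port_range; with no argument that file is read.
pick_source_port() {
    range=${1:-$(cat /proc/sys/net/ipv4/ip_local_port_range)}
    set -- $range          # split on whitespace (the file uses a tab)
    first=$1
    last=$2
    if [ "$last" -lt 65535 ]; then
        echo $((last + 1))     # first port above the ephemeral range
    else
        echo $((first - 1))    # range reaches the top; go just below it
    fi
}

# Print (not run) the two commands from the text above for a chosen port, so
# they can be reviewed and then piped to sh as root on the scanning host.
# Remaining arguments are the masscan target and port specification.
firewall_and_scan() {
    port=$1
    shift
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    printf 'masscan %s --banners --source-port %s\n' "$*" "$port"
}

# Example with the Kali range quoted above (32768 to 60999) -> port 61000.
port=$(pick_source_port "32768 60999")
firewall_and_scan "$port" 10.0.0.0/8 -p80
```

Remember that the printed iptables rule is not persistent; save it with your distro's mechanism as noted above.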
sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last
On FreeBSD and older MacOS, use an ipfw command:
sudo ipfw add 1 deny tcp from any to any 40000 in
masscan 10.0.0.0/8 -p80 --banners --source-port 40000
On newer MacOS and OpenBSD, use the pf (packet-filter) utility. Edit the file /etc/pf.conf to add a line like the following:
block in proto tcp from any to any port 40000
Then to enable the firewall, run the command: pfctl -E
If the firewall is already running, then either reboot or reload the rules with the following command: pfctl -f /etc/pf.conf
Windows doesn't respond with RST packets, so neither of these techniques is necessary. However, masscan is still designed to work best using its own IP address, so you should run that way when possible, even when it's not strictly necessary.
The same thing is needed for other checks, such as the --heartbleed check, which is just a form of banner checking.
Code Layout on Masscan
The file main.c contains the main() function, as you'd expect. It also contains the transmit_thread() and receive_thread() functions. These functions have been deliberately flattened and heavily commented so that you can read the design of the program simply by stepping line-by-line through each of them.
Asynchronous
This is an asynchronous design. In other words, it is to nmap what the nginx web server is to Apache. It has separate transmit and receive threads that are largely independent from each other. It's the same kind of design found in scanrand, unicornscan, and ZMap.
Because it's asynchronous, it runs as fast as the underlying packet transmit allows.
Portability
The code runs well on Linux, Windows, and Mac OS X. All the important bits are in standard C (C90). It therefore compiles on Visual Studio with Microsoft's compiler, the Clang/LLVM compiler on Mac OS X, and GCC on Linux.
Windows and Macs aren't tuned for packet transmit, and get only about 300,000 packets per second, whereas Linux can do 1,500,000 packets/second. That's probably faster than you want anyway.
Safe code on Masscan
A bounty is offered for vulnerabilities; see the VULNINFO.md file for more information.
This project uses safe functions like strcpy_s() instead of dangerous functions like strcpy().
This project has automated unit regression tests (make regress).
Compatibility: A lot of effort has gone into making the input/output look like nmap, which everyone who does port scans is (or should be) familiar with.
About the writer of Masscan
This tool was created by Robert Graham:
Email address: robert_david_graham@yahoo.com
Twitter account: @ErrataRob