Nytro Posted September 30, 2014

masscan is the fastest TCP port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it’s faster than these other scanners. In addition, it’s more flexible, allowing arbitrary address ranges and port ranges.

NOTE: masscan uses a custom TCP/IP stack. Anything other than simple port scans will cause conflict with the local TCP/IP stack. This means you need to either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that masscan uses.

PF_RING – Beyond 2 million packets/second

To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as “PF_RING DNA” from PF_RING. Masscan doesn’t need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:

- libpfring.so (installed in /usr/lib/libpfring.so)
- pf_ring.ko (their kernel driver)
- ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

You don’t need to build their version of libpcap.so. When masscan detects that an adapter is named something like dna0 instead of something like eth0, it’ll automatically switch to PF_RING mode.

Usage

Usage is similar to nmap. To scan a network segment for some ports:

# masscan -p80,8000-8100 10.0.0.0/8

This will:

- scan the 10.x.x.x subnet, all 16 million addresses
- scans port 80 and the range 8000 to 8100, or 102 addresses total
- print output to stdout that can be redirected to a file

To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:

# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
# masscan -c xxx.conf --rate 1000

Banner checking

Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interaction with the application at that port in order to grab simple “banner” information. The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner. The easiest way to prevent this is to assign masscan a separate IP address. This would look like the following:

# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

The address you choose has to be on the local subnet and not otherwise be used by another system. In some cases, such as WiFi, this isn’t possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:

# iptables -A INPUT -p tcp --dport 60000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000

On Mac OS X and BSD, it might look like this:

# sudo ipfw add 1 deny tcp from any to any 60000 in
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000

Windows doesn’t respond with RST packets, so neither of these techniques are necessary. However, masscan is still designed to work best using its own IP address, so you should run that way when possible, even when it's not strictly necessary. The same thing is needed for other checks, such as the --heartbleed check, which is just a form of banner checking.

You can download masscan here: 1.0.3.zip
Or read more here.
Source: masscan - The Fastest TCP Port Scanner - Darknet - The Darkside
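Seen from the defended network, the `--source-port 60000` workaround in the post above leaves a recognizable pattern: one source address and one fixed source port sending SYNs to many destinations. The following is an added example (not part of the original post or of masscan) that flags this pattern in firewall logs; the simplified log format, the addresses and the 25-host threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, simplified iptables-style LOG lines (not from the original post).
# 198.51.100.7 probes 40 hosts on port 80 from one pinned source port;
# 192.0.2.10 is an ordinary client whose source port changes per connection.
SAMPLE_LOG = "\n".join(
    [f"IN=eth0 SRC=198.51.100.7 DST=10.0.0.{i} PROTO=TCP SPT=60000 DPT=80 SYN"
     for i in range(1, 41)]
    + [f"IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT={49152 + i} DPT=80 SYN"
       for i in range(40)]
    + ["IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=49152 DPT=80 ACK",
       "IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=UDP SPT=5353 DPT=5353",
       "IN=eth0 SRC=203.0.113.9 PROTO=TCP SPT=bad DPT=80 SYN"]  # malformed
)

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_syn(line):
    """Return (src, dst, sport, dport) for an initial TCP SYN, else None."""
    flags = set(line.split())
    kv = dict(FIELD.findall(line))
    if kv.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    try:
        return kv["SRC"], kv["DST"], int(kv["SPT"]), int(kv["DPT"])
    except (KeyError, ValueError):
        return None  # truncated or malformed line


def pinned_port_scanners(log_text, min_targets=25):
    """Flag (source IP, source port) pairs that sent SYNs to many hosts."""
    targets = defaultdict(set)  # (src, sport) -> distinct destination IPs
    for line in log_text.splitlines():
        rec = parse_syn(line)
        if rec:
            src, dst, sport, _dport = rec
            targets[(src, sport)].add(dst)
    return sorted((src, sport, len(dsts))
                  for (src, sport), dsts in targets.items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src, sport, n in pinned_port_scanners(SAMPLE_LOG):
        print(f"{src} sent SYNs from fixed port {sport} to {n} hosts")
```

An ordinary client draws a new ephemeral source port per connection, so it never accumulates many destinations under a single (source IP, source port) key.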
l3tmeb3 Posted January 11, 2015
It's the same thing as this: https://rstforums.com/forum/81993-alternativa-synscan-pentru-windows.rst
symboss Posted December 2, 2016 (edited)
DELETED
Edited August 13, 2020 by symboss
symboss Posted December 20, 2016 (edited)
DELETED
Edited August 13, 2020 by symboss
paysafe88 Posted January 2, 2017
Different results in masscan using Linux and the Windows GUI: same rate, same range, same port ... Normally it should find pretty much the same IPs.
theeternalwanderer Posted April 9, 2017
2 hours ago, Howard said: there is no better scanner than .ss
What is ".ss"?
aelius Posted April 9, 2017
2 hours ago, theeternalwanderer said: What is ".ss"?
A mass scanner made in 2001 by Bagabontu, which requires uid/gid 0 (synscan). Back then it was the icing on the cake, but the kids, not knowing programming or what a socket is, think they have discovered God when they see it in 2017. There are all sorts of people who believe that if they break into servers with some tools, they are hackers too.
theeternalwanderer Posted April 10, 2017
@aelius thanks for the explanation. I found a copy here - http://www.securiteam.com/tools/5EP0B0ADFO.html. It would be interesting to compare its scanning speed with one I wrote in a fit of anger in Python, although I assume C++ should run faster.
symboss Posted August 4, 2017 (edited)
DELETED
Edited August 13, 2020 by symboss