MasScan: One of the FASTest TCP port scanners!



INTRO:

This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

Internally, it uses asynchronous transmissions, similar to port scanners like scanrand, unicornscan, and ZMap. It's more flexible, allowing arbitrary port and address ranges.

Note: MasScan uses a custom TCP/IP stack, so anything beyond a simple port scan will conflict with the local TCP/IP stack: the kernel sees replies to connections it never opened and answers them with RSTs. To avoid this, use the -S option to scan from a separate IP address, or configure your OS to firewall the ports that masscan uses.

Differences between nmap and masscan

They are similar, but not identical. Main differences:

  • no default ports to scan, you must specify -p <ports>
  • target hosts are IP addresses or simple ranges, not DNS names, nor the funky subnet ranges nmap can use (like 10.0.0-255.0-255).

masscan & PF_RING — Beyond 2 million packets/second

To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as “PF_RING DNA” from http://www.ntop.org/products/packet-capture/pf_ring/. MasScan doesn’t need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:

  • libpfring.so (installed in /usr/lib/libpfring.so)
  • pf_ring.ko (their kernel driver)
  • ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

You don’t need to build their version of libpcap.so.

When MasScan detects that an adapter is named something like dna0 instead of something like eth0, it’ll automatically switch to PF_RING mode.

How to use MasScan for TCP scanning

Usage is similar to nmap. To scan a network segment for some ports:

$ masscan -p80,8000-8100 10.0.0.0/8

This will:

  • scan the 10.x.x.x subnet, all 16 million addresses
  • scan port 80 and the range 8000 to 8100, or 102 ports total
  • print output to stdout, which can be redirected to a file

To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:

$ masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
$ masscan -c xxx.conf --rate 1000
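Before launching a scan built from such a config file, it is worth knowing how many probes it will send and how long it will run at the configured rate. The script below is an added example, not masscan's own code: a small planner that reads the `key = value` lines that --echo writes and -c reads back, counts the ports and addresses, and estimates the duration. It assumes the keys `ports`, `range` and `rate` are present, that ports use the nmap-style list syntax (80,8000-8100), and that a range is either CIDR (10.0.0.0/8) or a dotted first-last pair (10.0.0.0-10.255.255.255); the sample config at the end is constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the masscan project): plan a scan from a
# masscan-style config file and estimate its duration at the configured rate.

# Count the ports in a comma-separated list of single ports and lo-hi ranges.
port_count() {
    total=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item;      hi=$item ;;
        esac
        for p in "$lo" "$hi"; do
            case "$p" in ''|*[!0-9]*) echo "bad port spec: $item" >&2; return 1 ;; esac
        done
        if [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "bad port spec: $item" >&2; return 1
        fi
        total=$((total + hi - lo + 1))
    done
    echo "$total"
}

# Convert a dotted-quad address to a 32-bit integer, rejecting malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo "bad address" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad address" >&2; return 1; }
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Number of addresses in a CIDR block, a first-last range, or a single address.
host_count() {
    case "$1" in
        */*)
            bits=${1#*/}
            case "$bits" in ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;; esac
            [ "$bits" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
            echo $(( 1 << (32 - bits) )) ;;
        *-*)
            first=$(ip_to_int "${1%-*}") || return 1
            last=$(ip_to_int "${1#*-}") || return 1
            [ "$last" -ge "$first" ] || { echo "bad range: $1" >&2; return 1; }
            echo $(( last - first + 1 )) ;;
        *)
            ip_to_int "$1" >/dev/null && echo 1 ;;
    esac
}

# Read "key = value" from a masscan-style config file; the last occurrence wins.
conf_get() {
    awk -F' *= *' -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Probes = ports x hosts; duration in whole seconds at the configured rate
# (the rate may be fractional, as --echo prints it, so awk does the division).
estimate_seconds() {
    ports=$(port_count "$(conf_get "$1" ports)") || return 1
    hosts=$(host_count "$(conf_get "$1" range)") || return 1
    rate=$(conf_get "$1" rate)
    awk -v p="$ports" -v h="$hosts" -v r="$rate" 'BEGIN { printf "%d\n", (p * h) / r }'
}

# Constructed sample config: the three keys this planner reads, in the form
# "masscan -p80,8000-8100 10.0.0.0/8 --echo" would write them (the real dump
# contains many more settings).
CONF=${TMPDIR:-/tmp}/masscan-planner-example.conf
cat > "$CONF" <<'EOF'
rate = 1000.00
ports = 80,8000-8100
range = 10.0.0.0-10.255.255.255
EOF

echo "ports:   $(port_count "$(conf_get "$CONF" ports)")"
echo "hosts:   $(host_count "$(conf_get "$CONF" range)")"
echo "seconds: $(estimate_seconds "$CONF")"
```

Run against the sample, the planner reports 102 ports, 16,777,216 hosts and about 1,711,276 seconds, i.e. close to 20 days: a /8 at --rate 1000 is a long-running job, and the rate in the config is the knob that decides whether a scan finishes in minutes or weeks.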

Installing on Debian/Ubuntu:

$ sudo apt-get install git gcc make libpcap-dev
$ cd Downloads
$ tar xf masscan-1.0.4
$ cd masscan-1.0.4
$ make

After building, the binary is located in the masscan/bin subdirectory. If you want, you can install it elsewhere on the system manually by copying it to a directory such as /usr/local/bin.

The build will go a lot faster if you use a multi-threaded build:

$ make -j
