One of my favorite sub-reddits is /r/coolgithubprojects. I check it out a few times a week looking for interesting open source projects. One interesting project that I recently found is called MASSCAN and claims to be able to scan, as in port scan, the entire internet in 5 minutes. It works in a similar way to nmap. I thought I’d try it out and show you the results.
Install
Pretty simple Ubuntu install; I didn’t run into any issues and it compiled quickly. I simply followed the instructions for Ubuntu in the README. I used one of my medium instances on EC2.
Run
time ./masscan -p80 10.0.0.0/8 --max-rate 100000 --output-format list --output-filename results.txt
Under these settings, it should transmit 100,000 packets/second across the entire 10.x.x.x range, all 16 million addresses, and write a list of hosts responding on port 80 to results.txt.
Results
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2017-01-19 16:42:20 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 16777216 hosts [1 port/host]
real 7m42.419s
user 0m6.103s
sys 0m10.358s
Output – results.txt
Masscan ran for exactly 7 minutes 42 seconds. At the end, the results.txt file was empty. I’m not sure what I did wrong; it could be getting blocked at this packet rate on the Amazon EC2 network. But there should have been 30-50 or so hosts with port 80 up in a mix of local and WAN hosts. Comment if you know what’s wrong. I’d love to see someone else’s results.
Config File
# resume information
resume-index = 3687
rate = 100.00
randomize-hosts = true
seed = 4219316085641713192
shard = 1/1
# ADAPTER SETTINGS
adapter =
adapter-ip = 10.3.12.4
adapter-mac = 00:00:00:00:00:00
router-mac = 00:00:00:00:00:00
# OUTPUT/REPORTING SETTINGS
output-format = unknown(0)
show = open,,
output-filename =
rotate = 0
rotate-dir = .
rotate-offset = 0
rotate-filesize = 0
pcap =
# TARGET SELECTION (IP, PORTS, EXCLUDES)
retries = 0
ports = 80
range = 10.0.0.0/8
capture = cert
nocapture = html
nocapture = heartbleed
min-packet = 60
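
The command line above asks for 100,000 packets/second and list output to results.txt, while the config dump shows other values for the same settings. The following is an added example (not from the original post or the masscan project) that parses both, lists where they disagree, and computes the ideal scan time for a given rate; the option-to-key mapping in FLAG_TO_KEY is an assumption, and the config is an excerpt of the one shown.

```python
import ipaddress
import shlex

# Command line and config excerpt copied from the page (not the full config).
COMMAND = ("./masscan -p80 10.0.0.0/8 --max-rate 100000 "
           "--output-format list --output-filename results.txt")
CONFIG = """\
# resume information
rate = 100.00
output-format = unknown(0)
output-filename =
"""
# Assumption: each of these long options is saved under this config key.
FLAG_TO_KEY = {"--max-rate": "rate", "--output-format": "output-format",
               "--output-filename": "output-filename"}

def parse_config(text):
    """Return {key: value} from 'key = value' lines, skipping '#' comments."""
    rows = (ln.partition("=") for ln in text.splitlines()
            if not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, sep, v in rows if sep}

def parse_flags(command):
    """Return {flag: value} for the long options listed in FLAG_TO_KEY."""
    argv = shlex.split(command)
    return {a: argv[i + 1] for i, a in enumerate(argv[:-1]) if a in FLAG_TO_KEY}

def same(a, b):
    """Compare as numbers when both parse as numbers, otherwise as strings."""
    try:
        return float(a) == float(b)
    except ValueError:
        return a == b

def mismatches(command, config_text):
    """List (flag, requested, saved) where the config differs from the command."""
    conf = parse_config(config_text)
    pairs = [(f, v, conf.get(FLAG_TO_KEY[f], ""))
             for f, v in parse_flags(command).items()]
    return [p for p in pairs if not same(p[1], p[2])]

def scan_seconds(cidr, ports, rate):
    """Ideal duration: one probe per address per port at a constant rate."""
    return ipaddress.ip_network(cidr).num_addresses * ports / float(rate)

if __name__ == "__main__":
    for flag, want, got in mismatches(COMMAND, CONFIG):
        print(f"{flag}: command line {want!r}, config {got!r}")
```

Calling scan_seconds("10.0.0.0/8", 1, rate) with the two rate values gives the ideal durations to compare against the measured 7m42s.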
You know 10/8 is not routed/private?
Hi – yes, it’s a multi-datacenter private cloud network with 200 or so hosts all over 10/8