Scanning with Masscan

Masscan: Lightning-Fast Port Scanning

Masscan is an extremely fast port scanner designed for large-scale reconnaissance. It can scan the entire internet in minutes and comes pre-installed in Kali Linux. Unlike Nmap, which provides in-depth scanning and scripting capabilities, Masscan focuses purely on speed and efficiency.


How Masscan Differs from Nmap

Feature              | Nmap                                       | Masscan
---------------------|--------------------------------------------|--------------------------------------------------------------
Default ports        | Scans top 1000 by default                  | No defaults, must use -p
Target specification | Supports DNS names and CIDR notation       | IP addresses only (no DNS or advanced ranges)
Scan type            | Multiple scan types (-sS, -sT, -sU, etc.)  | Always uses SYN scan (-sS)
Ping before scan     | Pings by default                           | Does not ping targets (-Pn always enabled)
DNS                  | Resolves by default                        | No DNS resolution (-n enforced)
Host order           | Linear unless randomized                   | Hosts are randomized
Packet sending       | OS TCP/IP stack                            | Uses its own TCP/IP stack and sends raw packets (--send-eth)


Basic Usage of Masscan

Scan a target IP range on a specific port:

masscan 192.168.1.0/24 -p80

Scan multiple ports (e.g., 80, 443, 22):

masscan 10.0.0.0/16 -p80,443,22

Scan all 65,535 ports of a single IP:

masscan 192.168.1.100 -p0-65535

You must always specify ports with -p, unlike Nmap.


By default, Masscan cannot perform banner grabbing reliably because of how it interacts with the system's TCP/IP stack. Masscan uses its own custom stack, so the local kernel has no record of the connection: when the target's SYN-ACK arrives, the kernel answers it with a RST and tears the connection down before Masscan can collect banner data.

Workaround for Banner Grabbing

  1. Block your system’s response to the SYN-ACK packet.

  2. Run Masscan using a specific source port.

Example Setup:

iptables -A INPUT -p tcp --dport 61000 -j DROP
masscan 10.0.0.0/8 -p80 --banners --source-port 61000

What This Does:

  • iptables drops incoming packets to port 61000 so your OS won’t reply with a RST.

  • Masscan, using --banners, can then grab banners from services like web servers.

  • --source-port sets Masscan to use port 61000, matching the rule you set.

This technique prevents the local OS from interfering and allows Masscan to gather banner data more reliably.


Masscan Practicals

1. Prevent Local RST Packets (Enable Banner Grabbing)

iptables -A INPUT -p tcp --dport 61000 -j DROP

Explanation: This command blocks inbound TCP traffic on port 61000, preventing your Linux system from replying with RST (Reset) packets.

  • Why it's needed: Masscan uses its own TCP/IP stack, so the local kernel sees the target's SYN-ACK as belonging to no connection it knows about and answers with a RST before Masscan can complete banner grabbing.

  • This rule allows Masscan to capture the server's banner (e.g., HTTP headers, FTP welcome messages) without interruption.

2. Scan Subnet and Grab Banners Using a Custom Source Port

masscan 192.168.1.0/24 -p80 --banners --source-port 61000

Explanation: Scans all hosts in the 192.168.1.0/24 subnet on port 80 and attempts to retrieve service banners.

  • -p80: Specifies HTTP port.

  • --banners: Enables banner grabbing (tries to read basic service info).

  • --source-port 61000: Matches the port you filtered earlier, enabling clean banner capture by avoiding RST interference from the local system.
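The workaround above and practicals 1 and 2 leave the DROP rule in place after the scan, which keeps blocking that port for everything else on the host. The following is an added example, not from the page, that wraps the same two commands so the rule is checked with iptables -C, added only if absent, and always removed afterwards; the runner callback, the default rate and the 192.0.2.0/24 lab range are assumptions.

```python
import subprocess
from typing import Callable, List, Sequence

# A runner executes an argv list and returns its exit status; injectable so
# the sequence of commands can be verified without root or a live network.
Runner = Callable[[Sequence[str]], int]


def shell_runner(argv: Sequence[str]) -> int:
    return subprocess.run(list(argv), check=False).returncode


def rst_drop_rule(src_port: int) -> List[str]:
    # Rule body from the page's setup (iptables -A INPUT -p tcp --dport N -j DROP),
    # shared by -C (check), -A (append) and -D (delete).
    return ["INPUT", "-p", "tcp", "--dport", str(src_port), "-j", "DROP"]


def banner_scan(target: str, ports: str, src_port: int = 61000,
                rate: int = 1000, run: Runner = shell_runner) -> int:
    """Run 'masscan --banners' from src_port with the kernel's RST suppressed
    only for the duration of the scan. Returns masscan's exit status."""
    rule = rst_drop_rule(src_port)
    # 'iptables -C' exits 0 when an identical rule is already present; only
    # add the rule (and later remove it) if it was not there before.
    added = run(["iptables", "-C"] + rule) != 0
    if added and run(["iptables", "-A"] + rule) != 0:
        raise RuntimeError("could not install DROP rule (are you root?)")
    try:
        return run(["masscan", target, f"-p{ports}", "--banners",
                    "--source-port", str(src_port), f"--rate={rate}"])
    finally:
        if added:  # restore the firewall even if masscan fails or is interrupted
            run(["iptables", "-D"] + rule)


if __name__ == "__main__":
    # Hypothetical lab range (RFC 5737 documentation space); needs root to run.
    raise SystemExit(banner_scan("192.0.2.0/24", "80,443"))
```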


3. Scan with a Spoofed Source IP

masscan 192.168.1.0/24 -p80 --banners --source-ip 192.168.1.5

Explanation: Performs the same scan as above, but uses 192.168.1.5 as the source IP.

  • --source-ip: Useful in environments where you want to impersonate a specific internal IP, or conduct scans via a certain interface.

Caution:

  • This requires appropriate network configuration.

  • Replies are sent to the spoofed address, so it must route back to the scanning machine, or Masscan will never see the responses.


Pro Tip for Bug Bounty & Red Teamers

Use Masscan to quickly discover open ports across large IP ranges, and export the results to feed into Nmap for deeper scanning:

masscan -p80,443 1.2.3.0/24 --rate=10000 -oG masscan-results.txt

Each open port is reported on its own Host: line of the grepable output, so extract the address by pattern and de-duplicate the list before handing it to Nmap:

grep -oE 'Host: [0-9.]+' masscan-results.txt | awk '{print $2}' | sort -u > targets.txt
nmap -iL targets.txt -sV -sC
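Rather than rescanning every port on every host, the hand-off can carry over the exact ports Masscan found open. This added example (not from the page) parses grepable output into a per-host port list and builds one targeted Nmap command per host; the sample lines are constructed, the Timestamp-prefixed line layout is reproduced from memory of masscan's -oG format rather than from the page, and the -Pn -n flags are an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of 'masscan -oG' output (not real scan data). Each open
# port is its own line, and current versions prefix a 'Timestamp:' field, so
# splitting on spaces and taking field 2 does not yield the address.
SAMPLE_GREPABLE = (
    "# Masscan 1.3.2 scan initiated Wed Jan  1 00:00:00 2025\n"
    "# Ports scanned: TCP(3;22-22,80-80,443-443) UDP(0;) SCTP(0;) PROTOCOLS(0;)\n"
    "Timestamp: 1735689600\tHost: 192.0.2.10 ()\tPorts: 80/open/tcp////\n"
    "Timestamp: 1735689601\tHost: 192.0.2.10 ()\tPorts: 443/open/tcp////\n"
    "Timestamp: 1735689602\tHost: 192.0.2.25 ()\tPorts: 443/open/tcp////\n"
    "Host: 192.0.2.40 ()\tPorts: 22/open/tcp////\n"  # older layout, no timestamp
)

# Match by field name rather than position so both line layouts parse.
HOST_LINE = re.compile(r"Host:\s+(\S+)\s+\(\)\s+Ports:\s+(\d+)/(\w+)/(\w+)")


def parse_grepable(text: str) -> Dict[str, List[int]]:
    """Return {ip: sorted open TCP ports} from masscan grepable output."""
    found = defaultdict(set)
    for line in text.splitlines():
        if line.startswith("#"):
            continue                    # header/comment lines
        m = HOST_LINE.search(line)
        if not m:
            continue                    # not a Host: record
        ip, port, state, proto = m.groups()
        if state == "open" and proto == "tcp":
            found[ip].add(int(port))
    return {ip: sorted(ports) for ip, ports in found.items()}


def nmap_commands(hosts: Dict[str, List[int]]) -> List[str]:
    """One Nmap command per host, limited to the ports Masscan found open.
    -Pn/-n (assumed): Masscan already proved the host answers, so skip ping and DNS."""
    return [
        f"nmap -Pn -n -sV -sC -p{','.join(str(p) for p in ports)} {ip}"
        for ip, ports in sorted(hosts.items())
    ]


if __name__ == "__main__":
    for cmd in nmap_commands(parse_grepable(SAMPLE_GREPABLE)):
        print(cmd)
```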

Masscan – Bottom Line

While Masscan is incredibly fast and efficient for large-scale port scanning, it comes with a few important considerations:

  • Learning Curve: Masscan is not as beginner-friendly as Nmap. Its syntax and raw TCP/IP stack require a solid understanding of networking concepts.

  • Documentation Is Key: Carefully reading the official documentation is essential to avoid misconfigurations or unexpected behavior.

  • Exceptional Speed: When properly configured, Masscan can scan millions of IPs and ports in seconds. It's ideal for broad, fast reconnaissance.

  • Banner Grabbing Limitations: While it supports banner grabbing, the results are not as reliable or detailed as Nmap’s service detection capabilities. This is due to how Masscan handles connections independently of the system’s TCP/IP stack.

Recommendation: Use Masscan for initial reconnaissance (especially in large IP ranges), and follow up with Nmap for in-depth scanning and analysis.
