2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Masscan: the fastest Internet IP port scanner
Masscan claims to be the fastest Internet port scanner, which can sweep the Internet in as little as six minutes.
The scan results of masscan are similar to those of nmap (a well-known port scanner). Internally, it is more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The main difference is that masscan is faster than these scanners. It is also more flexible, allowing you to specify arbitrary address ranges and port ranges.
Installation configuration
On Debian/Ubuntu systems, the installation method is as follows:
$ sudo apt-get install git gcc make libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make
Note: the executable program after installation is in masscan/bin.
You can also use multithreading to speed up compilation: make -j
PF_RING
If you want to achieve speeds of more than 2 million packets per second, you need an Intel 10-Gbps network card and a special driver called PF_RING DNA (http://www.ntop.org/products/pf_ring/). Masscan does not need to be rebuilt to use PF_RING; you just need to build the following components:
libpfring.so (installed in /usr/lib/libpfring.so)
pf_ring.ko (PF_RING's own kernel driver)
ixgbe.ko (Intel 10-Gbps NIC driver)
You do not need to build your own libpcap.so.
When masscan detects that the network card is dna0, it will automatically switch to PF_RING mode.
Self-test
When the installation is complete, you can test whether the installation is successful:
$ make regress
bin/masscan --regress
selftest: success!
Usage
The usage is similar to nmap: scan the specified ports across a specified range of network segments.
# masscan -p80,8000-8100 10.0.0.0/8
This command will do the following:
1. Scan the 10.x.x.x subnet, which has about 16 million addresses
2. Scan port 80 and the port range 8000-8100
3. Print the result to standard output, which can be redirected to a file
Alternatively, --echo writes the current configuration to a configuration file, and -c loads that configuration file for scanning:
# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
# masscan -c xxx.conf --rate 1000
Getting banners
Masscan doesn't just test whether the port is open, it can also get the Banner information of the target application while completing the TCP connection.
# masscan 10.0.0.0/8 -p80 --banners --source-ip x.x.x.x
This command scans port 80 across the 10.x.x.x range and retrieves banner information from the open ports. --source-ip specifies the source IP; it must be a separate, valid IP address.
Alternatively, you can configure the local firewall to drop incoming packets on the source port masscan uses, so that the operating system's own TCP stack does not answer them and interfere with banner collection.
On Linux, this can be configured as follows:
# iptables -A INPUT -p tcp --dport 60000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000
On Mac OS X and BSD, it can be configured like this:
# sudo ipfw add 1 deny tcp from any to any 60000 in
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000
You can also check for other kinds of information in the same way as getting banners, such as the Heartbleed vulnerability (--heartbleed).
Scan the whole network
You can initiate a scan of the entire Internet with the following commands
# masscan 0.0.0.0/0 -p0-65535
Sometimes scanning the Internet may cause you some trouble, and you may be invited to tea. Therefore, we can set the blacklist to make the scanner ignore some network segments when scanning. The syntax is as follows:
# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
You can also output the scan results to a specified file instead of the command line.
# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml
This command saves the results of the scan in an XML file.
The scanner uses a default rate of 100 packets per second, which needs to be increased if it is to scan the whole network.
# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000
This command will scan at a rate of 100000 packets per second.
The above commands may be a bit cumbersome to enter, and we can create a configuration file and then run it by loading the configuration file. The contents of the configuration file are as follows:
rate = 100000
output-format = xxx
output-status = all
output-filename = xxx.xxx
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt
When scanning, load the configuration file with -c, which saves a lot of effort when you run the same scan repeatedly.
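The effect of the rate and of an exclusion list on a scan like the ones above can be worked out before running it. The following is an added example, not part of the original article or of masscan: it counts the addresses left after exclusions and estimates the send time, assuming one probe per address/port pair (no retries); the function names and the excluded ranges are hypothetical.

```python
import ipaddress

def parse_ports(spec):
    """Expand a port spec such as '80,8000-8100' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def parse_target(text):
    """Parse a single IP, an 'a-b' range, or a CIDR block into networks."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]

def count_targets(targets, excludes=()):
    """Count addresses in targets that survive the exclusion list."""
    remaining = list(ipaddress.collapse_addresses(
        net for t in targets for net in parse_target(t)))
    for ex in (net for e in excludes for net in parse_target(e)):
        kept = []
        for net in remaining:
            if not net.overlaps(ex):
                kept.append(net)                      # untouched by this exclusion
            elif ex.subnet_of(net) and ex != net:
                kept.extend(net.address_exclude(ex))  # carve the excluded hole out
            # otherwise net lies entirely inside the exclusion and is dropped
        remaining = kept
    return sum(net.num_addresses for net in remaining)

def estimate(targets, ports, rate, excludes=()):
    """Return (probes, seconds), assuming one probe per address/port pair."""
    probes = count_targets(targets, excludes) * len(parse_ports(ports))
    return probes, probes / rate

if __name__ == "__main__":
    excl = ["10.1.0.0/16", "10.0.0.1-10.0.0.10"]  # hypothetical exclusion list
    for rate in (100, 1000, 100000):
        probes, secs = estimate(["10.0.0.0/8"], "80,8000-8100", rate, excl)
        print(f"rate {rate:>6}/s: {probes} probes, about {secs / 3600:.1f} hours")
```

At the default rate of 100 packets per second the 10.0.0.0/8 scan from the usage section would take months, which is why the rate has to be set explicitly for large ranges.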
Result output
There are five main output formats:
XML: the default format. Specified using -oX, or --output-format xml and --output-filename
Binary: masscan's built-in format
Grepable: the nmap grepable format. Specified using -oG, or --output-format grepable and --output-filename
JSON: specified using -oJ, or --output-format json and --output-filename
List: a simple list with one host/port pair per line. Specified using -oL, or --output-format list and --output-filename
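To act on the list output, a defender can compare it with the services each host is supposed to expose. This is an added example, not code from the original article or from masscan; it assumes each -oL result line has the layout "status protocol port ip timestamp" with "#" comment lines, and the sample output and the baseline are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of list (-oL) output; the line layout is an assumption.
SAMPLE = """\
#masscan
open tcp 80 10.0.0.5 1700000000
open tcp 8080 10.0.0.5 1700000001
open tcp 22 10.0.0.9 1700000002
open tcp 80 10.0.0.9 1700000003
open tcp 8000 10.0.0.23 1700000004
# end
"""

# Constructed baseline: the services each host is expected to expose.
BASELINE = {
    "10.0.0.5": {("tcp", 80)},
    "10.0.0.9": {("tcp", 22), ("tcp", 80)},
}

def parse_list_output(text):
    """Return {ip: {(proto, port), ...}} for every 'open' line."""
    hosts = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # header, footer or blank line
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        status, proto, port, ip = fields[:4]
        if status != "open":
            continue                      # only open ports matter here
        ipaddress.ip_address(ip)          # raises ValueError on a malformed address
        hosts[ip].add((proto, int(port)))
    return dict(hosts)

def unexpected_services(hosts, baseline):
    """List (ip, proto, port) tuples that the baseline does not allow."""
    findings = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        extra = hosts[ip] - baseline.get(ip, set())
        findings.extend((ip, proto, port) for proto, port in sorted(extra))
    return findings

if __name__ == "__main__":
    for ip, proto, port in unexpected_services(parse_list_output(SAMPLE), BASELINE):
        print(f"unexpected open port: {ip} {proto}/{port}")
```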
Transmission speed
Masscan sends packets very fast. On Windows, it can reach 300000 packets per second; on Linux, it can reach 1.6 million packets per second. Masscan randomly selects the target IP when scanning, so it does not put pressure on the remote host.
By default, masscan sends packets at a speed of 100 packets per second. To increase the speed, set a higher rate, for example --rate 100000.
Detailed parameters
IP address range: there are three valid formats: 1. a single IPv4 address; 2. a range such as "10.0.0.1-10.0.0.233"; 3. a CIDR address such as "0.0.0.0/0". Multiple targets can be specified, separated by commas.
-p: specify the ports to scan
--banners: get banner information; only a small number of protocols are supported
--rate: specify the rate at which packets are sent
-c, --conf: read a configuration file for the scan
--echo: redirect the current configuration to a configuration file
-e, --adapter: specify the name of the network interface used to send packets
--adapter-ip: specify the source IP address of outgoing packets
--adapter-port: specify the source port of outgoing packets
--adapter-mac: specify the source MAC address of outgoing packets
--router-mac: specify the MAC address of the gateway
--exclude: IP address range blacklist, preventing masscan from scanning those addresses
--excludefile: specify an IP address range blacklist file
--includefile, -iL: read a list of ranges to scan
--ping: the scan should include an ICMP echo request
--append-output: append output to the file
--iflist: list the available network interfaces, then exit
--retries: number of retries to send, at 1-second intervals
--nmap: print information about nmap compatibility
--http-user-agent: set the value of the User-Agent field
--show [open,close]: select which port states to display; by default open ports are displayed
--noshow [open,close]: disable display of the given port states
--pcap: store received packets in libpcap format
--regress: run the regression test to check whether the scanner is working properly
--ttl: specify the TTL value of outgoing packets, which defaults to 255