### Multi-Adapter Scanning Source: https://context7.com/robertdavidgraham/masscan/llms.txt This example shows how to utilize multiple network adapters on a single machine for parallel scanning tasks. Each adapter can be assigned a specific shard of the scan, allowing for increased throughput. ```bash masscan 10.0.0.0/8 -p80 --adapter eth0 --shard 1/2 -oX eth0.xml & masscan 10.0.0.0/8 -p80 --adapter eth1 --shard 2/2 -oX eth1.xml & ``` -------------------------------- ### Banner Grabbing for Service Version Detection Source: https://context7.com/robertdavidgraham/masscan/llms.txt This example demonstrates how to use masscan to retrieve service banners from open ports. This information can be crucial for identifying service versions and potential vulnerabilities. ```bash # Banner grabbing for version detection masscan 10.0.0.0/8 -p22,80,443,3389 \ --banners \ --source-ip 192.168.1.200 \ -oX service_versions.xml ``` -------------------------------- ### Multi-Adapter PF_RING Scanning Source: https://context7.com/robertdavidgraham/masscan/llms.txt This example shows how to perform sharded scanning across multiple network adapters using PF_RING ZC. Each adapter handles a portion of the scan, maximizing performance on multi-NIC systems. ```bash # Multi-adapter PF_RING scanning masscan 0.0.0.0/0 -p80 --adapter zc:enp1s0 --shard 1/2 -oB adapter1.bin & masscan 0.0.0.0/0 -p80 --adapter zc:enp2s0 --shard 2/2 -oB adapter2.bin & ``` -------------------------------- ### IPv6 Target List Scanning Source: https://context7.com/robertdavidgraham/masscan/llms.txt This example shows how to scan IPv6 targets by providing a list of addresses and CIDR ranges in a file. Masscan reads this file using the --includefile option, enabling efficient scanning of large IPv6 address spaces. ```bash # Create IPv6 target list cat > ipv6_targets.txt << 'EOF' 2001:db8::1 2001:db8::2 2001:db8:1234::/64 2606:2800:220:1::/64 EOF # Scan from file masscan --includefile ipv6_targets.txt \ -p80,443,8080 \ --rate 10000 \ -oJ ipv6_results.json ``` -------------------------------- ### Advanced Protocol Scanning (UDP, SCTP, TCP/UDP Combo) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Demonstrates scanning different protocols beyond standard TCP. It includes examples for UDP scans with common ports, SCTP scans on specific ports, and a combined TCP and UDP scan. ```bash # UDP scan with common ports masscan 10.0.0.0/8 -pU:53,123,161,500 --rate 10000 -oJ udp_scan.json # SCTP scan masscan 10.0.0.0/16 --sctp -p36412,2905 -oX sctp_scan.xml # Combined TCP and UDP scan masscan 10.0.0.0/8 -p80,443,U:53,U:161 --rate 50000 -oX combined.xml ``` -------------------------------- ### Masscan: Scan Entire Internet on Port 80 Source: https://github.com/robertdavidgraham/masscan/wiki/IP-address-target-range This command initiates a scan of the entire IPv4 address space (0.0.0.0/0) specifically targeting port 80. It's a basic example demonstrating Masscan's capability to cover all possible IP addresses. ```bash # masscan 0.0.0.0/0 -p 80,8080,3128 ``` -------------------------------- ### Newer MacOS/OpenBSD pf Rule for Masscan Banner Check Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md This example shows how to block incoming TCP traffic within a specified port range using `pf` on newer macOS and OpenBSD systems. This rule prevents the local stack from seeing the packets, allowing Masscan to capture banners. The rules are added to `/etc/pf.conf` and then enabled. ```bash block in proto tcp from any to any port 40000:40015 # Enable firewall: # pfctl -E # Or reload rules: # pfctl -f /etc/pf.conf ``` -------------------------------- ### DHCPv6 Range Scanning Source: https://context7.com/robertdavidgraham/masscan/llms.txt This example illustrates scanning a specific DHCPv6 range, typically used for dynamic address assignment. It targets common web ports (80, 443) within a large IPv6 subnet. ```bash # DHCPv6 range scanning (first 64k addresses) masscan 2001:db8:1234:5678::/112 -p80,443 --rate 50000 -oX dhcpv6.xml ``` -------------------------------- ### Linux iptables Rule for Masscan Banner Check Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md This example shows how to configure Linux iptables to drop packets on a specific port, preventing the local TCP/IP stack from interfering with Masscan's banner grabbing. The `--source-port` should be chosen carefully to avoid conflicts with the system's ephemeral port range. ```bash # iptables -A INPUT -p tcp --dport 61000 -j DROP # masscan 10.0.0.0/8 -p80 --banners --source-port 61000 ``` -------------------------------- ### Add Ports to Scan with Masscan Source: https://github.com/robertdavidgraham/masscan/wiki/ports This example illustrates how Masscan handles additive port specification. If a port parameter is specified a second time, the effective ports are combined. Here, ports 20-25 and port 80 will be scanned. ```bash # masscan -p20-25 --ports 80 ``` -------------------------------- ### Masscan: Scan a Single Host on Specific Ports Source: https://github.com/robertdavidgraham/masscan/wiki/IP-address-target-range This command scans a single IP address (192.168.1.2) for ports 80, 8080, and 3128. It's the simplest form of scanning, targeting a sole host. ```bash # masscan 192.168.1.2 -p80,8080,3128 ``` -------------------------------- ### Offline Performance Test Source: https://context7.com/robertdavidgraham/masscan/llms.txt This example performs an 'offline' scan, meaning masscan simulates sending packets without actually transmitting them on the network. This is useful for testing scanner performance and capabilities without impacting live systems. ```bash # Offline performance test (no actual transmission) masscan 0.0.0.0/4 -p80 --rate 100000000 --offline ``` -------------------------------- ### Masscan: Scan a Specific IP Range on Specific Ports Source: https://github.com/robertdavidgraham/masscan/wiki/IP-address-target-range This command scans a defined range of IP addresses (10.0.0.100 to 10.0.0.200) for ports 80, 8080, and 3128. It demonstrates how to specify a contiguous block of IP addresses for scanning. ```bash # masscan 10.0.0.100-10.0.0.200 -p80,8080,3128 ``` -------------------------------- ### Fuzzing HTTP with Masscan and AFL Source: https://github.com/robertdavidgraham/masscan/blob/master/doc/howto-afl.md This command demonstrates how to use Masscan with AFL to fuzz the HTTP protocol. It specifies reading traffic from a PCAP file, hardcoding TCP/IP stack parameters, and enabling banner retrieval for protocol interaction. This setup is crucial for testing Masscan's protocol parsing capabilities against AFL-generated inputs. ```bash bin/masscan --nobacktrace --adapter file:data/afl-http.pcap --source-ip 10.20.30.200 --source-port 6000 --source-mac 00-11-22-33-44-55 --router-mac c0-c1-c0-a0-9b-9d --seed 0 --banners -p80 74.125.196.147 --nostatus ``` -------------------------------- ### Masscan: Scan Private IP Ranges on Specific Ports Source: https://github.com/robertdavidgraham/masscan/wiki/IP-address-target-range This command scans multiple private IP address ranges (10.0.0.0/24, 192.168.0.0/16, 172.16.0.0/20) for ports 80, 8080, and 3128. It showcases the use of CIDR notation for targeted internal network scanning. ```bash # masscan 10.0.0.0/24 192.168.0.0/16 172.16.0.0/20 -p80,8080,3128 ``` -------------------------------- ### Configuration Management and Resume (Bash) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Demonstrates how to save scan configurations to a file and resume interrupted scans. This allows for persistence and restarting scans without re-entering all parameters. State is saved automatically upon interruption. ```bash # Export current configuration masscan -p80,443 10.0.0.0/8 --echo > saved_config.conf # Modify and rerun with different rate masscan -c saved_config.conf --rate 50000 # Pause scan (Ctrl+C) - masscan saves state to paused.conf # Resume from saved state masscan -c paused.conf # Sample saved configuration: # rate = 100.00 # randomize-hosts = true # seed = 1234567890 # shard = 1/1 # # TARGET RANGES # range = 10.0.0.0-10.255.255.255 # # EXCLUDE RANGES # exclude = 10.0.0.0-10.0.0.255 # # OUTPUT # output-format = xml # output-filename = scan.xml ``` -------------------------------- ### Sharded Scanning Across Multiple Machines (Bash) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Illustrates how to distribute scans across multiple machines or network adapters using sharding. This improves scalability and allows for parallel scanning efforts. Requires consistent seed and shard parameters for each instance. ```bash # Machine 1: Scan first shard (1 of 3) masscan 0.0.0.0/0 -p80 \ --rate 100000 \ --shard 1/3 \ --seed 1234567890 \ -oX shard1.xml ``` -------------------------------- ### Banner Grabbing and Firewall Configuration (Bash) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Enables retrieving service banners by completing TCP connections, alongside instructions for configuring OS firewall rules (iptables on Linux, pf on macOS/BSD) to prevent interference. Supports various output formats like JSON and XML. ```bash # Linux: Block local TCP/IP stack interference with iptables iptables -A INPUT -p tcp --dport 61000 -j DROP masscan 10.0.0.0/8 -p80,443,22 \ --banners \ --source-port 61000 \ -oJ banners.json # Alternative: Use dedicated source IP masscan 10.0.0.0/8 -p80,443 \ --banners \ --source-ip 192.168.1.200 \ -oX banners.xml # macOS/BSD: Use pf packet filter echo "block in proto tcp from any to any port 40000:40015" >> /etc/pf.conf pfctl -E pfctl -f /etc/pf.conf masscan 10.0.0.0/8 -p80 --banners --source-port 40000 # Sample JSON output with banners: # [ # { "ip": "10.0.5.23", "timestamp": "1609459200", "ports": [ # {"port": 80, "proto": "tcp", "status": "open", # "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0"} # ]}, # { "ip": "10.0.5.45", "timestamp": "1609459205", "ports": [ # {"port": 22, "proto": "tcp", "status": "open", # "banner": "SSH-2.0-OpenSSH_7.9"} # ]} # ] ``` -------------------------------- ### Output Format Conversion (Bash) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Shows how to generate scan results in various formats including XML, JSON, grepable, list, and binary. It also covers converting binary scan files back into human-readable formats like XML. ```bash # Generate scan results in different formats masscan 10.0.0.0/24 -p1-1000 -oX scan.xml masscan 10.0.0.0/24 -p1-1000 -oJ scan.json masscan 10.0.0.0/24 -p1-1000 -oG scan.grep masscan 10.0.0.0/24 -p1-1000 -oL scan.list masscan 10.0.0.0/24 -p1-1000 -oB scan.bin # Convert binary format to XML masscan --readscan scan.bin -oX converted.xml # Sample list format output (scan.list): # open tcp 80 10.0.0.5 1609459200 # open tcp 443 10.0.0.5 1609459201 # open tcp 22 10.0.0.12 1609459205 # open tcp 3306 10.0.0.18 1609459210 # Sample grepable format (scan.grep): # Host: 10.0.0.5 () Ports: 80/open/tcp//http///, 443/open/tcp//https/// # Host: 10.0.0.12 () Ports: 22/open/tcp//ssh/// ``` -------------------------------- ### Simultaneous IP and Port Selection using Index Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Shows how to derive both an IP address and a port number from a single index variable by using division and modulus operations. This approach is used when scanning multiple ports across a range of IP addresses. ```c range = ip_count * port_count; for (i = 0; i < range; i++) { ip = pick(addresses, i / port_count); port = pick(ports, i % port_count); scan(ip, port); } ``` -------------------------------- ### Translating Index to IP Address with Pick Function Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Demonstrates how an index variable is converted into an IP address using a hypothetical 'pick' function, which selects an IP from a list of addresses based on the index. This is a core component of Masscan's target selection. ```c for (i = 0; i < range; i++) { ip = pick(addresses, i); scan(ip); } ``` -------------------------------- ### Basic Index Iteration for Scanning Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Illustrates a fundamental C-style loop for iterating through a range of targets and invoking a scan function for each index. This serves as the baseline for understanding Masscan's randomization process. ```c for (i = 0; i < range; i++) { scan(i); } ``` -------------------------------- ### Encrypted Index with Seed for Scanning Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Illustrates how a 'seed' or 'key' can be incorporated into the encryption function to generate a different, randomized scanning order each time. This is useful for reproducible or varied scanning patterns. ```c range = ip_count * port_count; for (i = 0; i < range; i++) { x = encrypt(seed, i); ip = pick(addresses, x / port_count); port = pick(ports, x % port_count); scan(ip, port); } ``` -------------------------------- ### Masscan Banner Check with Source IP (IPv6) Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md This command illustrates banner checking with Masscan using a specified source IP address for IPv6 targets. Similar to IPv4, it utilizes the `--banners` and `--source-ip` flags. The source IP must be valid and on the local subnet. ```bash # masscan 2a00:1450:4007:810::/112 -p80 --banners --source-ip 2603:3001:2d00:da00:91d7:b54:b498:859d ``` -------------------------------- ### Performance Test with Packet Statistics Source: https://context7.com/robertdavidgraham/masscan/llms.txt This command runs a scan with the --stats option enabled, providing real-time packet statistics at specified intervals. This is valuable for monitoring and analyzing the scanner's performance during a test. ```bash # Performance with packet statistics masscan 10.0.0.0/8 -p80 \ --rate 1000000 \ --stats \ --stats-interval 10 ``` -------------------------------- ### Sharded Scanning and Result Combination Source: https://context7.com/robertdavidgraham/masscan/llms.txt This section demonstrates how to divide a large scan across multiple machines using the --shard option and then combine the XML output files from each shard into a single file. This is useful for distributing the scanning load. ```bash masscan 0.0.0.0/0 -p80 \ --rate 100000 \ --shard 2/3 \ --seed 1234567890 \ -oX shard2.xml masscan 0.0.0.0/0 -p80 \ --rate 100000 \ --shard 3/3 \ --seed 1234567890 \ -oX shard3.xml # Combine results cat shard1.xml shard2.xml shard3.xml > complete_scan.xml ``` -------------------------------- ### PF_RING ZC High-Performance Scan Source: https://context7.com/robertdavidgraham/masscan/llms.txt This demonstrates configuring and using PF_RING ZC for high-speed network scanning, capable of 10Gbps+ throughput. It requires loading specific kernel modules and using the ZC interface. ```bash # Load PF_RING kernel module modprobe pf_ring # Load Intel 10gbps driver modprobe ixgbe # Scan using PF_RING ZC interface (10M+ pps capable) masscan 0.0.0.0/0 -p80,443 \ --adapter zc:enp1s0 \ --rate 10000000 \ -oB internet_scan.bin ``` -------------------------------- ### Masscan Banner Check with Source IP (IPv4) Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md This command demonstrates how to perform banner checking with Masscan using a specified source IP address for IPv4 targets. It requires the `--banners` flag and a `--source-ip` that is on the local subnet and not in use by other systems. ```bash # masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200 ``` -------------------------------- ### Test pf.conf Syntax Without Loading Rules Source: https://github.com/robertdavidgraham/masscan/wiki/macOS:-how-to-set-firewall-rules-to-prevent-RSTs This command checks the syntax of the /etc/pf.conf file for errors without actually loading the new firewall rules. It's a crucial step to ensure your configuration is valid before applying it. ```shell pfctl -vnf /etc/pf.conf ``` -------------------------------- ### Masscan Self-Test and Regression Testing Source: https://context7.com/robertdavidgraham/masscan/llms.txt This section covers built-in testing procedures for masscan. It includes running a quick self-test, performing a full regression test after building from source, and testing specific components like randomization and configuration parsing. ```bash # Run built-in self-test masscan --selftest # Build and test from source make clean make -j8 make regress # Test specific functionality masscan --regress # Verify randomization algorithm masscan --test-random # Check configuration parsing masscan -p80 10.0.0.0/8 --echo ``` -------------------------------- ### Load Firewall Rules from pf.conf Source: https://github.com/robertdavidgraham/masscan/wiki/macOS:-how-to-set-firewall-rules-to-prevent-RSTs This command loads the firewall rules defined in the /etc/pf.conf file into the active pf firewall. After this command, the rules you added will be enforced. ```shell pfctl -f /etc/pf.conf ``` -------------------------------- ### Mixed IPv4 and IPv6 Target List Scanning Source: https://context7.com/robertdavidgraham/masscan/llms.txt This demonstrates scanning a file containing a mix of both IPv4 and IPv6 addresses and subnets. Masscan can parse and process such combined lists for comprehensive network discovery. ```bash # Mixed IPv4 and IPv6 target file cat > mixed_targets.txt << 'EOF' 10.0.0.0/24 192.168.1.0/24 2001:db8::/48 2606:2800:220:1::/64 EOF masscan --includefile mixed_targets.txt -p80,443 -oX mixed_scan.xml ``` -------------------------------- ### Local Network Performance Test with Bogus MAC Source: https://context7.com/robertdavidgraham/masscan/llms.txt This test simulates network traffic locally by using a bogus MAC address for the router. Packets are generated but do not leave the local machine, allowing for performance benchmarking without external network activity. ```bash # Local network test with bogus MAC (packets stay local) masscan 0.0.0.0/4 -p80 \ --rate 100000000 \ --router-mac 66-55-44-33-22-11 ``` -------------------------------- ### Masscan File Output to XML Conversion Source: https://github.com/robertdavidgraham/masscan/blob/master/doc/howto-afl.md Demonstrates a two-step process to convert Masscan's proprietary binary scan format (.mass) to XML format. This involves first outputting the scan to a .mass file and then reading that file to convert it to XML. ```shell masscan -ob scan.mass masscan --readscan scan.mass -oX scan.xml ``` -------------------------------- ### Basic Network Scan (Bash) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Scans specified IPv4 and IPv6 subnets for a range of ports. It's useful for internal network reconnaissance or targeting specific IP ranges. The output lists discovered open ports. ```bash # Scan 10.0.0.0/8 subnet for port 80 and ports 8000-8100 masscan -p80,8000-8100 10.0.0.0/8 # Scan both IPv4 and IPv6 simultaneously masscan -p80,8000-8100 10.0.0.0/8 2603:3001:2d00:da00::/112 # Expected output (to stdout): # Discovered open port 80/tcp on 10.0.45.23 # Discovered open port 8080/tcp on 10.0.67.89 # Discovered open port 80/tcp on 2603:3001:2d00:da00::5 ``` -------------------------------- ### FreeBSD/Older MacOS ipfw Rule for Masscan Banner Check Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md This command configures `ipfw` on FreeBSD and older macOS systems to deny incoming TCP traffic on a specific port, thus bypassing the local TCP/IP stack for Masscan banner grabbing. The port used should be outside the system's ephemeral port range. ```bash # sudo ipfw add 1 deny tcp from any to any 40000 in # masscan 10.0.0.0/8 -p80 --banners --source-port 40000 ``` -------------------------------- ### Randomized IP and Port Selection using Encryption Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Explains how Masscan employs an encryption function to randomize the index variable before selecting IP addresses and ports. This ensures a more even distribution of traffic across targets, preventing overwhelming specific network segments. ```c range = ip_count * port_count; for (i = 0; i < range; i++) { x = encrypt(i); ip = pick(addresses, x / port_count); port = pick(ports, x % port_count); scan(ip, port); } ``` -------------------------------- ### Display Current Firewall Rules Source: https://github.com/robertdavidgraham/masscan/wiki/macOS:-how-to-set-firewall-rules-to-prevent-RSTs This command displays the currently active firewall ruleset. It's used to verify that the rules added from /etc/pf.conf have been successfully loaded and are visible. ```shell pfctl -s rules ``` -------------------------------- ### High-Speed Internet Scan with Rate Limiting (Bash) Source: https://context7.com/robertdavidgraham/masscan/llms.txt Performs an Internet-wide scan with controlled packet transmission rates and exclusion lists. This is suitable for large-scale scans where network impact needs to be managed. Results can be saved in XML format. ```bash # Scan entire IPv4 Internet with rate limiting and exclusions masscan 0.0.0.0/0 -p80,443 \ --rate 100000 \ --excludefile /etc/masscan/exclude.conf \ -oX results.xml # Using configuration file approach cat > scan.conf << 'EOF' # Internet-wide HTTPS scan rate = 100000.00 output-format = xml output-filename = scan.xml ports = 443 range = 0.0.0.0-255.255.255.255 excludefile = /etc/masscan/exclude.conf EOF masscan -c scan.conf # Sample exclude.conf content: # 10.0.0.0/8 # 192.168.0.0/16 # 172.16.0.0/12 # 127.0.0.0/8 ``` -------------------------------- ### Retransmission Interval Calculation Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Shows a simple method for calculating the interval between retransmitted packets. It uses the 'rate' variable (packets per second) to determine an appropriate delay, aiming to avoid sending consecutive packets too close together. ```c ip = pick(addresses, i + rate); scan(ip); ``` -------------------------------- ### Enable the pf Firewall Source: https://github.com/robertdavidgraham/masscan/wiki/macOS:-how-to-set-firewall-rules-to-prevent-RSTs This command enables the Packet Filter (pf) firewall on macOS. It must be run before loading new rulesets to ensure the firewall is active and processing traffic. ```shell pfctl -e ``` -------------------------------- ### Test Masscan with Banners Source: https://github.com/robertdavidgraham/masscan/wiki/macOS:-how-to-set-firewall-rules-to-prevent-RSTs This command runs Masscan against a target IP address (10.0.0.50) on port 80, attempting to retrieve banners. Successful banner retrieval indicates that the firewall and Masscan configurations are working correctly. ```shell masscan 10.0.0.50 -p80 --banners ``` -------------------------------- ### Specify Ports to Scan with Masscan Source: https://github.com/robertdavidgraham/masscan/wiki/ports This command demonstrates how to specify a range of ports (20-25) and an individual port (80) for Masscan to scan. It utilizes the '-p' flag for port specification. ```bash # masscan -p20-25,80 ``` -------------------------------- ### Masscan Local Network Performance Test Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Tests Masscan's performance by sending a high rate of packets to a specified port on a broad IP range. The `--router-mac` option is used to keep traffic on the local network, preventing it from going to the internet. This is useful for assessing local network throughput. ```bash $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11 ``` -------------------------------- ### Masscan Offline Performance Test Source: https://github.com/robertdavidgraham/masscan/blob/master/README.md Tests Masscan's performance in offline mode, which measures the program's speed without network transmission overhead. This benchmark provides an estimate of the program's raw processing speed, similar to how it would perform with PF_RING. It's useful for understanding the software's inherent performance. ```bash $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline ``` -------------------------------- ### Run Masscan Selftest Source: https://github.com/robertdavidgraham/masscan/wiki/Regression-testing-(selftest) Executes a regression and unit test suite covering over 90% of Masscan's code paths. This is an offline test and does not generate any network packets. It should be run after building Masscan. ```bash masscan --selftest ``` -------------------------------- ### Heartbleed Vulnerability Scan Source: https://context7.com/robertdavidgraham/masscan/llms.txt This command specifically targets the Heartbleed vulnerability by scanning port 443 with the --heartbleed flag. It also sets a custom source port to potentially evade detection. ```bash # Heartbleed vulnerability check (requires banner checking setup) masscan 10.0.0.0/8 -p443 \ --heartbleed \ --source-port 61000 \ -oX heartbleed.xml ```