masscan | Cheatsheet¶

Install net-analyzer/masscan

Gentoo

emerge --ask net-analyzer/masscan

Testing --rate speeds

Slow speed - 10 packets (~1kbit)Slow speed - 10 packets (~1kbit)Medium speed - 100 packets (~6-7KB/s)Medium speed - 1000 packets (~66KB/s)Medium speed - 10000 packets (~655kb/s)Medium speed - 10000 packets (~6mb/s)Max speed - 1000000 (~37mb/s)

masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 1 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

 masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 10 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

 masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 100 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

 masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 1000 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 10000 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 100000 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

masscan 90.224.0.0-90.239.255.255 \
    --port 80 \
    --banner \
    --exclude 255.255.255.255 \
    -vvv \
    --max-rate 1000000 \
    --http-user-agent "(Amiga  v1; Win64; x64; rv:67.0)"

Print to stdout¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG -

Print to stdout: `IP: xx.xx.xx.xx up`¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG - | awk '/open/ {print "IP:", $4, "up"}'

Print "UP" in green for hosts with open ports and "CLOSED" in red for hosts with closed ports¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG - | awk '\
    /open/ {
        print "IP:", $4, "\033[0;32mUP\033[0m"
    }
    /closed/ {
        print "IP:", $4, "\033[0;31mCLOSED\033[0m"
    }'

Print "OPEN" and "CLOSED" with colorization¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG - | awk '\
    /\/closed\// {
        sub(/\/.*$/, "", $0);
        print $4 ":" $7 "\033[0;31mCLOSED\033[0m"
    } \
    /\/open\// {
        sub(/\/.*$/, "", $0);
        print $4 ":" $7 "\033[0;32mOPEN\033[0m"
    }'

Generate Colorful Output for Open and Closed Ports¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG - | awk '\
    /\/closed\// {
        sub(/\/.*$/, "", $0);
        color = int(rand() * 256);
        printf "\033[38;5;%dm%s:%s\033[0m closed\n", color, $4, $7
    } \
    /\/open\// {
        sub(/\/.*$/, "", $0);
        color = int(rand() * 256);
        printf "\033[38;5;%dm%s:%s\033[0m open\n", color, $4, $7
    }'

Print `ip:port` and no status¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG - | awk '\
    /\/closed\// {
        sub(/\/.*$/, "", $0);
        print $4 ":" $7 "\033[0;31m\033[0m"
    } \
    /\/open\// {
        sub(/\/.*$/, "", $0);
        print $4

 ":" $7 "\033[0;32m\033[0m"
    }' | awk -F':' '{print $1 ":" $2}'

Print `ip:port` from open matches only¶

masscan 0.0.0.0/0 -p0-65535 --max-rate 100000 -oG - | awk '\
    /\/open\// {
        sub(/\/.*$/, "", $7)
        print $4 ":" $7
    }'

Scan target specification¶

masscan 10.0.0.1 
masscan 10.0.0.0/24 192.168.1.0/24

Exclude IP addresses from file¶

masscan 10.0.0.1/24 --excludeFile=foo.txt

Exclude a single IP from the scan¶

masscan 180.215.0.0/16 --exclude=180.215.122.120

Port specification with examples¶

masscan 10.0.0.0.1 -p 80
masscan 10.0.0.0.1 -p 0-65535
masscan 10.0.0.0.1 -p 80,443

UDP Scan¶

masscan 10.0.0.0.1 -pU 53

Scan in offline mode¶

masscan 0.0.0.0/24 --offline

Using the rate to send X packets per second¶

masscan 10.0.0.1/24 --rate 10000

Scan the internet at super high speeds¶

masscan 0.0.0.0/0 -p5900 -vvv --banner --exclude 255.255.255.255 --max-rate 100000 --open-only

Scan the internet at super speed but only print open ports¶

masscan 0.0.0.0/0 -p5900 -vvv --banner --exclude 255.255.255.255 --max-rate 100000 --open-only

You can use the `--source-ip` option to assign another IP and prevent¶

masscan 10.0.0.1 --banners

Assign masscan to another IP¶

masscan 10.0.0.1 --source-ip 192.168.1.200

Include a ping¶

masscan 10.0.0.1 --ping

Change the default user agent¶

masscan 10.0.0.1 --http-user-agent <user-agent>

Report only open ports¶

masscan 10.0.0.1 --open-only

Save sent packet in PCAP¶

masscan 10.0.0.1 --pcap foo.pcap

Print packets in terminal (okay at low rates but can overwhelm the terminal at high rates)¶

masscan 10.0.0.1 --packet-trace

Output in binary mode¶

massscan 10.1.1.1/24 -p 80 -oB scan.bin

Output in XML format¶

massscan 10.1.1.1/24 -p 80 -oX foo.xml

Output in grepable format¶

massscan 10.1.1.1/24 -p 80 -oG grep.txt

Output in JSON format¶

massscan 10.1.1.1/24 -p 80 -oJ foo.json

Output in simple list format¶

massscan 10.1.1.1/24 -p 80 -oL foo.list

Read a binary output and write it to the console¶

masscan --readscan bin-test.scan

Read a binary scan and convert it to another format¶

masscan --readscan bin-test.scan -oX bin-test.xml

Print only open ports¶

masscan 0.0.0.0/0 -p22 --banner --max-rate 10000 --exclude 255.255.255.255  
    --http-user-agent "Microsoft (Amiga  v1; Win64; x64; rv:67.0) Gecko/20100101 RedFox/1.0" --open-only

Complete commands¶

masscan 10.1.1.1/24 -p 0-65535 \
    --rate 1000000 \
    --open-only \
    --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
    -oL "output.txt"

Multiple target-specific scan¶

masscan <target1> <target2> <target3>  -p 80,433 \
    --rate 100000 --banners --open-only \
    --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
    --source-ip 192.168.100.200 -oL "output.txt"

masscan <target> -p 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 \
    --http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
    --rate 100000 --oL "output.txt"

sudo masscan 0.0.0.0/16 -p 22 --rate 2000 -oX output_port_22.xml