Masscan is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine. This is thanks to it being written in C, having its own ad-hoc TCP/IP stack and asynchronous transmission similar to port scanners like scanrand, unicornscan, and ZMap.
Masscan is the next tool on our list that can be used to scan for IPv6 addresses for open ports and to discover services running on them. Because of a custom ad hoc TCP/IP stack, it is recommended to set source IP address and the port number to prevent interference from the local operating system stack, when performing complex scans. Like nmap, masscan allows you to set source IP and port addresses using command line arguments.
Masscan is an extremely fast port scanner capable of scanning both IPv4 and IPv6 addresses. It finds its usage mostly in research projects to map services around the Internet and given how fast it can scan hosts, it can honestly be an overkill to scan a few hosts with masscan :)
Masscan is also capable of some level of “service detection” as it can also complete an initiated TCP connection and interact with the app/service at that port in order to grab simple "banner" information. This requires prepping the system so that masscan can intercept the responses instead of the host system’s networking stack. For additional details to do proper banner grabbing, take a look at the documentation at https://github.com/robertdavidgraham/masscan#banner-checking
Masscan supports banner checking on the following protocols:
Note: As is with any security software, make sure that the scans are conducted on the networks where you are allowed to do so with appropriate permissions.
Before we begin
Like any other IPv6 scanning tool, your system needs to support IPv6 in order to utilise Masscan’s scanning capabilities. To verify that your system and network are properly configured to have IPv6 access, you can run either of the following commands:
1. ip -6 addr
2. ifconfig | grep inet6
Setting up Masscan
Masscan runs with no issues on most Linux systems. On Debian/Ubuntu, you can simply clone the repo and build the binary using a C compiler like gcc.
sudo apt-get --assume-yes install git make gcc
git clone https://github.com/robertdavidgraham/masscan
A very cool help feature of masscan is the nmap style help menu it has. Simply invoke masscan --nmap to see the options that masscan supports which have been signed with nmap arguments to ensure familiarity.
Scanning IPv6 with Masscan
Scanning IPv6 addresses is similar to using nmap. For example, the following command will scan the IPv6 address subnet for ports 80 and 8000 to 8100.
masscan -p80,8000-8100 2603:3001:2d00:da00::/112
As mentioned earlier, although the program works for smaller networks it is actually designed for scanning really large networks, like the entire Internet.
Scanning the entire IPv6 address space is inadvisable as this will generate a lot of traffic and even if you kill the program, the packets would have already left your system.
The documentation also recommends not to scan the Internet without using an exclude list.
“Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges.”
To blacklist or exclude ranges, you can use the following syntax where exclude.txt contains a list of IP ranges to avoid:
masscan ::/0 -p0-65535 --excludefile exclude.txt
In this article we looked at masscan, which is one of the fastest port scanning tools available that comes with its own TCP/IP stack. Masscan is really easy to build and run and since it is written in C, it’s not clunky like other tools that we have seen.
This article is part of a series on scanning IPv6 addresses. Come back for our next article in the series in which we will take a look at the last IPv6 scanner in our list - v6disc.
This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. Receive alerts for Academy by subscribing here.
Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion to break into some of the most well defended networks and systems in his career spanning 15 years has earned him a lot respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform to help companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA.Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering. Certifications: CKA, CKAD, OSCP