I’m sure everyone is already using Masscan and I’m the last one to jump on the bandwagon. Honestly, I don’t know how I got anything done before finding this tool. If you’re not aware, Masscan is an asynchronous, TCP network port scanner. It’s an incredibly fast tool that can be used to quickly identify live services to target testing efforts.
If you’re familiar with NMAP, several of the commands and the output are the same. If you’ve taken any of TrustedSec’s learning courses, you may have learned some common Intrusion Detection Systems (IDS) evasion techniques, which can also be used with Masscan.
One of the first things you’ll need to know when using Masscan is that it can be configured to send so many packets that it becomes a Denial-of-Service (DoS) tool. In initial testing, I crashed my VMware networking core services several times until I found some safe packet rates. It can also fill up state tables on physical routers if the rate is too high.
A limitation of Masscan is that, due to its custom network stack, it’s not very good at grabbing service banners, if that sort of thing is important to you. As with other wrappers out there, I like to use the power of NMAP to fill this gap.
To combine the strengths of both tools, I created a wrapper script that TrustedSec has been using internally over the past year and is now releasing publicly.
This wrapper script implements all of the IDS evasion techniques and service discovery methodologies that I’ve learned over my years of pentesting. It also takes care of the packet rates, depending on the selected options (external, internal, single port, full port, etc.). The README.md also includes references for several commonly exploited services.
The scans can be run successively. So, you may want to run the small port scan first, then run the medium port scan. You may also want to change the target hosts that you’re looking to scan. Each scan will simply add to the final output.
Once completed, all live hosts are broken out by port in the ‘live_hosts’ directory. Full XML results for Masscan and NMAP scans are broken out in their respective directories. All XML output is combined to spoonmap_output.xml, which can be imported to any other frameworks that support it, such as Metasploit or aquatone for further enumeration. Finally, all discovered hosts are saved to all_live_hosts.txt, which can also be used for further enumeration.
Hopefully you find this tool useful and it helps you get to hacking quickly. As always, go forth and hack responsibly!