Exercise 24: Network Scanning with Masscan

Jan 24, 2025

Objective

Learn how to use Masscan for high-speed network scanning and analyze its output. Compare the results with Nmap to verify accuracy and understand when to use Masscan for large-scale reconnaissance.

Scenario

As a penetration tester, you need to conduct a fast and comprehensive scan of a large network to identify open ports and services. Traditional scanners like Nmap can be slower on large networks. In this exercise, you’ll use Masscan to perform a high-speed network scan and compare its results with Nmap to evaluate its accuracy and efficiency.

⚠️ Important: Perform this exercise in a legal and controlled environment. Unauthorized network scanning is illegal and unethical.


Lab Instructions

Step 1: Install Masscan

On a Linux system, install Masscan:

sudo apt update 
sudo apt install masscan -y

Verify the installation:

masscan --version

Step 2: Perform a High-Speed Network Scan

Scan the subnet 192.168.1.0/24 for open ports (e.g., port 80 for HTTP):

sudo masscan 192.168.1.0/24 -p80 --rate=1000

-p80: Scans port 80.

--rate=1000: Sends 1000 packets per second (Masscan's default is 100; raise or lower it to suit the link and the targets).

Scan multiple ports:

sudo masscan 192.168.1.0/24 -p1-1000 --rate=500

Scans ports 1-1000 at a rate of 500 packets per second.

Step 3: Analyze Masscan Output

Example output:

Discovered open port 80/tcp on 192.168.1.10 
Discovered open port 22/tcp on 192.168.1.15

By default Masscan reports only which ports answered with a SYN/ACK; it does no service or version detection. It can grab raw banners with --banners, but that is not a substitute for Nmap's -sV.

Step 4: Verify Results with Nmap

Use Nmap to confirm the Masscan results, restricting it to the ports Masscan reported and adding version detection so the second pass also tells you what is listening:

sudo nmap -sV -p 22,80 192.168.1.10 192.168.1.15

-sV: Probes each open port to identify the service and version, which Masscan does not do. Add -O for OS fingerprinting.

Compare the open ports reported by both tools. A port Masscan reported open that Nmap shows closed or filtered needs a closer look (see Limitations below). Re-scanning the whole subnet with Nmap (sudo nmap -sV -p 22,80 192.168.1.0/24) shows whether Masscan missed any hosts at the chosen rate.

Step 5: Advanced Masscan Usage

Scan for multiple services:

sudo masscan 192.168.1.0/24 -p21,22,23,80,443 --rate=1000

Save scan results to a file:

sudo masscan 192.168.1.0/24 -p1-1000 --rate=500 -oG masscan_results.txt

-oG: Saves results in Nmap-style grepable format. The file does not contain the "Discovered open port" lines shown on the console; each hit is written as a Host: ... Ports: line, one line per open port. Masscan also supports -oL (simple list), -oJ (JSON), -oX (XML) and -oB (binary, read back with --readscan).


Solution & Explanation

How Masscan Works

  • Masscan is a stateless SYN scanner with its own user-space TCP/IP stack: it transmits probes asynchronously at a fixed --rate, in randomized target order, and matches SYN/ACK replies as they arrive instead of tracking a connection per target.
  • Its author's figure is about 10 million packets per second from a single machine with suitable hardware, enough to scan the whole IPv4 address space for one port in under six minutes. On an ordinary NIC and link, rates in the thousands of packets per second are realistic.

Comparison: Masscan vs. Nmap

Feature          Masscan                                   Nmap
Speed            Extremely fast                            Slower, thorough
Output           Open ports only (raw banners with --banners)  Detailed service and version info
Customization    Limited service detection                 Extensive scanning options and scripts
Use Case         Large-scale scanning                      Detailed vulnerability assessment

Use Cases for Masscan

  • Internet-wide scanning for open ports.
  • Large internal networks where speed is critical.
  • Initial reconnaissance before deep scanning with Nmap.

Limitations of Masscan

  • No version detection: it reports open ports only, plus raw banners if you add --banners; identifying the service and version is Nmap's job (-sV).
  • Requires root, because it sends raw packets from its own network stack.
  • Results degrade at high rates: when the link, an intermediate device or the scanner itself drops packets, open ports are simply missed, and firewalls or IPS devices that answer SYN/ACK on every port produce false "open" results. Either way, cross-check with Nmap before acting on the list.

Testing & Verification

  • Confirm that Masscan identifies open ports correctly.
  • Cross-check results with Nmap to verify accuracy.
  • Adjust scanning rates and observe the impact on detection speed.
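Step 4 and the checks above leave the actual comparison to the reader. The following Python script is an added example, not part of the original exercise: it parses Masscan's -oG file, builds the per-host Nmap verification commands, parses the Nmap -oX result and reports which Masscan ports Nmap confirmed, which it did not, and which Nmap found open that Masscan missed. The two result files embedded in it are constructed samples, not real scan output; the host addresses and file names are illustrative.

```python
"""Cross-check Masscan results against Nmap (added example, not the page's code).

Parses a Masscan grepable (-oG) file, emits one Nmap command per host limited
to the ports Masscan reported, then parses Nmap XML (-oX) and classifies each
port as confirmed / not confirmed / missed by Masscan.
"""
import re
import shlex
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `masscan ... -oG masscan_results.txt` (not real output).
# Masscan writes one "Host:" line per discovered port.
MASSCAN_OG = """\
# Masscan 1.3.2 scan initiated Fri Jan 24 10:00:00 2025
# Ports scanned: TCP(1000;1-1000) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 192.168.1.10 ()\tPorts: 80/open/tcp////
Host: 192.168.1.10 ()\tPorts: 443/open/tcp////
Host: 192.168.1.15 ()\tPorts: 22/open/tcp////
Host: 192.168.1.15 ()\tPorts: 23/open/tcp////
# Masscan done at Fri Jan 24 10:00:05 2025
"""

# Constructed sample of an `nmap -sV -oX` run against the same hosts with a
# wider port list. Nmap did not confirm 23/tcp on .15 and found 8080/tcp on
# .10, which Masscan had missed (e.g. a reply dropped at high --rate).
NMAP_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.15" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
    </ports></host>
</nmaprun>
"""

# "Host: <ip> (<name>)<tab>Ports: <port>/<state>/<proto>////"
OG_LINE = re.compile(r"^Host:\s+(\S+)\s+\S*\s*Ports:\s+(\d+)/(\w+)/(\w+)")


def parse_masscan_grepable(text):
    """Return {ip: {(port, proto), ...}} for ports Masscan reported open."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = OG_LINE.match(line)
        if m and m.group(3) == "open":
            found[m.group(1)].add((int(m.group(2)), m.group(4)))
    return dict(found)


def nmap_verify_commands(found, extra_args=("-sV",)):
    """One Nmap command per host, checking only the ports Masscan reported."""
    cmds = []
    for ip in sorted(found, key=lambda a: tuple(int(x) for x in a.split("."))):
        ports = ",".join(str(p) for p, _ in sorted(found[ip]))
        cmds.append(["nmap", *extra_args, "-p", ports, "-oX", f"nmap_{ip}.xml", ip])
    return cmds


def parse_nmap_xml(text):
    """Return {ip: {(port, proto): (state, service_name)}} from Nmap -oX output."""
    result = defaultdict(dict)
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            key = (int(port.get("portid")), port.get("protocol"))
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            result[addr.get("addr")][key] = (port.find("state").get("state"), name)
    return dict(result)


def compare(masscan, nmap):
    """Classify ports: confirmed by Nmap, not confirmed, or missed by Masscan."""
    confirmed, unconfirmed, missed = [], [], []
    for ip, ports in masscan.items():
        for key in sorted(ports):
            state, name = nmap.get(ip, {}).get(key, ("unscanned", ""))
            (confirmed if state == "open" else unconfirmed).append((ip, key, state, name))
    for ip, ports in nmap.items():
        for key, (state, name) in ports.items():
            if state == "open" and key not in masscan.get(ip, set()):
                missed.append((ip, key, state, name))
    return confirmed, unconfirmed, missed


if __name__ == "__main__":
    masscan = parse_masscan_grepable(MASSCAN_OG)
    for cmd in nmap_verify_commands(masscan):
        print("would run:", shlex.join(cmd))
    confirmed, unconfirmed, missed = compare(masscan, parse_nmap_xml(NMAP_XML))
    for label, rows in (("confirmed", confirmed), ("NOT confirmed", unconfirmed),
                        ("missed by masscan", missed)):
        for ip, (port, proto), state, name in rows:
            print(f"{label:18} {ip}:{port}/{proto}  nmap={state} {name}")
```

In a real run, replace the embedded samples with the contents of the -oG file from Step 5 and the XML files the printed Nmap commands produce. The "NOT confirmed" list is where the firewall-answers-everything false positives surface; the "missed by masscan" list grows as you push --rate beyond what the path can carry.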

Security Best Practices

  1. Scan Responsibly: Obtain permission before scanning networks.
  2. Adjust Scan Rates: Avoid overwhelming the network (--rate option).
  3. Combine Tools: Use Masscan for initial scans and Nmap for detailed analysis.
  4. Monitor Logs: On the systems you scanned, check firewall, IDS and server logs to see how the scan appears; a high-rate Masscan sweep is easy to spot, which is why detection teams alert on it.

Additional Script (Optional)

Automate Masscan scanning and result verification with Nmap (save it as masscan_nmap_scan.sh):

#!/bin/bash
# Fast scan with Masscan and verify the discovered hosts with Nmap
set -euo pipefail

NETWORK="192.168.1.0/24"
PORTS="1-1000"
RATE="500"
OUT="masscan_results.txt"

# Run Masscan with grepable output. The -oG file does not contain the
# "Discovered open port ..." console lines; each hit is written as
#   Host: 192.168.1.10 ()   Ports: 80/open/tcp////
sudo masscan "$NETWORK" -p"$PORTS" --rate="$RATE" -oG "$OUT"

echo "Masscan scan completed. Verifying with Nmap..."

# Extract the unique host IPs (second field of the "Host:" lines) and
# re-scan each one with Nmap, adding service/version detection.
awk '/^Host:/ {print $2}' "$OUT" | sort -u | while read -r ip; do
  sudo nmap -sV -p "$PORTS" "$ip"
done

Run the script:

chmod +x masscan_nmap_scan.sh
sudo ./masscan_nmap_scan.sh

Conclusion

In this exercise, you used Masscan to perform high-speed network scanning and analyzed the results. You compared its output with Nmap to verify accuracy and explored how Masscan’s speed makes it ideal for large-scale reconnaissance. Combining Masscan for initial scans and Nmap for detailed analysis ensures efficient and effective network assessments.
