LabEx
Log InJoin For Free

Scan Ports in Masscan

NmapNmapBeginner
Practice Now

Introduction

In this lab, you will learn how to use Masscan, a high-performance TCP port scanner, for efficient network reconnaissance in cybersecurity. You'll practice installing Masscan from source, configuring scanning parameters, and analyzing results on private network ranges.

The exercises will guide you through target definition, scan execution, and result interpretation. By completing this lab, you'll gain hands-on experience with Masscan's rapid scanning capabilities while maintaining ethical scanning practices.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/common_ports("Common Ports Scanning") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/service_detection("Service Detection") subgraph Lab Skills nmap/common_ports -.-> lab-549946{{"Scan Ports in Masscan"}} nmap/save_output -.-> lab-549946{{"Scan Ports in Masscan"}} nmap/port_scanning -.-> lab-549946{{"Scan Ports in Masscan"}} nmap/target_specification -.-> lab-549946{{"Scan Ports in Masscan"}} nmap/service_detection -.-> lab-549946{{"Scan Ports in Masscan"}} end

Install Masscan

In this step, you will install Masscan, a high-performance TCP port scanner, on your LabEx VM environment. Masscan is known for its ability to scan the entire internet in minutes by utilizing asynchronous transmission and its own custom TCP/IP stack. Unlike traditional scanners, Masscan doesn't rely on the operating system's network stack, which allows it to achieve remarkable scanning speeds.

Before proceeding, let's make sure we're in the right working directory. The ~/project directory is where we'll organize all our scanning-related files:

cd ~/project

Masscan requires several dependencies to be installed first. These include development tools and libraries needed to compile the source code. The following command will update your package list and install the necessary components:

sudo apt-get update && sudo apt-get install -y git make gcc libpcap-dev

Now we'll download the Masscan source code from its official GitHub repository. Cloning the repository gives us the latest version of the code:

git clone https://github.com/robertdavidgraham/masscan

After downloading, we need to compile the source code to create the executable program. The make command reads the Makefile in the directory and builds the software:

cd masscan && make

Once compilation completes successfully, we can verify everything works by checking the installed version. This is a good practice to confirm the installation was successful:

./bin/masscan --version

You should see output similar to:

Masscan version 1.3.2

Finally, to make Masscan easily accessible from any directory, we'll copy it to /usr/local/bin/, which is typically included in the system's PATH environment variable:

sudo cp bin/masscan /usr/local/bin/

This completes the installation process. You now have Masscan ready to use for high-speed port scanning in the following steps of this lab.

Define a Target Range

In this step, you will define a target IP range for your port scanning operation. Understanding target ranges is fundamental in network scanning - it tells the scanner which network addresses to examine. Masscan requires specific target ranges to scan efficiently because it's designed for high-speed operations across large networks.

For learning purposes, we'll use private IP ranges defined in RFC 1918. These are safe, non-routable addresses commonly used in local networks, so we avoid accidentally scanning real internet hosts. The three main private ranges we'll use are:

  1. 10.0.0.0/8 - The largest private block, often used by corporations
  2. 172.16.0.0/12 - Medium-sized range frequently seen in enterprise networks
  3. 192.168.0.0/16 - The most common range for home and small office networks

First, let's navigate to our working directory where we'll store our target list:

cd ~/project

Now we'll create a text file to store our target ranges. We're using nano as our text editor because it's simple and available in most Linux environments:

nano targets.txt

In the editor, add these three standard private ranges (press Ctrl+O to save your changes, then Ctrl+X to exit nano):

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

The CIDR notation (/8, /12, /16) specifies how many IP addresses are in each range:

  • /8 means the first 8 bits are fixed (10.x.x.x)
  • /12 fixes the first 12 bits (172.16.x.x to 172.31.x.x)
  • /16 fixes the first 16 bits (192.168.x.x)

Let's verify our targets file was created correctly by displaying its contents:

cat targets.txt

You should see the three CIDR ranges listed exactly as entered. This file will serve as input for Masscan in the next steps, telling it which networks to scan.

Run a HighSpeed Port Scan

In this step, you will execute a high-speed port scan using Masscan against the target ranges defined in the previous step. Port scanning is a fundamental network reconnaissance technique that helps identify accessible services on target systems. Masscan's unique architecture allows it to scan thousands of ports per second while maintaining accuracy, making it ideal for scanning large networks quickly.

First, ensure you're in the correct working directory where your target file is located. This ensures Masscan can access your predefined target list:

cd ~/project

Now let's run the actual scan. The following Masscan command will scan the most common ports (1-1000) on your target ranges. These ports typically include well-known services like web servers (80, 443), email (25, 110), and other frequently used protocols:

sudo masscan -p1-1000 -iL targets.txt --rate 1000 -oG scan_results.gnmap

Let's break down each part of this command to understand what it does:

  • -p1-1000: Specifies the port range to scan (ports 1 through 1000)
  • -iL targets.txt: Reads target IP addresses from your predefined list file
  • --rate 1000: Controls the scan speed (1000 packets per second is safe for learning environments)
  • -oG scan_results.gnmap: Saves results in grepable format for easy analysis

While scanning, you'll see real-time output showing progress. This helps you monitor the scan's status and estimated completion time:

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-01-01 00:00:00 GMT
Initiating SYN Stealth Scan
Scanning 3 hosts [1000 ports/host]

After completion (typically under 1 minute for small networks), you can view your scan results. The grepable format makes it easy to identify open ports and services:

cat scan_results.gnmap

The output will show discovered open ports in this clear format, with each line representing a host and its open ports:

Host: 10.0.0.1 ()   Ports: 80/open/tcp//http///, 443/open/tcp//https///

Review Open Ports

In this step, you will analyze the scan results from the previous port scan to identify open ports and their associated services. Open ports are like doors in a network - when they're open, they allow communication between devices. Understanding which ports are open is essential for network security because each open port could potentially be an entry point for both legitimate traffic and security threats.

First, let's navigate to the directory where your scan results are stored. This ensures we're working with the correct data files:

cd ~/project

To view the complete scan results in their raw format, we'll use the cat command. This shows everything Masscan recorded, including closed ports and scan metadata:

cat scan_results.gnmap

Since we're primarily interested in open ports, we can filter the results using grep. This command will show only lines containing the word "open", making it easier to spot active services:

grep "open" scan_results.gnmap

For better organization, we can display the results with IP addresses clearly associated with their open ports. The awk command helps restructure the output to show which ports are open on which specific hosts:

awk '/Host:/ {ip=$2} /open/ {print ip,$0}' scan_results.gnmap

If you want to check how many hosts have a particular port open (for example, the common web port 80), this grep command with the -c flag will give you a count:

grep -c "80/open" scan_results.gnmap

Finally, to get a comprehensive overview of all open ports across your scanned network range, this pipeline will count occurrences of each open port. The command sorts the ports and shows how many times each appears:

grep -oP '\d+/open' scan_results.gnmap | sort | uniq -c

Example output might look like this, showing three hosts with SSH (port 22) open, five with HTTP (port 80), and two with HTTPS (port 443):

   3 22/open
   5 80/open
   2 443/open

Export Scan Results

In this step, you will learn how to export your Masscan results into different file formats. Exporting scan data properly is crucial because it allows you to analyze the findings, share reports with team members, or feed the data into other security tools. We'll create three common formats: CSV for spreadsheet analysis, plain text for quick review, and JSON for automated processing.

First, navigate to your project directory where the scan results are stored. This ensures all exported files will be saved in the correct location:

cd ~/project

The first conversion creates a CSV (Comma-Separated Values) file. CSV is ideal for importing into spreadsheet software like Excel. The awk command extracts the IP address, port number, and service name from the grepable format file:

awk -F'[ /]' '/Host:/ {ip=$2} /open/ {print ip","$4","$7}' scan_results.gnmap > scan_results.csv

Next, we'll generate a simple text report that's easy to read in terminal or text editors. This format is useful when you need to quickly check which hosts have open ports without opening a spreadsheet:

grep "open" scan_results.gnmap | awk '{print "Host:", $2, "Port:", $4}' > scan_report.txt

For integration with other tools or scripts, we'll create a JSON file. JSON is a structured format that most programming languages can easily parse. The commands below build a proper JSON array with all scan results:

echo '[' > scan_results.json
grep "open" scan_results.gnmap | awk '{print "{\"host\":\""$2"\",\"port\":\""$4"\",\"service\":\""$7"\"},"}' >> scan_results.json
sed -i '$ s/,$//' scan_results.json
echo ']' >> scan_results.json

Finally, verify all exported files were created successfully. This command lists the files with their sizes so you can confirm the exports worked as expected:

ls -l scan_results.* scan_report.txt

You should see output similar to:

-rw-r--r-- 1 labex labex 1234 scan_results.csv
-rw-r--r-- 1 labex labex 5678 scan_results.json
-rw-r--r-- 1 labex labex 9012 scan_report.txt

Summary

In this lab, you have learned how to perform high-speed port scanning using Masscan, from installation to target preparation. The process included setting up dependencies, compiling the source code, and configuring private IP ranges for safe practice.

You've gained practical knowledge of Masscan's asynchronous scanning capabilities and CIDR notation usage. The lab emphasized ethical scanning practices by focusing on non-routable addresses, preparing you for real-world network analysis scenarios.

Related Nmap Courses
Quick Start with Nmap

Quick Start with Nmap

CybersecurityNmap
Beginner