LabEx
Log InJoin Free

Scan Ports with Masscan

NmapBeginner
Practice Now

Introduction

In this lab, you will learn how to use Masscan, a high-performance TCP port scanner, for efficient network reconnaissance. You will gain hands-on experience by installing Masscan from its source code, configuring scanning parameters, executing scans on private network ranges, and analyzing the results.

By the end of this lab, you will be proficient in defining targets, running high-speed scans, interpreting the output to identify open ports, and exporting your findings into common formats for reporting and further analysis.

Install Masscan from Source

In this first step, you will compile and install Masscan. Masscan is an incredibly fast port scanner, capable of scanning the entire internet in minutes. We will install it from its source code to ensure we are using the latest version. The necessary build tools and libraries have been pre-installed in your environment.

First, ensure you are in the ~/project directory, which is the designated workspace for this lab.

cd ~/project

Next, download the Masscan source code from its official GitHub repository using git.

git clone https://github.com/robertdavidgraham/masscan --depth 1

This command creates a new directory named masscan containing the source code. Navigate into this directory.

cd masscan

Now, compile the source code using the make command. This command reads the Makefile in the directory and builds the executable binary.

make

After the compilation finishes, you will find the masscan executable inside the bin directory. You can verify the build by checking its version.

./bin/masscan --version

You should see output similar to this:

Masscan version 1.3.9-integration ( https://github.com/robertdavidgraham/masscan )
Compiled on: Aug 29 2025 11:15:09
Compiler: gcc 11.4.0
OS: Linux
CPU: x86 (64 bits)
GIT version: unknown

Finally, to make the masscan command available system-wide, install it into a standard location like /usr/local/bin. The provided Makefile includes an install target that handles this for you.

sudo make install

This command copies the masscan binary to /usr/local/bin/, which is in your system's PATH. You can now run Masscan from any directory.

Verify the installation:

masscan --version

If you see the version number, Masscan is installed correctly.

Define a Target Range

Before running a scan, you must define which IP addresses you want to target. For this lab demonstration, we will focus on a small subset of private IP address ranges to ensure quick execution. Scanning these limited internal ranges is a safe and efficient practice for learning purposes.

We will create a file to list our target ranges. First, make sure you are in the main project directory.

cd ~/project

Now, use the nano text editor to create a file named targets.txt.

nano targets.txt

Inside the nano editor, add the following small IP ranges for demonstration purposes, each on a new line. These ranges are written in CIDR (Classless Inter-Domain Routing) notation, which is a compact way to represent a block of IP addresses.

192.168.1.0/24
172.17.0.0/24
10.0.0.0/24

To save the file in nano, press Ctrl+O, then press Enter to confirm the filename. To exit nano, press Ctrl+X.

After saving the file, you can verify its contents using the cat command.

cat targets.txt

The output should display the three small CIDR ranges you just entered.

192.168.1.0/24
172.17.0.0/24
10.0.0.0/24

This file will now serve as the input for Masscan, telling it which networks to scan in the next step. These smaller ranges (each containing only 256 IP addresses) will make the scan complete much faster, typically in under a minute.

Run a High-Speed Port Scan

With Masscan installed and your targets defined, you are ready to perform a port scan. In this step, you will run a demonstration scan on common ports using the smaller IP ranges we defined, ensuring the scan completes quickly for learning purposes.

Ensure you are in the ~/project directory where your targets.txt file is located.

cd ~/project

Now, execute the following masscan command. This command requires sudo because Masscan uses raw sockets to send packets, which requires elevated privileges.

sudo masscan -p22,80,443,8080 -iL targets.txt --rate 1000 -oG scan_results.gnmap

Let's break down the command's options:

  • -p22,80,443,8080: Specifies common ports to scan (SSH, HTTP, HTTPS, and alternative HTTP). This focused approach ensures faster completion.
  • -iL targets.txt: Tells Masscan to read the target IP ranges from the targets.txt file.
  • --rate 1000: Sets the packet transmission rate to 1000 packets per second. This is a safe rate for a lab environment.
  • -oG scan_results.gnmap: Saves the output in "grepable" format to a file named scan_results.gnmap. This format is easy to parse with command-line tools.

While the scan is running, Masscan will display its progress. With our smaller target ranges, the scan should complete in under a minute.

Starting masscan 1.3.9-integration (http://bit.ly/14GZzcT) at 2025-08-29 03:20:16 GMT
Initiating SYN Stealth Scan
Scanning 768 hosts [4 ports/host]

Once the scan is complete, a new file named scan_results.gnmap will be in your directory. You can view its contents with the cat command.

cat scan_results.gnmap

The output will list any hosts found with open ports. Since we are scanning small private ranges within a container environment, you may find some open ports on the Docker bridge network. Any discovered open ports will appear in a format similar to this:

## Masscan 1.3.9-integration scan initiated Fri Aug 29 03:20:16 2025
## Ports scanned: TCP(4;22-22,80-80,443-443,8080-8080) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1756437619   Host: 172.17.0.1 ()     Ports: 22/open/tcp//ssh//
## Masscan done at Fri Aug 29 03:20:31 2025

The scan results show that we scanned 768 hosts across 4 specific ports (22, 80, 443, 8080) and completed the scan in about 15 seconds. In this example, Masscan found one open port - SSH (port 22) on the Docker bridge gateway at 172.17.0.1. This demonstrates Masscan's ability to quickly discover open services in network ranges.

Key points about the output format:

  • The timestamp shows when each discovery was made
  • The format Host: IP () Ports: port/status/protocol//service// provides clear service identification
  • Masscan found the SSH service running on the Docker bridge, which is a typical finding in containerized environments

Review Open Ports

After running a scan, the next step is to analyze the results to identify open ports. The scan_results.gnmap file contains all the information, but it can be processed with other tools to extract the most relevant data.

First, ensure you are in the ~/project directory.

cd ~/project

The .gnmap format is designed to be easily parsed. To quickly find all lines corresponding to open ports, you can use the grep command.

grep "open" scan_results.gnmap

This command filters the file and displays only the lines that contain the word "open". The output will look something like this, listing each host and its open ports.

Timestamp: 1756437619   Host: 172.17.0.1 ()     Ports: 22/open/tcp//ssh//

To get a quick summary of which ports are most commonly open across the scanned networks, you can create a command pipeline. The following command extracts only the port numbers, sorts them, and then counts the unique occurrences.

grep -oP '\d+/open' scan_results.gnmap | sort | uniq -c

Let's break down this powerful one-liner:

  • grep -oP '\d+/open': Extracts only the matching parts (-o) of lines that fit the Perl-compatible regular expression (-P), which looks for digits followed by /open.
  • sort: Sorts the list of open ports alphabetically, grouping identical ports together.
  • uniq -c: Collapses adjacent identical lines and prepends a count (-c) of how many times each line occurred.

An example output might look like this, indicating one host has port 22 (SSH) open.

      1 22/open

This technique is very useful for getting a high-level overview of the services exposed on a network. In this case, we can see that SSH is the only service discovered in our scan, which is typical for Docker bridge networks where the gateway provides SSH access.

Export Scan Results

For reporting or further processing, it is often necessary to export scan results into a more structured format. In this step, you will convert your scan results into a CSV (Comma-Separated Values) file, which is easily imported into spreadsheets.

Make sure you are in the ~/project directory.

cd ~/project

We will use a combination of grep and sed to parse the .gnmap file and create a clean CSV file. sed is a powerful stream editor that can extract and reformat data using regular expressions.

Execute the following command to create scan_results.csv.

grep "open" scan_results.gnmap | sed 's/.*Host: \([^ ]*\) .*Ports: \([0-9]*\)\/open\/\([^/]*\).*/\1,\2,\3/' > scan_results.csv

Here is how this command works:

  • grep "open" scan_results.gnmap: First, it filters for lines with open ports.
  • sed 's/.*Host: \([^ ]*\) .*Ports: \([0-9]*\)\/open\/\([^/]*\).*/\1,\2,\3/': Uses a regular expression to extract the IP address, port number, and protocol from the Masscan output format and formats them as CSV.
  • > scan_results.csv: This redirects the final output into a new file named scan_results.csv.

You can now view your newly created CSV file.

cat scan_results.csv

The output will be a clean, comma-separated list of hosts and their open ports.

172.17.0.1,22,tcp

This structured format is ideal for sharing with team members, importing into databases, or using as input for other security tools. The CSV format shows IP address, port number, and protocol in an easily readable format.

Summary

In this lab, you have successfully learned the fundamentals of using Masscan for high-speed network scanning. You practiced the entire workflow, from installing the tool from source code to analyzing and exporting the results.

You have gained hands-on experience with:

  • Compiling and installing software from source on Linux.
  • Defining scan targets using CIDR notation.
  • Executing port scans with specific parameters for ports, rate, and output format.
  • Analyzing scan results using command-line tools like grep, sort, and uniq.
  • Exporting data into a structured CSV format for reporting.

These skills provide a solid foundation for performing network reconnaissance in a fast, efficient, and responsible manner.

Related Nmap Courses
Nmap for Beginners

Nmap for Beginners

cybersecuritynmaplinux
Hands-On Network Scanning with Nmap on Linux

Hands-On Network Scanning with Nmap on Linux

cybersecuritynmaplinux
Nmap Scanning and Telnet Access

Nmap Scanning and Telnet Access

cybersecuritynmaplinux