
Mass Scan

This is a Masscan cheat sheet for active information gathering.

Target specification

# Target specification
masscan 10.0.0.1 
masscan 10.0.0.0/24 192.168.1.0/24

# Exclude the IPs/ranges listed in a file
masscan 10.0.0.1/24 --excludefile <file>

# Exclude a single IP from the scan
masscan 180.215.0.0/16 --exclude=180.215.122.120

Port specification

# Port specification
masscan 10.0.0.1 -p 80
masscan 10.0.0.1 -p 0-65535
masscan 10.0.0.1 -p 80,443

# UDP scan (UDP ports are prefixed with U:)
masscan 10.0.0.1 -pU:53

Timing and Performance

# Offline mode
# Sends no traffic at all; it only estimates how long the scan would take
masscan 0.0.0.0/24 --offline

# Set the rate to send X packets per second
masscan 10.0.0.1/24 --rate 10000

# Grab banners from services (only a few protocols are supported)
# Problem: masscan uses its own TCP/IP stack, so when the local kernel
# receives a SYN-ACK from the probed target it answers with an RST packet
# that kills the connection before the banner can be grabbed.
# Use --source-ip to scan from another (unused) IP to prevent this
masscan 10.0.0.1 --banners

# Assign masscan to another IP
masscan 10.0.0.1 --source-ip 192.168.1.200

# Include a ping
masscan 10.0.0.1 --ping

# Change the default user agent
masscan 10.0.0.1 --http-user-agent <user-agent>

# Report only open ports
masscan 10.0.0.1 --open-only

# Save sent packet in PCAP
masscan 10.0.0.1 --pcap <filename>

# Print packets in terminal (ok in low rate but RIP terminal with high rates)
masscan 10.0.0.1 --packet-trace

Output

# Output in binary mode
masscan 10.1.1.1/24 -p 80 -oB <filename>

# Output in XML format
masscan 10.1.1.1/24 -p 80 -oX <filename>

# Output in grepable format
masscan 10.1.1.1/24 -p 80 -oG <filename>

# Output in JSON format
masscan 10.1.1.1/24 -p 80 -oJ <filename>

# Output in simple list format
masscan 10.1.1.1/24 -p 80 -oL <filename>

# Read a binary output file and write it to the console
masscan --readscan bin-test.scan

# Read a binary scan and convert it to another format
masscan --readscan bin-test.scan -oX bin-test.xml
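To make the list output produced by the -oL commands above usable for triage, here is an added example (not part of the original page) that parses masscan's list format into open ports per host and keeps any banner lines collected with --banners. The sample output embedded below is constructed, not a real scan.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of masscan -oL output: "open <proto> <port> <ip> <timestamp>"
# per result, "banner ... <app> <banner text>" when --banners was used,
# and "#masscan" / "# end" header and trailer lines. All values are made up.
SAMPLE_LIST_OUTPUT = """#masscan
open tcp 80 10.1.1.5 1605551234
open tcp 443 10.1.1.5 1605551235
banner tcp 80 10.1.1.5 1605551236 http.server nginx/1.18.0
open tcp 22 10.1.1.9 1605551237
open udp 53 10.1.1.9 1605551238
open tcp 80 10.1.1.5 1605551239
# end
"""

LINE_RE = re.compile(
    r"^(?P<status>open|banner)\s+(?P<proto>tcp|udp|icmp|sctp)\s+(?P<port>\d+)"
    r"\s+(?P<ip>\S+)\s+(?P<ts>\d+)(?:\s+(?P<app>\S+)\s+(?P<banner>.*))?$"
)


def parse_list_output(text):
    """Return {ip: {(proto, port): banner_or_None}} from masscan -oL text.
    Header/comment lines are skipped; repeated 'open' lines for the same
    port are collapsed and never overwrite an already recorded banner."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unexpected masscan list line: %r" % line)
        key = (m.group("proto"), int(m.group("port")))
        entry = hosts[m.group("ip")]
        if m.group("status") == "banner":
            entry[key] = "%s %s" % (m.group("app"), m.group("banner"))
        else:
            entry.setdefault(key, None)
    return dict(hosts)


def summarize(hosts):
    """One line per host (numerically sorted), ports sorted, banners in brackets."""
    lines = []
    for ip in sorted(hosts, key=lambda s: (ipaddress.ip_address(s).version,
                                           ipaddress.ip_address(s))):
        parts = []
        for (proto, port), banner in sorted(hosts[ip].items()):
            label = "%d/%s" % (port, proto)
            if banner:
                label += " [%s]" % banner
            parts.append(label)
        lines.append("%s: %s" % (ip, ", ".join(parts)))
    return lines
```

Run it against a real file with `summarize(parse_list_output(open("output.txt").read()))` to get one line per host instead of one line per probe response.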

Complete commands

# Quick port identification
# - Subnet target
# - Port range
# - High speed
masscan 10.1.1.1/24 -p 0-65535 --rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"\
 -oL "output.txt"

# Multiple targets, specific scan
# - Known ports
# - Fast rate (100,000 packets/s)
# - Banner grabbing from another source IP
# - Only open ports
# - Modified user-agent
masscan <target1> <target2> <target3> -p 80,443 --rate 100000 --banners --open-only \
--http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
--source-ip 192.168.100.200 -oL "output.txt"

# Top 20 ports scan
# - Modified user-agent
# - Medium speed
masscan <target> -p 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 \
--http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
--rate 100000 -oL "output.txt"

# In some cases masscan can be better than nmap,
# for example when scanning a large range for only a few ports
# (internal pentest, for instance): run several iterations, one per port.
# XML output is useful for db_import in Metasploit
sudo masscan <target/16> -p 22 --rate 2000 -oX output_port_22.x

Last updated 8 months ago
