The project contains a built-in self-test:

This tests a lot of tricky bits of the code. You should do this after building.

Performance Testing

To test performance, run something like the following:

$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11

The bogus --router-mac keeps packets on the local network segments so that they won't go out to the Internet.

You can also test in "offline" mode, which is how fast the program runs without the transmit overhead:

$ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline

This second benchmark shows roughly how fast the program would run if it were using PF_RING, which has near zero overhead.

Usage

Usage is similar to nmap. To scan a network segment for some ports:

# masscan -p80,8000-8100 10.0.0.0/8

This will scan the 10.x.x.x subnet, all 16 million addresses, on port 80 and the range 8000 to 8100 (102 ports in total), and print output that can be redirected to a file.

To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:

# masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
# masscan -c xxx.conf --rate 1000

Banner Checking

MASSCAN can do more than just detect whether ports are open. It can also complete the TCP connection and interact with the application at that port in order to grab simple "banner" information.

The problem with this is that MASSCAN contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before MASSCAN can grab the banner.

The easiest way to prevent this is to assign MASSCAN a separate IP address. This would look like the following:

# masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

The address you choose has to be on the local subnet and not otherwise be used by another system.

In some cases, such as WiFi, this isn't possible. In those cases, you can firewall the port that MASSCAN uses. This prevents the local TCP/IP stack from seeing the packet, but MASSCAN still sees it since it bypasses the local stack. For Linux, this would look like:

# iptables -A INPUT -p tcp --dport 60000 -j DROP
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000

On Mac OS X and BSD, it might look like this:

# sudo ipfw add 1 deny tcp from any to any 60000 in
# masscan 10.0.0.0/8 -p80 --banners --source-port 60000

Windows doesn't respond with RST packets, so neither of these techniques is necessary. However, MASSCAN is still designed to work best using its own IP address, so you should run that way when possible, even when it's not strictly necessary.

The same thing is needed for other checks, such as the --heartbleed check, which is just a form of banner checking.

How To Scan the Entire Internet

While useful for smaller, internal networks, the program is really designed with the entire Internet in mind. It might look something like this:

# masscan 0.0.0.0/0 -p0-65535

Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, you want to use the following syntax:

# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt

This just prints the results to the command-line. You probably want them saved to a file instead. Therefore, you want something like:

# masscan 0.0.0.0/0 -p0-65535 -oX scan.xml

This saves the results in an XML file, allowing you to easily dump the results in a database or something.

But, this only goes at the default rate of 100 packets/second, which will take forever to scan the Internet. You need to speed it up as so:

# masscan 0.0.0.0/0 -p0-65535 --max-rate 100000

This increases the rate to 100,000 packets/second, which will scan the entire Internet (minus excludes) in about 10 hours per port (or 655,360 hours if scanning all ports).

The thing to notice about this command-line is that these are all nmap compatible options. In addition, "invisible" options compatible with nmap are also set for you:. Likewise, the format of the XML file is inspired by nmap. There are, of course, a lot of differences, because the asynchronous nature of the program leads to a fundamentally different approach to the problem.

The above command-line is a bit cumbersome. Instead of putting everything on the command-line, it can be stored in a file instead. The above settings would look like this:

# My Scan
rate = 100000.00
output-format = xml
output-status = all
output-filename = scan.xml
ports = 0-65535
range = 0.0.0.0-255.255.255.255
excludefile = exclude.txt

To use this configuration file, use the -c option:

# masscan -c myscan.conf

This also makes things easier when you repeat a scan.

By default, MASSCAN first loads the configuration file. Any later configuration parameters override what's in this default configuration file. That's where I put my "" parameter, so that I don't ever forget it. It just works automatically.

Output

By default, MASSCAN produces fairly large text files, but it's easy to convert them into any other format. There are five supported output formats:

xml: Just use the parameter -oX <filename>. Or, use the parameters --output-format xml and --output-filename <filename>.

binary: This is the MASSCAN builtin format. It produces much smaller files, so that when I scan the Internet my disk doesn't fill up. They need to be parsed, though. The command line option --readscan will read binary scan files. Using --readscan with the -oX option will produce an XML version of the results file.

grepable: This is an implementation of the Nmap -oG output that can be easily parsed by command-line tools. Just use the parameter -oG <filename>. Or, use the parameters --output-format grepable and --output-filename <filename>.

json: This saves the results in JSON format. Just use the parameter -oJ <filename>. Or, use the parameters --output-format json and --output-filename <filename>.

list: This is a simple list with one host and port pair per line. Just use the parameter -oL <filename>. Or, use the parameters --output-format list and --output-filename <filename>. The format is:
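
Planning check for the rate and exclude figures in "How To Scan the Entire Internet", as an added example that is not part of masscan or its documentation: it parses a configuration in the key = value layout shown on this page, subtracts an exclude list from the target range, and returns the remaining addresses, the number of probes, and the hours needed at the configured rate. The exclude entries and all function names are constructed for illustration, and exclude entries are assumed to be CIDR blocks, dashed ranges or single addresses.

```python
import ipaddress

def parse_conf(text):
    # 'key = value' per line; lines starting with '#' are comments (layout shown on this page)
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def to_interval(spec):
    # 'a.b.c.d-e.f.g.h', a CIDR block or a single address -> (first, last) as integers
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(ipaddress.IPv4Address(lo.strip())), int(ipaddress.IPv4Address(hi.strip()))
    net = ipaddress.IPv4Network(spec.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address)

def merge(intervals):
    # Merge overlapping or adjacent intervals so no excluded address is counted twice
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged

def count_ports(spec):
    # '80,8000-8100' -> number of distinct ports
    ports = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return len(ports)

def estimate(conf_text, exclude_lines):
    # Returns (addresses left after excludes, total probes, hours at the configured rate)
    conf = parse_conf(conf_text)
    t_lo, t_hi = to_interval(conf["range"])
    excluded = 0
    for lo, hi in merge(to_interval(e) for e in exclude_lines):
        lo, hi = max(lo, t_lo), min(hi, t_hi)  # clip each exclude to the target range
        excluded += max(0, hi - lo + 1)
    addresses = (t_hi - t_lo + 1) - excluded
    probes = addresses * count_ports(conf["ports"])
    return addresses, probes, probes / float(conf["rate"]) / 3600

# Constructed sample input: settings from this page plus a made-up exclude list
CONF = "# My Scan\nrate = 100000.00\nports = 0-65535\nrange = 0.0.0.0-255.255.255.255\n"
EXCLUDES = ["10.0.0.0/8", "10.1.0.0/16", "127.0.0.0/8", "224.0.0.0-255.255.255.255"]
print("addresses=%d probes=%d hours=%.0f" % estimate(CONF, EXCLUDES))
```

Dividing the returned hours by the number of ports gives the per-port figure to compare with the "about 10 hours per port" quoted above.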