
masscan Cheatsheet



Masscan is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. It uses asynchronous transmission for extreme speed.


Basic Usage

  • masscan <target> -p<ports> - Basic port scan
  • masscan 0.0.0.0/0 -p0-65535 - Scan entire internet (don't do this)

Target Specification

  • masscan 192.168.1.0/24 - CIDR notation
  • masscan 192.168.1.1-192.168.1.254 - IP range
  • masscan -iL targets.txt - Read from file
  • masscan --exclude 192.168.1.1 - Exclude IP
  • masscan --excludefile exclude.txt - Exclude from file

Port Specification

  • -p80 - Single port
  • -p80,443,8080 - Multiple ports
  • -p1-1000 - Port range
  • -p0-65535 - All ports
  • -pU:53 - UDP port
  • -p80,U:53 - Mixed TCP/UDP

Rate Control

  • --rate 1000 - Packets per second (default 100)
  • --rate 10000 - 10k packets/sec
  • --rate 100000 - 100k packets/sec (needs tuning)
  • --max-rate 1000000 - Maximum rate limit

Output Options

  • -oL output.txt - List output (default)
  • -oX output.xml - XML output
  • -oG output.gnmap - Grepable output
  • -oJ output.json - JSON output
  • -oB output.binary - Binary output
  • --open - Only show open ports

Banner Grabbing

  • --banners - Grab service banners
  • --hello-string <base64> - Custom hello string
  • --source-port 61000 - Set source port

Network Options

  • -e eth0 - Specify interface
  • --adapter-ip 192.168.1.100 - Source IP
  • --adapter-mac 00:11:22:33:44:55 - Source MAC
  • --router-mac 00:11:22:33:44:55 - Gateway MAC
  • --ttl 64 - Set TTL value

Timing Options

  • --wait 10 - Seconds to wait for replies (default 10)
  • --retries 2 - Number of retries
  • --seed <number> - Random seed for reproducibility

Resume and Config

  • --resume paused.conf - Resume interrupted scan
  • -c config.conf - Use config file
  • --echo > config.conf - Save current settings to config

Common Examples

Quick Web Scan

masscan 192.168.1.0/24 -p80,443,8080 --rate 1000

Scan for web servers on local network.

Full Port Scan

masscan 192.168.1.0/24 -p1-65535 --rate 10000 -oL results.txt

All ports on network, save to file.

Banner Grabbing

masscan 192.168.1.0/24 -p22,80,443 --banners --rate 1000

Grab banners from common services.

Fast Class B Scan

masscan 10.0.0.0/16 -p80 --rate 100000 -oJ output.json

High-speed scan of large network.

UDP Scan

masscan 192.168.1.0/24 -pU:53,161,500 --rate 1000

Scan common UDP ports.

With Exclusions

masscan 10.0.0.0/8 -p80 --excludefile exclude.txt --rate 50000

Scan large range with exclusions.


Performance Tuning

For High-Speed Scanning

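# Increase system limits
# (somaxconn caps the listen() backlog; writing 1 lowers it rather than raising it)
echo 1 > /proc/sys/net/core/somaxconn
# Raise the maximum socket receive/send buffer sizes to 16 MiB
sysctl -w net.core.rmem_max=16777216
sysctl -w net.core.wmem_max=16777216

# Use PF_RING for 10M+ packets/sec
masscan <target> -p<ports> --adapter-ip 192.168.1.100 --rate 1000000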

Output Parsing

List Format

# Format: status proto port ip timestamp
open tcp 80 192.168.1.1 1234567890

Extract IPs from List

# Match on the status field so banner text containing "open" is not picked up
awk '$1 == "open" {print $4}' output.txt
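
Going one step past the IP extraction above, this added example (not part of the original cheatsheet) groups -oL results into one line per host, with ports in the T:/U: form that nmap's -p option accepts. The function names and the sample lines are constructed for illustration; the banner line follows the layout masscan writes in list output.

```shell
#!/bin/sh
# Constructed sample of masscan -oL output: header/footer comments, a
# duplicate "open" record, a banner record, and one UDP port.
sample_masscan_list() {
    cat <<'EOF'
#masscan
open tcp 80 192.168.1.10 1700000000
open tcp 22 192.168.1.10 1700000001
open tcp 80 192.168.1.10 1700000002
banner tcp 80 192.168.1.10 1700000003 http HTTP/1.1 200 OK\x0d\x0aServer: openresty
open udp 53 192.168.1.10 1700000004
open tcp 443 192.168.1.20 1700000005
# end
EOF
}

# Reads -oL lines on stdin, prints "ip T:p1,p2,U:p3" per host.
group_open_ports() {
    # 1) keep only records whose status field is exactly "open"
    #    (a grep for "open" would also match the openresty banner)
    awk '$1 == "open" && NF >= 5 && ($2 == "tcp" || $2 == "udp") {
             print $4, ($2 == "tcp" ? "T" : "U"), $3
         }' |
    # 2) drop duplicates; order by host, protocol, numeric port
    LC_ALL=C sort -u -k1,1 -k2,2 -k3,3n |
    # 3) fold consecutive rows for the same host into one port spec
    awk '{
             if ($1 != host) {
                 if (host != "") print host, spec
                 host = $1; spec = ""; proto = ""
             }
             if ($2 != proto) {
                 spec = spec (spec == "" ? "" : ",") $2 ":" $3
                 proto = $2
             } else {
                 spec = spec "," $3
             }
         }
         END { if (host != "") print host, spec }'
}

sample_masscan_list | group_open_ports
```

For a real scan, run `group_open_ports < output.txt`. Hosts are ordered as plain strings, not numerically by octet.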

Tips

  • Start with low rates (1000) and increase gradually
  • Use --wait to ensure you catch slow responses
  • Always exclude sensitive/critical systems
  • Use --resume for long scans that might interrupt
  • Combine with nmap for detailed service detection
  • masscan finds ports fast, nmap enumerates them
  • May need root/sudo for raw socket access
  • High rates can overwhelm networks - be careful
  • Always get authorization before scanning
