# masscan — Internet-Scale Port Scanner at 10 Million Packets Per Second

> The fastest port scanner capable of scanning the entire Internet in under six minutes, using asynchronous packet transmission.

## Quick Use

```bash
# Install on Debian/Ubuntu
sudo apt install masscan

# Scan a subnet for common ports
sudo masscan 10.0.0.0/24 -p80,443,22 --rate=1000
```

## Introduction

masscan is an asynchronous TCP port scanner written in C that can transmit up to 10 million packets per second. Designed by Robert David Graham, it uses its own custom TCP/IP stack to achieve speeds that make full-Internet scans feasible on commodity hardware.

## What masscan Does

- Scans TCP and UDP ports at rates exceeding Nmap by 100x or more
- Uses a custom TCP/IP stack bypassing the OS kernel for raw packet transmission
- Outputs results in Nmap-compatible XML, JSON, or binary formats
- Supports banner grabbing for service identification on open ports
- Randomizes target order to distribute scan traffic evenly

## Architecture Overview

masscan operates by generating SYN packets directly via raw sockets or libpcap, bypassing the operating system's TCP stack entirely. A separate receive thread captures responses asynchronously. Target randomization uses a cryptographic permutation to avoid sequential scanning of adjacent IP addresses, which reduces the chance of triggering network-level rate limiting.

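The randomized target ordering described under Architecture Overview can be illustrated with a small keyed permutation. This is an added example, not masscan's own code: the Feistel construction with cycle-walking, the `(ip, port)` index layout, the seed, and the names `permute`, `scan_order` and `adjacent_steps` are assumptions chosen for illustration. It sends no packets; it shows that every target is still covered exactly once while a detection heuristic keyed on sequential address sweeps sees very little.

```python
import hashlib
import ipaddress

def _round(value: int, rnd: int, seed: bytes, bits: int) -> int:
    """Keyed round function: hash (seed, round, half-block) down to `bits` bits."""
    digest = hashlib.sha256(seed + bytes([rnd]) + value.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << bits) - 1)

def permute(index: int, size: int, seed: bytes, rounds: int = 4) -> int:
    """Map index in [0, size) to a unique pseudo-random index in [0, size)."""
    half = max(1, ((size - 1).bit_length() + 1) // 2)  # bits per Feistel half
    mask = (1 << half) - 1
    x = index
    while True:
        left, right = x >> half, x & mask
        for rnd in range(rounds):
            left, right = right, left ^ _round(right, rnd, seed, half)
        x = (left << half) | right
        if x < size:  # cycle-walk: re-permute until the value is back in range
            return x

def scan_order(cidr: str, ports: list, seed: bytes):
    """Yield every (ip, port) pair exactly once, in permuted order."""
    net = ipaddress.ip_network(cidr)
    total = net.num_addresses * len(ports)
    for i in range(total):
        j = permute(i, total, seed)
        yield str(net[j // len(ports)]), ports[j % len(ports)]

def adjacent_steps(order) -> int:
    """Count consecutive probes whose destination IPs differ by at most 1,
    the pattern a sequential-sweep detection heuristic keys on."""
    ips = [int(ipaddress.ip_address(ip)) for ip, _ in order]
    return sum(1 for a, b in zip(ips, ips[1:]) if abs(a - b) <= 1)

if __name__ == "__main__":
    ports = [22, 80, 443]                      # ports from the Quick Use command
    net = ipaddress.ip_network("10.0.0.0/24")  # subnet from the Quick Use command
    sequential = [(str(ip), p) for ip in net for p in ports]
    permuted = list(scan_order("10.0.0.0/24", ports, b"constructed-seed"))
    assert sorted(permuted) == sorted(sequential)  # same targets, none repeated
    print("first probes:", permuted[:4])
    print("adjacent steps, sequential:", adjacent_steps(sequential))
    print("adjacent steps, permuted:  ", adjacent_steps(permuted))
```

For detection, the practical consequence is to count distinct destination address and port pairs per source over a time window rather than to look for runs of neighbouring addresses.
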
## Self-Hosting & Configuration

- Build from source with `make` on Linux or use package managers
- Requires root or sudo for raw socket access
- Configure `--rate` to control packets per second based on bandwidth
- Exclude sensitive ranges using `--excludefile` with a list of CIDRs
- Use `--banners` to enable lightweight service fingerprinting

## Key Features

- Custom TCP/IP stack for kernel-bypass packet generation
- Stateless SYN scanning with asynchronous response collection
- Nmap-compatible output formats for integration with existing workflows
- Built-in support for TLS and HTTP banner collection
- Resume interrupted scans via saved state files

## Comparison with Similar Tools

- **Nmap** — far more feature-rich (scripting, OS detection) but orders of magnitude slower for large scans
- **ZMap** — similar speed for single-port scans; masscan supports multi-port in one pass
- **RustScan** — wraps Nmap with fast initial port discovery, less control over packet rate
- **Unicornscan** — older async scanner, less maintained and slower

## FAQ

**Q: Does masscan require root privileges?**
A: Yes. Raw socket access requires root on Linux or administrator privileges on Windows.

**Q: Can I use masscan output with Nmap?**
A: Yes. Use `-oX` to produce Nmap-compatible XML, then feed open ports into Nmap for deeper service analysis.

**Q: Will masscan damage my network?**
A: At high rates, masscan can saturate links and trigger IDS alerts. Always use `--rate` responsibly and only scan networks you are authorized to test.

**Q: Does masscan support IPv6?**
A: IPv6 support is experimental. For production IPv6 scanning, consider ZMap or Nmap.

## Sources

- https://github.com/robertdavidgraham/masscan
- https://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html

---

Source: https://tokrepo.com/en/workflows/asset-d2148552
Author: Script Depot