Bulk IP scanning for ports by masscan

I am trying to use masscan to scan ports of multiple IP addresses. How to provide list of IP addresses in the input of command ? So far I have used the following command. But there is only one IP address is possible to check.

masscan [IP Address] -p0-65535 -oX [outputfile.xml]

1 Like

-iL will work.

masscan [IP Address] -p0-65535 -iL [scope.txt] -oX [outputfile.xml]

When in doubt try nmap syntax, since masscan uses nmap options.


Yes, it is working. Thanks a lot.


masscan -p0-65535 -oX output.xml

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-08-18 14:00:25 GMT
– forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan

There is no output in masscan. As the output.xml is blank

I have checked the same with zenmap Quick Scan

**nmap command ** - nmap -T4 -F

zenmap output:
Not shown: 96 filtered ports


25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https

Now I am confused why zenmap is showing at least 3 open ports and masscan is showing nothing.

System state can change, so you have to take that into consideration. I would trust the accuracy of nmap/zenmap over masscan. Masscan is known for fast scans, but nmap has better accuracy base on my experience. It’s good that you are using multiple tools, which is always a good idea. Your syntax looks good and I after you find your open ports, you could scan with nmap using -sV to get version information and -sC to run the default NSE scripts and these two should help you find more useful information.

1 Like

Thanks for your prompt reply and suggestion. I also use the dirb to brute force hidden folders.

1. dirb it is showing some directories as follows

https://example.com/a (CODE:400|SIZE:0)
https://example.com/b (CODE:400|SIZE:0)

2. nmap is showing the following open ports

25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https

How to remove the 400 error ? As it seems that it is bad request by the HTTP response code. Is there a way out to get any information or more scan ?

  1. Dirb and Dirbuster are good, but I would use OWASP Zap or Burp Suite for for forced browsing and content discovery.

This might be helpful for the 400 HTTP errors that you are getting, but I tend to lean toward the header being too long or the malformed header.

  1. I would do a service scan with nmap (-sV) and NSE default scripts (-sC) to see if you can get finger print the services to enumerate the particular type of software and version running on those ports. You can get some of that info using Burp or ZAP.

You could also run curl -I to get HTTP header info, which sometimes reveals the web server or web app server version. I also like running Nikto, it can reveal version info, default creds and vulnerabilities. I have had pretty good luck with Nikto.

You can run the HTTP methods NSE script to see if the target has any HTTP methods that could be exploited; nmap --script http-methods

1 Like

masscan takes a SUBNET as an argument eg (0-255)… check out the use of the CIDR subnet mask concept