Bulk IP scanning for ports by masscan

sabyasachi · August 5, 2018, 6:19pm

I am trying to use masscan to scan ports of multiple IP addresses. How to provide list of IP addresses in the input of command ? So far I have used the following command. But there is only one IP address is possible to check.

masscan [IP Address] -p0-65535 -oX [outputfile.xml]

plwylie · August 5, 2018, 6:54pm

-iL will work.

masscan [IP Address] -p0-65535 -iL [scope.txt] -oX [outputfile.xml]

When in doubt try nmap syntax, since masscan uses nmap options.

sabyasachi · August 5, 2018, 7:14pm

Yes, it is working. Thanks a lot.

sabyasachi · August 18, 2018, 2:25pm

masscan -p0-65535 -oX output.xml

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2018-08-18 14:00:25 GMT
– forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan

There is no output in masscan. As the output.xml is blank

I have checked the same with zenmap Quick Scan

**nmap command ** - nmap -T4 -F

zenmap output:
Not shown: 96 filtered ports

PORT STATE SERVICE

25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https

Now I am confused why zenmap is showing at least 3 open ports and masscan is showing nothing.

plwylie · August 18, 2018, 6:17pm

System state can change, so you have to take that into consideration. I would trust the accuracy of nmap/zenmap over masscan. Masscan is known for fast scans, but nmap has better accuracy base on my experience. It’s good that you are using multiple tools, which is always a good idea. Your syntax looks good and I after you find your open ports, you could scan with nmap using -sV to get version information and -sC to run the default NSE scripts and these two should help you find more useful information.

sabyasachi · August 19, 2018, 6:56am

Thanks for your prompt reply and suggestion. I also use the dirb to brute force hidden folders.

1. dirb it is showing some directories as follows

https://example.com/a (CODE:400|SIZE:0)
https://example.com/b (CODE:400|SIZE:0)

2. nmap is showing the following open ports

25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https

How to remove the 400 error ? As it seems that it is bad request by the HTTP response code. Is there a way out to get any information or more scan ?

plwylie · August 19, 2018, 7:57pm

Dirb and Dirbuster are good, but I would use OWASP Zap or Burp Suite for for forced browsing and content discovery.

This might be helpful for the 400 HTTP errors that you are getting, but I tend to lean toward the header being too long or the malformed header.

I would do a service scan with nmap (-sV) and NSE default scripts (-sC) to see if you can get finger print the services to enumerate the particular type of software and version running on those ports. You can get some of that info using Burp or ZAP.

You could also run curl -I to get HTTP header info, which sometimes reveals the web server or web app server version. I also like running Nikto, it can reveal version info, default creds and vulnerabilities. I have had pretty good luck with Nikto.

You can run the HTTP methods NSE script to see if the target has any HTTP methods that could be exploited; nmap --script http-methods

darrylb · November 21, 2018, 1:19am

masscan takes a SUBNET as an argument eg 10.1.1.0/24 (0-255)… check out the use of the CIDR subnet mask concept

https://doc.m0n0.ch/quickstartpc/intro-CIDR.html

Topic		Replies	Views
Need help in result of masscan Recon Techniques	2	4004	August 14, 2018
Virtual Servers Starter Zone	3	2221	December 28, 2021
Using nMap and Autonomous System numbers (ASN) for Discovery of GOODIES* (*maybe) Starter Zone	3	9941	September 4, 2019
Sud-domain scan odd results - nmap, dnsgoodies, ping, censys.io Starter Zone	4	2654	October 28, 2016
No Automation need some help Starter Zone	6	2354	July 21, 2020

Bulk IP scanning for ports by masscan

Related topics