Scanning with Masscan

00:00

scanning with mass scan

00:03

in this lesson, we're gonna understand how to use mass scan to scan for open ports and services as well. As described some of the pluses and minuses of the scanner

00:11

as I've mentioned before. Maskin is a very fast scanner. If your job is to scan a sub net very quickly or maybe the entire internet very quickly at a certain port. This is the scanner for you. It doesn't work exactly like end map. It doesn't do all that error checking.

00:28

Um it doesn't look for all that feedback like N map does. That's why it can work so fast.

00:35

So that's why I like end map

00:37

better I should say in the context of oh SCP just because you're trying to get that granny, those granular details. If you're trying to scan for all open ports um in the Oh SCP environment, you know, maybe use mass scan but when you actually want to pull more information

00:54

like banners um and maybe some vulnerability checking and map is the tool for you.

01:00

So if we compare mask and with end map when you run end map, if you just do an end map in an I. P. Address, it already looks for default ports. Maskin doesn't work that way maskin. You actually have to specify the ports. And that's why I was saying it's important to know the common ports because you know which ports to look for as opposed to searching from port 1 to 10,000.

01:21

That's going to take a long time.

01:22

If your strategic and you search reports like 21 22 445139

01:27

if you know those common ports then you can accomplish your task very quickly.

01:32

Also you can't use names like google dot com. It doesn't use DNS you have to use actual I. P. Addresses and I. P. Ranges. And as you can see her and maps a little bit more, a little bit more flexible and using submit ranges, whereas mass scan is not.

01:49

So when you run mass scan it uses kind of these default configurations. And and if we translate that to end map, it uses the syn scan or half open scan. So if you run end Map as a super user uses this half open scan by default. So it will send a syn packet out. We'll get the syn ack packet back and we'll never send that act packet

02:10

back to that host. So it doesn't complete that three way handshake. That means you have to use mass scan as a super user.

02:19

It also uses this no ping scan so it treats every host as up there's no DNS resolution

02:24

that randomized the host so it doesn't do it sequentially. And also it's using the raw live P cap. So it's at the data link layer rather than at the network layer. Sometimes end map has to decide which one wants data link layer or network layer.

02:38

Mass scan. Just just uses the data link layer.

02:44

So if you actually want to do banner checking, um so the way mass scan works as it has his own TCP I. P stack and that's why I can run so quickly.

02:53

So if you actually want to get banners back to your within your scan, you need to firewall a certain port or you need to specify an I. P. Address in your sub net. That is not actually a live host. And I want to show you that.

03:13

So as you can see here, I'm using I. P. Tables, I'm dropping uh dropping packets coming into port 61,000

03:23

and then I'm going to use mass scan.

03:28

And

03:29

as you can see here, I am using my up arrow to to look through but here we go. I'm checking for banners, I'm using mass scan. Of course google dot com is not gonna work.

03:38

So let's try our local sub net 19216810 wack 24. And I have some port specified here. 21 22 53 1 39 445 in

03:51

the lead port, which is not a common port. But I know I have a service running here are going to use it.

03:55

I want to check for banners and we're going to use that source port which we specified in R. I. P. Table command up above.

04:02

So we'll just see how fast this is going. I'm not going to pause my video because I want to show how fast mass scan is. And as you can see it's already finding open ports.

04:13

Hopefully it will do some banner grabbing as well

04:16

There. You see a banner grab on Port 21

04:20

and as you can see it's not as clean as our end map. Banner grabbing.

04:25

We can see our lead port, that's as ssh running. That's what I was talking about before is even though port 22 is commonly used for for ssh in this case I use the super cool elite port.

04:39

So I also want to show you that you can specify an I. P. Address. Let's do 1921681.5 dot five I should say. I know that that's not a live hosts on my network but I'm gonna use that as my source I. P. And we should get the same information. But this is another way where you don't have to worry about

04:56

um using iP tables to use that firewall.

05:02

So again I'm not going to pause the video. You can see how fast this tool is

05:13

and you can see it's almost done.

05:20

So I am scanning all 256 hosts on my network. So again this is a very very fast scanner

05:31

And there we go. We actually got a banner on port 80

05:35

which I don't think we got up here.

05:40

No we didn't. So we actually got more information with using the source I. P. Address where we got some banners from http.

05:51

Oh

05:53

That's because I actually specified port 80 here or is here? I did not.

06:01

All right. So there's a bit of a learning curve to using mass scan. When you try if you try to use it in the labs you may have some problems. So you might want to use it on your local network of course, if you have permission to do that, um just to see how it works, read the documentation carefully, uh it is possible to knock hosts offline

06:20

just because how fast it is.

06:23

Um and also banner grabbing, you know, it's good to do banner grabbing, although this may not be the tool for you as you saw, the banner grabbing was not as clean um when we when we use that option, um so just be aware of the strengths and weaknesses of mass scan.

06:41

So in this lesson we covered how to use mass scan to scan for open ports and services as well as described some of the pluses and minuses of the tool.