Commit 87f85afe authored by robertdavidgraham

man page

parent 18f352d5

doc/masscan.8.gz

0 → 100644
+4.28 KiB

File added.

No diff preview for this file type.

doc/masscan.8.html

0 → 100644
+321 −0
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv='content-type' value='text/html;charset=utf8'>
  <meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
  <title>masscan(8) - Fast scan of the Internet</title>
  <style type='text/css' media='all'>
  /* style: man */
  body#manpage {margin:0}
  .mp {max-width:100ex;padding:0 9ex 1ex 4ex}
  .mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
  .mp h2 {margin:10px 0 0 0}
  .mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
  .mp h3 {margin:0 0 0 4ex}
  .mp dt {margin:0;clear:left}
  .mp dt.flush {float:left;width:8ex}
  .mp dd {margin:0 0 0 9ex}
  .mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
  .mp pre {margin-bottom:20px}
  .mp pre+h2,.mp pre+h3 {margin-top:22px}
  .mp h2+pre,.mp h3+pre {margin-top:5px}
  .mp img {display:block;margin:auto}
  .mp h1.man-title {display:none}
  .mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
  .mp h2 {font-size:16px;line-height:1.25}
  .mp h1 {font-size:20px;line-height:2}
  .mp {text-align:justify;background:#fff}
  .mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
  .mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
  .mp u {text-decoration:underline}
  .mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
  .mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
  .mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
  .mp b.man-ref {font-weight:normal;color:#434241}
  .mp pre {padding:0 4ex}
  .mp pre code {font-weight:normal;color:#434241}
  .mp h2+pre,h3+pre {padding-left:0}
  ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
  ol.man-decor {width:100%}
  ol.man-decor li.tl {text-align:left}
  ol.man-decor li.tc {text-align:center;letter-spacing:4px}
  ol.man-decor li.tr {text-align:right;float:right}
  </style>
</head>
<!--
  The following styles are deprecated and will be removed at some point:
  div#man, div#man ol.man, div#man ol.head, div#man ol.man.

  The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
  .man-navigation should be used instead.
-->
<body id='manpage'>
  <div class='mp' id='man'>

  <div class='man-navigation' style='display:none'>
    <a href="#NAME">NAME</a>
    <a href="#SYNOPSIS">SYNOPSIS</a>
    <a href="#DESCRIPTION">DESCRIPTION</a>
    <a href="#OPTIONS">OPTIONS</a>
    <a href="#CONFIGURATION-FILE-FORMAT">CONFIGURATION FILE FORMAT</a>
    <a href="#CONTROL-C-BEHAVIOR">CONTROL-C BEHAVIOR</a>
    <a href="#SIMPLE-EXAMPLES">SIMPLE EXAMPLES</a>
    <a href="#ADVANCED-EXAMPLES">ADVANCED EXAMPLES</a>
    <a href="#COMPATIBILITY">COMPATIBILITY</a>
    <a href="#SEE-ALSO">SEE ALSO</a>
    <a href="#AUTHORS">AUTHORS</a>
  </div>

  <ol class='man-decor man-head man head'>
    <li class='tl'>masscan(8)</li>
    <li class='tc'></li>
    <li class='tr'>masscan(8)</li>
  </ol>

  <h2 id="NAME">NAME</h2>
<p class="man-name">
  <code>masscan</code> - <span class="man-whatis">Fast scan of the Internet</span>
</p>

<h2 id="SYNOPSIS">SYNOPSIS</h2>

<p>masscan <ip addresses/ranges> -p <var>ports</var> <var>options</var></p>

<h2 id="DESCRIPTION">DESCRIPTION</h2>

<p><strong>masscan</strong> is an Internet-scale port scanner, useful for large scal surveys
of the Internet, or of internal networks. While the default transmit rate
is only 100 packets/second, it can optional go as fast as 25 million
packets/second, a rate sufficient to scan the Internet in 3 minutes for
one port.</p>

<h2 id="OPTIONS">OPTIONS</h2>

<ul>
<li><p><code>&lt;ip/range&gt;</code>: anything on the command-line not prefixed with a '-' is
assumed to be an IP address or range. There are three valid formats.
The first is a single IPv4 address like "192.168.0.1". The second
is a range like "10.0.0.1-10.0.0.100". The third is a CIDR address,
like "0.0.0.0/0". At least one target must be specified. Multiple
targets can be specified. This can be specified as multiple options
separated by space, or can be separated by a comma as a single option,
such as <code>10.0.0.0/8,192.168.0.1</code>.</p></li>
<li><p><code>--range &lt;ip/range&gt;</code>: the same as target range spec described above,
except as a named parameter instead of an unnamed one.</p></li>
<li><p><code>-p &lt;ports</code>, <code>--ports &lt;ports></code>: specifies the port(s) to be scanned. A single
port can be specified, like <code>-p80</code>. A range of ports can be specified,
like <code>-p 20-25</code>. A list of ports/ranges can be specified, like
<code>-p80,20-25</code>. UDP ports can also be specified, like
<code>--ports U:161,U:1024-1100</code>.</p></li>
<li><p><code>--banners</code>: specifies that banners should be grabbed, like HTTP server
versions, HTML title fields, and so forth. Only a few protocols are
supported.</p></li>
<li><p><code>--rate &lt;packets-per-second></code>: specifies the desired rate for transmitting
packets. This can be very small numbers, like <code>0.1</code> for transmitting packets
at rates of one every 10 seconds, for very large numbers like 10000000,
which attempts to transmit at 10 million packets/second. In my experience,
Windows and can do 250 thousand packets per second, and latest versions of
Linux can do 2.5 million packets per second. The PF_RING driver is needed
to get to 25 million packets/second.</p></li>
<li><p><code>-c &lt;filename></code>, <code>--conf &lt;filename></code>: reads in a configuration file. The
format of the configuration file is described below.</p></li>
<li><p><code>--resume &lt;filename></code>: the same as <code>--conf</code>, except that a few options
are automatically set, such as <code>--append-output</code>. The format of the
configuration file is described below.</p></li>
<li><p><code>--echo</code>: don't run, but instead dump the current configuration to a file.
This file can then be used with the <code>-c</code> option. The format of this
output is described below under 'CONFIGURATION FILE'.</p></li>
<li><p><code>-e &lt;ifname></code>, <code>--adapter &lt;ifname></code>: use the named raw network interface,
such as "eth0" or "dna1". If not specified, the first network interface
found with a default gateway will be used.</p></li>
<li><p><code>--adapter-ip &lt;ip-address></code>: send packets using this IP address. If not
specified, then the first IP address bound to the network interface
will be used.</p></li>
<li><p><code>--adapter-port &lt;ip-address></code>: send packets using this port number as the
source. If not specified, a random port will be chosen in the range 40000
through 60000. This port should be filtered by the host firewall (like
iptables) to prevent the host network stack from interfering with arriving
packets.</p></li>
<li><p><code>--adapter-mac &lt;mac-address></code>: send packets using this as the source MAC
address. If not specified, then the first MAC address bound to the network
interface will be used.</p></li>
<li><p><code>--router-mac &lt;mac address></code>: send packets to this MAC address as the
destination. If not specified, then the gateway address of the network
interface will be ARPed.</p></li>
<li><p><code>--ping</code>: indicates that the scan should include an ICMP echo request.
This may be included with TCP and UDP scanning.</p></li>
<li><p><code>--exclude &lt;ip/range&gt;</code>: blacklist an IP address or range, preventing it
from being scanned. This overrides any target specification, guaranteeing
that this address/range won't be scanned. This has the same format
as the normal target specification.</p></li>
<li><p><code>--excludefile &lt;filename></code>: reads in a list of exclude ranges, in the same
target format described above. These ranges override any targets,
preventing them from being scanned.</p></li>
<li><p><code>--append-output</code>: causes output to append to file, rather than
overwriting the file.</p></li>
<li><p><code>--iflist</code>: list the available network interfaces, and then exits.</p></li>
<li><p><code>--retries</code>: the number of retries to send, at 1 second intervals. Note
that since this scanner is stateless, retries are sent regardless if
replies have already been received.</p></li>
<li><p><code>--nmap</code>: print help aobut nmap-compatibility alternatives for these
options.</p></li>
<li><p><code>--pcap-payloads</code>: read packets from a libpcap file containing packets
and extract the UDP payloads, and associate those payloads with the
destination port. These payloads will then be used when sending UDP
packets with the matching destination port. Only one payload will
be remembered per port. Similar to <code>--nmap-payloads</code>.</p></li>
<li><p><code>--nmap-payloads &lt;filename></code>: read in a file in the same format as
the nmap file <code>nmap-payloads</code>. This contains UDP payload, so that we
can send useful UDP packets instead of empty ones. Similar to
<code>--pcap-payloads</code>.</p></li>
<li><p><code>--open-only</code>: report only open ports, not closed ports.</p></li>
<li><p><code>--output-format &lt;fmt></code>: indicates the format of the output file, which
can be <code>xml</code> or <code>binary</code>. The option <code>--output-filename</code> must be
specified.</p></li>
<li><p><code>--output-filename &lt;filename></code>: the file which to save results to. If
the parameter <code>--output-format</code> is not specified, then the default of
<code>xml</code> will be used.</p></li>
<li><p><code>--pcap &lt;filename></code>: saves received packets (but not transmitted
packets) to the libpcap-format file.</p></li>
<li><p><code>--packet-trace</code>: prints a summary of those packets sent and received.
This is useful at low rates, like a few packets per second, but will
overwhelm the terminal at high rates.</p></li>
<li><p><code>--pfring</code>: force the use of the PF_RING driver. The program will exit
if PF_RING DNA drvers are not available.</p></li>
<li><p><code>--resume-index</code>: the point in the scan at when it was paused.</p></li>
<li><p><code>--resume-count</code>: the maximum number of probes to send before exiting.
This is useful with the <code>--resume-index</code> to chop up a scan and split
it among multiple instances, though the <code>--shards</code> option might be
better.</p></li>
<li><p><code>--shards &lt;x>/&lt;y></code>: splits the scan among instances. <code>x</code> is the id
for this scan, while <code>y</code> is the total number of instances. For example,
<code>--shards 1/2</code> tells an instance to send every other packet, starting
with index 0. Likewise, <code>--shards 2/2</code> sends every other packet, but
starting with index 1, so that it doesn't overlap with the first example.</p></li>
<li><p><code>--rotate &lt;time></code>: rotates the output file, renaming it with the
current timestamp, moving it to a separate directory. The time is
specified in number of seconds, like "3600" for an hour. Or, units
of time can be specified, such as "hourly", or "6hours", or "10min".
Times are aligned on an even boundary, so if "daily" is specified,
then the file will be rotated every day at midnight.</p></li>
<li><p><code>--rotate-offset &lt;time></code>: an offset in the time. This is to accomodate
timezones.</p></li>
<li><p><code>--rotate-dir &lt;directory></code>: when rotating the file, this specifies which
directory to move the file to. A useful directory is <code>/var/log/masscan</code>.</p></li>
<li><p><code>--seed &lt;integer></code>: an integer that seeds the random number generator.
Using a different seed will cause packets to be sent in a different
random order. Instead of an integer, the string <code>time</code> can be specified,
which seeds using the local timestamp, automatically generating a
differnet random order of scans.</p></li>
<li><p><code>--regress</code>: run a regression test, returns '0' on success and '1' on
failure.</p></li>
<li><p><code>--ttl &lt;num></code>: specifies the TTL of outgoing packets, defaults to 255.</p></li>
<li><p><code>--wait &lt;seconds></code>: specifies the number of seconds after transmit is
done to wait for receiving packets before exiting the program. The default
is 10 seconds. The string <code>forever</code> can be specified to never terminate.</p></li>
<li><p><code>--offline</code>: don't actually transmit packets. This is useful with
a low rate and <code>--packet-trace</code> to look at what packets might've been
transmitted. Or, it's useful with <code>--rate 100000000</code> in order to
benchmark how fast transmit would work (assuming a zero-overhead
driver). PF_RING is about 20% slower than the benchmark result from
offline mode.</p></li>
<li><p><code>-sL</code>: this doesn't do a scan, but instead creates a list of random
addresses. This is useful for importing into other tools. The options
<code>--shard</code>, <code>--resume-index</code>, and <code>--resume-count</code> can be useful with
this feature.</p></li>
</ul>


<h2 id="CONFIGURATION-FILE-FORMAT">CONFIGURATION FILE FORMAT</h2>

<p>The configuration file uses the same parameter names as on the
commandline, but without the <code>--</code> prefix, and with an <code>=</code> sign
between the name and the value. An example configuration file
might be:</p>

<pre><code># targets
range = 10.0.0.0/8,192.168.0.0/16
range = 172.16.0.0/14
ports = 20-25,80,U:53
ping = true

# adapter
adapter = eth0
adapter-ip = 192.168.0.1
router-mac = 66-55-44-33-22-11

# other
exclude-file = /etc/masscan/exludes.txt
</code></pre>

<p>By default, the program will read default configuration from the file
<code>/etc/masscan/masscan.conf</code>. This is useful for system-specific settings,
such as the <code>--adapter-xxx</code> options. This is also useful for
excluded IP addresses, so that you can scan the entire Internet,
while skipping dangerous addresses, like those owned by the DoD,
and not make an accidental mistake.</p>

<h2 id="CONTROL-C-BEHAVIOR">CONTROL-C BEHAVIOR</h2>

<p>When the user presses <var>ctrl-c</var>, the scan will stop, and the current
state of the scan will be saved in the file 'paused.conf'. The scan
can be resumed with the <code>--resume</code> option:</p>

<pre><code># masscan --resume paused.conf
</code></pre>

<p>The program will not exit immediately, but will wait a default of 10
seconds to receive results from the Internet and save the results before
exiting completely. This time can be changed with the <code>--wait</code> option.</p>

<h2 id="SIMPLE-EXAMPLES">SIMPLE EXAMPLES</h2>

<p>The following example scans all private networks for webservers, and prints
all open ports that were found.</p>

<pre><code># masscan 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 -p80 --open-only
</code></pre>

<p>The following example scans the entire Internet for DNS servers, grabbing
their versions, then saves the results in an XML file.</p>

<pre><code># masscan 0.0.0.0/0 --excludefile no-dod.txt -pU:53 --banners --output-filename dns.xml
</code></pre>

<p>You should be able to import the XML into databases and such.</p>

<h2 id="ADVANCED-EXAMPLES">ADVANCED EXAMPLES</h2>

<p>Let's say that you want to scan the entire Internet and spread the scan
across three machines. Masscan would be launched on all three machines
using the following command-lines:</p>

<pre><code># masscan 0.0.0.0/0 -p0-65535 --shard 1/3
# masscan 0.0.0.0/0 -p0-65535 --shard 2/3
# masscan 0.0.0.0/0 -p0-65535 --shard 3/3
</code></pre>

<h2 id="COMPATIBILITY">COMPATIBILITY</h2>

<p>While not listed in this document, a lot of parameters compatible with
<code>nmap</code> will also work.</p>

<h2 id="SEE-ALSO">SEE ALSO</h2>

<p><span class="man-ref">nmap<span class="s">(8)</span></span>, <span class="man-ref">pcap<span class="s">(3)</span></span></p>

<h2 id="AUTHORS">AUTHORS</h2>

<p>This tool was written by Robert Graham. The source code is available at
https://github.com/robertdavidgraham/masscan.</p>


  <ol class='man-decor man-foot man foot'>
    <li class='tl'></li>
    <li class='tc'>September 2013</li>
    <li class='tr'>masscan(8)</li>
  </ol>

  </div>
</body>
</html>
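
Review bot: The option names are not consistent within doc/masscan.8.html, so commands copied from the examples may not match the option list. OPTIONS documents `--shards <x>/<y>`, but the `-sL` entry and the three ADVANCED EXAMPLES commands use `--shard`; OPTIONS documents `--excludefile`, while the sample configuration file uses `exclude-file = /etc/masscan/exludes.txt` (the file name is also misspelled). Pick one spelling for each and use it throughout. In the same pass: the SYNOPSIS line contains an unescaped `<ip addresses/ranges>`, which an HTML parser will treat as a tag rather than text, and `-p &lt;ports` is missing its closing bracket; `--adapter-port` shows `<ip-address>` as its placeholder where the description says a port number; the configuration example lists `172.16.0.0/14` while SIMPLE EXAMPLES scans `172.16.0.0/12`; and the `--rate` entry reads "Windows and can do", which looks like a dropped word. Because the generator meta tag says the page was produced by Ronn, these are best corrected in the Ronn source and regenerated, so that doc/masscan.8.gz and the HTML stay in step.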