【Try to Hack】masscan

Blog home page ： Happy star The blog home page of
Series column ：Try to Hack
Welcome to focus on the likes collection ️ Leaving a message.
Starting time ：2022 year 6 month 23 Japan
The author's level is very limited , If an error is found , Please let me know , thank ！

The content of the article comes from the Internet , Only for your own study

masscan sketch

masscan Known as the world's fastest scanning software , Can be in 3 Scan the entire Internet port in minutes , But this is conditional 4 Nuclear computer , Dual port 10G network card .
Scan the whole Imternet The authority of the Ministry of Defense , Don't scan the Internet easily .
masscan 0.0.0.0/0 -p0-65535 Scan the whole network

Why? masscan Than nmap Much faster

Asynchronous transmission is adopted 、 Stateless scanning mode ( Asynchronous transmission means that the scanner does not have to wait for a reply after sending a probe packet ).

nmap Need record tcp/ip The state of , and OS manageable tcp/ip The maximum number of links is only 1500 about ;masscan It is not established completely tcp Link way , Upon receipt of SYN/ACK after , Direct transmission RST End link （RST Indicates reset , The link used to end the closing exception ）. attach ：--banner With the exception of

Common parameters

1、 Quick scan , By default ,Masscan The scanning speed is... Per second 100 A packet , It's quite slow . To add this , Just provide the --rate Option and specify a value .

scanning 100 Common ports B Class subnet , Per second 2000 A packet
masscan 192.168.0.0/16 --top-ports 100 --rate 2000

2、 The scan results are saved
-oX test.xml
-oJ test.json
-oL test.list

masscan 192.168.0.0/16 -p80 -oX test.xml

3、 obtain banner Information , Support a small number of protocols
--banners

4、 Specify and exclude targets

--exclude <ip/range> IP Address range blacklist , prevent masscan scanning
--excludefile <filename> Appoint IP Address range blacklist file
--includefile,-iL <filename> Read a range list for scanning
--adapter-ip Specify the contract ip Address
--adapter-port Specify the source port for sending packets
--adapter-mac Specify the source of the contract MAC Address
--router-mac Specify the gateway MAC Address
--wait Specify the waiting time after contract awarding

masscan -p 0-65535 -iL test.txt --rate=2000

Scan the whole network , You can set the blacklist to make the scanner ignore some network segments when scanning .
masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt -oJ res.json --max-rate 100000

5、 Host survival scan
--ping
masscan –-ping 192.168.88.132/24 --rate 1000

nmap and masscan In combination with

First use masscan After fast port scanning ,masscan After scanning, a json file , Then extract relevant port information from it . Reuse nmap Perform a detailed scan , Identify the service corresponding to the port .

github Address

# -*- coding: utf-8 -*-
#  The first run 2 or 3 Concurrent Masscan Mission , be-all 65535 The ports are divided into 4-5 Smaller ranges ;
#  Get the host list and Masscan Combo list of scanned open ports ;
#  Use these lists as Nmap Scan the target and perform routine Nmap scanning .

import subprocess
# import pysnooper
import threading
import os
import nmap
import argparse
import re
import json
from IPy import IP

iolock = threading.Lock()
class Task:
    def __init__(self,ip,ports_list):
         self.ip=ip
         ports_list.sort()
         self.ports=','.join([str(x) for x in ports_list])

class Mas_Scanner(threading.Thread):  
    def __init__(self,task_list):
        threading.Thread.__init__(self)
        self.task_list=task_list
        self.result={
    }
    
    # @pysnooper.snoop()
    def analyze(self,data,ip):#analyze and add task scan result to scanner result
        ports_list=[]
        for line in data.split('\n'):
            if line!='':
                port = line.split()[3] # xx/tcp
                port = port.split('/')[0] 
                ports_list.append(port)

        if ip in self.result:
            self.result[ip]=self.result[ip]+ports_list
        else:
            self.result[ip]=ports_list

        if ports_list !=[]:
            iolock.acquire()
            print('find ports on host:',ip,':')
            print(ports_list)
            iolock.release()

    # @pysnooper.snoop()
    def start_task(self,task): #one task scan only one ip with different ports
        iolock.acquire()
        print("masscan scanning ip:",task.ip)
        iolock.release()
        cmd = 'masscan {ip} -p{ports} --wait 0 --rate 1500'.format(ip=task.ip,ports=task.ports)
        proc = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
        proc.wait()
        stdoutdata=proc.stdout.read().decode('UTF-8')
        stderrdata = proc.stderr.read().decode('UTF-8')
        # print(stdoutdata)
        self.analyze(stdoutdata,task.ip)
    
    def run(self):
        for task in self.task_list:
            self.start_task(task)
        # p = subprocessPopen(cmd,)

# for namp scanner, a task inlude one ip with its all ports
class Nmap_Scanner:
    def __init__(self,task_list):
        self.task_list = task_list
        self.result={
    }


    def start_task(self,task):
        print('start determine service/version of ports on host:',task.ip)
        nm = nmap.PortScanner()
        nm.scan(hosts=task.ip,ports=task.ports,arguments='-T4 -sV -Pn -sS',sudo=True)
        # if task.ip in nm:
        self.result[task.ip]=nm[task.ip]
        # else:
            # self.result[task.ip]=None

    def print_scan_result(self):
        for ip in self.result:
            print('----------------------------------------------------')
            print('Host : {}'.format(ip))
            print('--------------------')
            ports_dict = sorted(self.result[ip]['tcp'])
            for port in ports_dict:
                portinfo=self.result[ip]['tcp'][port]
                str_buffer = 'port : {port}\tstate : {state}\t{name} {product} {version}'.format(port=port,
                                                                                               state=portinfo['state'],
                                                                                               name=portinfo['name'],
                                                                                               product=portinfo['product'],
                                                                                               version=portinfo['version'])
                print(str_buffer)
    def output_file(self,filename):
        json_data = {
    }
        for ip in self.result:
            ports_dict = sorted(self.result[ip]['tcp'])
            json_data[ip]={
    }
            for port in ports_dict:
                portinfo=self.result[ip]['tcp'][port]
                json_data[ip][port] = {
    
                    'state':portinfo['state'],
                   'name':portinfo['name'],
                   'product':portinfo['product'],
                   'version':portinfo['version']
                   }
        with open(filename, 'w') as f:
            json.dump(json_data, f)

    def run(self):
        for task in self.task_list:
            self.start_task(task)

# @pysnooper.snoop()
def split_task(ip): #split ports range in 5 pieces and return a list
    if not re.match(r'\d+\.\d+\.\d+.\d+', ip):
        raise Exception("Invalid IP format: '"+ip+"'")
    ports_list = [str(x) for x in range(1,65536)]
    n = int(65535/5)
    task_list = []
    for x in range(5):
        list_ = ports_list[n*x:n*x+n]
        task = Task(ip,list_)
        task_list.append(task)
    
    return task_list

    




# @pysnooper.snoop()
def main():
    if os.getuid() != 0:
        print('please run this script with root!')
        exit()


    parser = argparse.ArgumentParser()
    parser.add_argument('host',nargs='?',help='read ip from a file',default=None)
    parser.add_argument('-r','--input',help='read ip from a file')
    parser.add_argument('-c','--cidr',help='scan a range of ip')
    parser.add_argument('-o','--output',help='output filename')
    args = parser.parse_args()
    task_list=[]
    if args.host != None:
        task_list += split_task(args.host)
    if args.input != None:
        f = open(args.input,'r')
        for line in f:
            task_list += split_task(line.replace('\n','').replace('\r',''))
        f.close()
    if args.cidr != None:
        for ip in IP(args.cidr):
            task_list += split_task(ip)

    if task_list==[]:
        print('Please input at least one target!')
        exit()

    masscaner_num = 2
    task_per_scanner = int(len(task_list)/masscaner_num)
    masscanner_list = []

    for x in range(masscaner_num):
        scanner = Mas_Scanner(task_list[x*task_per_scanner:x*task_per_scanner+task_per_scanner])
        masscanner_list.append(scanner)
        scanner.start()

    for scanner in masscanner_list:
        scanner.join()
        
    
    masscan_result = {
    }
    for scanner in masscanner_list:
        for ip in scanner.result:
            if ip not in masscan_result:
                masscan_result[ip]=scanner.result[ip]
            else:
                masscan_result[ip]+=scanner.result[ip]

    print('masscan scan complete:')
    print(masscan_result)
    nmap_task_list = []
    for ip in masscan_result:
        if len(masscan_result[ip])!=0:
            nmap_task_list.append(Task(ip,masscan_result[ip]))

    nm_scanner = Nmap_Scanner(nmap_task_list)
    nm_scanner.run()
    nm_scanner.print_scan_result()
    if args.output !=None:
        nm_scanner.output_file(args.output)


if __name__=='__main__':
    main()