
Getting Started Guide

How to Install and Use Masscan

This guide covers installing Masscan, running fast port scans across large IP ranges, and piping results into Nmap for detailed analysis.

Prerequisites

  • Linux or macOS
  • Root/sudo access (required for raw packet sending)
  • A target range you have permission to scan

1. Install Masscan

Install from package manager or build from source for the latest version.

Debian/Ubuntu

sudo apt install masscan

macOS

brew install masscan

Verify

masscan --version

2. Run a Basic Scan

Scan common ports across a target range. Masscan requires root because it sends raw packets.

Top ports on a /24

sudo masscan 192.168.1.0/24 -p 22,80,443,445,3389 --rate=1000

Example output

Discovered open port 22/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 443/tcp on 192.168.1.50

Note: The --rate flag controls packets per second. 1000 is conservative. Masscan can do 10 million pps but that will overwhelm most networks - start low.

3. Scan Large Ranges

Masscan's strength is speed across large IP ranges. Scan entire subnets in seconds.

Full /16 for web servers

sudo masscan 10.0.0.0/16 -p 80,443 --rate=10000

A range of ports

sudo masscan 10.0.0.0/16 -p 0-1023 --rate=5000

Exclude ranges

sudo masscan 10.0.0.0/8 -p 22 --rate=10000 --excludefile exclude.txt

Note: Always maintain an exclude file for IP ranges you must not scan (shared infrastructure, out-of-scope assets). One wrong scan can end an engagement.

4. Save Output for Nmap

The classic workflow: Masscan finds open ports fast, then Nmap does detailed service detection on the results.

Save as list

sudo masscan 192.168.1.0/24 -p 1-65535 --rate=1000 -oL results.txt

Save as XML (Nmap compatible)

sudo masscan 192.168.1.0/24 -p 1-65535 --rate=1000 -oX results.xml

Parse and feed to Nmap

sudo masscan 192.168.1.0/24 -p 1-65535 --rate=1000 -oG results.gnmap
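# Take the address that follows "Host:" rather than a fixed column
grep open results.gnmap | awk '{for (i = 1; i < NF; i++) if ($i == "Host:") print $(i + 1)}' | sort -u > live-hosts.txt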
nmap -sV -iL live-hosts.txt
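
The pipeline above hands Nmap only the host list, so Nmap probes its default ports again. As an added example (not part of the original guide), this script goes one step further: it groups the -oL list output by host so Nmap probes only the ports Masscan reported open, and drops any row that is not a plain IPv4 address and valid port before it reaches a command line. The function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn Masscan -oL results into per-host Nmap commands.

# Constructed sample in list format: state proto port ip timestamp
sample_results() {
    cat <<'EOF'
#masscan
open tcp 80 192.168.1.1 1700000000
open tcp 22 192.168.1.10 1700000001
open tcp 443 192.168.1.50 1700000002
open tcp 8080 192.168.1.10 1700000003
open tcp 22 192.168.1.10 1700000004
open udp 53 192.168.1.1 1700000005
# end
EOF
}

# Read list-format rows on stdin and print "ip port,port,..." per host.
# Keeps open TCP rows only (IPv4 only) and validates both fields, because
# they end up as arguments to another tool.
ports_by_host() {
    awk '$1 == "open" && $2 == "tcp" &&
         $3 ~ /^[0-9]+$/ && $3 >= 1 && $3 <= 65535 &&
         $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4, $3 }' |
    LC_ALL=C sort -u -k1,1 -k2,2n |
    awk '{ if ($1 != host) {
               if (host != "") print host, ports
               host = $1; ports = $2
           } else ports = ports "," $2 }
         END { if (host != "") print host, ports }'
}

# Print one targeted service-detection command per host (does not run Nmap).
nmap_commands() {
    ports_by_host | while read -r ip ports; do
        printf 'nmap -sV -p %s %s\n' "$ports" "$ip"
    done
}

sample_results | nmap_commands
```

Replace sample_results with the real file (for example `nmap_commands < results.txt`) and review the printed commands against your scope before running them.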

5. Banners and Service Detection

Masscan can grab basic banners from services it discovers.

Banner grabbing

sudo masscan 192.168.1.0/24 -p 80,443,22 --rate=1000 --banners

With source port (bypass some firewalls)

sudo masscan 192.168.1.0/24 -p 80,443 --rate=1000 --banners --source-port 61000

Note: Masscan's banner grabbing is basic compared to Nmap's service detection, but it's much faster for initial triage. Use it to identify what's there, then follow up with Nmap for detail.
