Using Masscan to Find Open Ports Quickly

Using Masscan to Find Open Ports Quickly

Masscan has been around for some time now and already it’s in use by pentesters all around. It’s a reconnaissance tool which can transmit up to 10 million packets per second. It uses asynchronous transmission & a custom TCP/IP stack. So different threads are used for transmission & reception of packets.

It is the best tool to enumerate and find open ports on a large number of hosts on the network or the internet very quickly. Another use of Masscan can be in stress testing due to its high transmission rate.

But special drivers(PF_RING) & NICs are needed to achieve those high rates. One aspect which makes this a convenient tool is that it interacts with the user very similarly to the style of Nmap.


  • Ultra Fast port scanning: Transmits up to 10M packets/sec ( Capable- NIC & PF_RING Drivers required)
  • Nmap style output
  • Nmap style target specification and options
  • Banner grabbing
  • Basic Vulnerability Scanning like Heartbleed
  • Custom TCP/IP stack


  • It can be used as a first level recon tool to map the network
  • Enumerate a large no of hosts
  • Enumerate various subnets inside an organization
  • Enumerating the internet!
  • Random scanning for FUN & Knowledge!


Now for the installation part, Masscan comes pre-installed in the latest version of Kali Linux and can be used directly from the terminal. If you are not using the latest version of Kali Linux then you will need to install it manually guide to the process can be found over here.

After installation, we can check if Masscan is installed correctly or not we can do that by running this command.

Command: masscan --regres


masscan installation test

Now what you can do is run Masscan on your local machine to test it. From those test, you can clearly get an idea about the performance of this tool.

Command: masscan -p80 --rate 100 --offline

masscan local scan

You can clearly see the time that it will take to scan the local subnet with the rate of 100 packets/sec now if we change that to something like 1000000 and see what we get.

masscan local rate

You can clearly see the time difference in both scans running a local scan will not give us anything of use.

Note: Don’t forget to include the –offline option or else you will be screwed.

Now you can also use it to scan online targets and there are many filters available in the tool that you can use.

Let’s scan yahoo host to find open ports.

You can also save your scan results in XML format.

Command: masscan -p80,443 -oX google.xml

There are many things that you can do with the tools.

Pausing & Resuming a Scan

Suppose you have a very big subnet to scan and you need to pause the scan for some other purposes, masscan automatically pauses the scan when you do a “Cntrl + C”. Also, you can resume from it whenever you want.

Command: masscan<replace with yours> -p22,23,80,443<replace with the ports you want> -v --rate=1000 -oX output.xml

To resume,

Command: masscan --resume paused.conf


It is a great tool for network pentesters and info-secs to test a network as quickly as they can and also test if there is some kind of protection in place for load balancing or stress handling.


Masscan Homepage

Man Pages

Defcon Talk



Please enter your comment!
Please enter your name here