Follow us

How are hackers scanning the whole Internet in just a few minutes?

Masscan is known for super performance in scanning the Internet – let's look at how easy and feasible it is

Updated: October 25, 2021 By Darina Shramko

Fiberoptic with Ethernet connector

Image source - freepik.com

Did you know that you can scan the entire Internet in only 30 minutes or even five? You probably thought I was joking because the Internet is as vast as our Universe. But I am serious − you can obtain any information in a few minutes if you arm yourself with the Masscan tool.

Of course, one can use reconnaissance platforms as an alternative, which doesn't require any configuration and investments in capabilities.

Now imagine how many potential targets are hacked every minute due to a weak security system. Yes, most of the leaks you read about on our site occur precisely because of the disregard for Internet security rules, easy discovery, and enumeration.

But is that really straightforward and easy?

Disclaimer: All information in this article is for informational purposes only. We are against data hacks using the Masscan scanner. We do not support cybercrime, so we urge you to use Linux utilities solely for good purposes.

How did we end up NOT scanning the Internet in 3 minutes?

Scanning from local VM

So let's get straight to the fun part ─ scanning the Internet in a few minutes.

1. After successfully installing the Masscan to our VM with Kali Linux, we started the most exhaustive scan on TCP port 500. This one was just a random one with the purpose of checking the packet's send rate. Actually, we have failed one because Masscan asked me to add some exclusions from the scanning.

Failed probe scanning with Masscan

Yes, we will definitely add everything the program says to us. But I forgot another important attribute for such scanning tests – it is obfuscation of my own IP address.

2. We need to hide our real IP! To be honest, I don't have any favorites for now, but you can check and find out what is the best option for today at our team's best VPN test review.

For the time of writing, I was using VM with installed NordVPN, so I will use it. I am usually using the Kill-switch function to avoid exposure of my real IP address, so it should be already connected, and it is.

Connected to VPN

3. Making required changes into parameters and starting our scanning of the whole Internet!

I am excited to see that “3 minutes global scan” capabilities!

Bad news, we have two problems:

  • the send rate for packets is only 250,000 packets per second (250 kbps),
  • consequently, the scanning time is almost 3 hours instead of 3 minutes.

masscan scanning will be finished in almost 3 hours

I thought it is something wrong with bandwidth, but I still have a buffer on my side as well as on the VPN side. At least 50 Mbit/sec should work, so the problem is not in the bandwidth.

250kpps is equal to 26,8 Mbit/sec

At this point, I had to take a pause and check why this happened.

After searching topic forums and checking performance testing articles, I found out that I am not the only one with this issue.

Running Masscan on any virtual machine will not give more than 250 kpps because of buffer overhead

I didn't expect this and believed all other tests were just done wrongly, but not.

Scanning using Amazon AWS

I have never used AWS services, so I found it very interesting to check available cloud capabilities and their prices. I should say they are pretty interesting if you know how effectively use resources of available instances and assess the time needed to get your goals.

I was checking around and stopped on the following two instances to try:

  • c5n.4xlarge;
  • m5zn.6xlarge.

The instance of EC2 with type c5n.4xlarge has the following available resources:

  • 16 vCPUs
  • 42 GiB RAM
  • network performance up to 25 Gigabit
  • all this costs less than 1 USD per hour on-demand.

EC2 Amazon AWS instance parameters

This is not the most powerful instance, but I wanted to compare it with my local virtual machine.

So, I started the same command as earlier on my local VM, but I will test this time port 554 and set the rate to 10 mpps.

If you remember, I was checking baby monitors with Shodan, so I expected around 4,7 million IP addresses to be discovered.

EC2 Amazon AWS instance running masscan

As one might have seen, this try was already better in terms of performance since I saw 500+kpps in comparison to the previous 250 kpps on a local client.

A quick approximation of our result will give us only about 125 thousand discovered clients with open TCP port 554. This is completely wrong and only about 2,5% of real numbers.

I did few experiments on parameters and also addressed ranges to scan. It makes a difference because of the non-equal density of IP addresses within a specific range. In the following example, the approximation will give about 450 thousand results, and this is four times more than in the previous try.

2,5% of found IP with masscan represents 11388 addresses

You remember, our EC2 instance is currently having up to 25 Gigabit network performance. I decided to change for a more powerful instance.

The instance of EC2 with type m5zn.6xlarge having following available resources:

  • 24 vCPUs
  • 96 GiB RAM
  • network performance up to 50 Gigabit
  • all this costs less than 2 USD per hour on-demand.

It is almost two times more expensive but almost two times more powerful. At least in terms of memory and network, exactly two times performance increase.

EC2 instance with 50Gigabit network performance

As usual, start scanning on TCP port 554.

First, what we can see – the rate of scan is non-typically limited to 500 kpps. It is now 640 kpps. Should I consider it as an improvement?

Let check discovered hosts. Our approximation gives us 370 thousand IP addresses. It is still far from reality.

masscan results of m5zn.6xlarge EC2 instance

After our of tweaking different parameters and almost giving up on it, I made some improvements in results. If I complete the scanning, then it should be about 950 thousand hosts discovered – it is still only 20% of the expected number.

masscan results of m5zn.6xlarge EC2 instance with 950k

No, the quick solution with Amazon didn't help a lot, so I will give up on this task.

How to scan the entire Internet really in a few minutes?

Masscan sends 10 million packets per second so that it can surf the entire Internet in six minutes!

Of course, it all depends on the power of your hardware, but in general, Masscan is truly a professional in the field of data scanning.

Although the default speed of Masscan is limited to 100 packets per second, the tool can accelerate to 25 million packets per second, thereby being able to bypass the entire Internet (one port per IP) in 3 minutes!

To get over 2 million packets per second, you will need:

  • some art of Intel 10 Gbps Ethernet adapter,
  • most likely minimum 100 Mbit Internet connection, and
  • a special driver is known as "PF_RING ZC".

Masscan Features

Image source – one3erver.com

I have to warn you about some of the nuances to consider when scanning.

The fact is that Masscan heavily loads the system, especially the network interfaces, utilizing the entire available channel. If you start scanning without alerting your hosting provider, your actions will resemble a DDoS attack.

Also, scanning the entire Internet can provoke an adverse reaction from the public. In simple words ─ the provider will receive a mountain of automatic letters with complaints that you are engaged in amateur activities.

As you can see, scanning the entire Internet is a complex procedure that requires preparation and adherence to security rules.

I have put together a few guidelines to help you better prepare for the scanning process:

1) Tell your hosting provider about your plans − you need to make sure that the scan will not overload the local network or the provider's routers. If the provider has agreed to support your experiments, go to the second point.

2) Set up a PTR record. Your experiments can trigger automatic scan detection systems. Consequently, these logs will be looked at by system administrators who can draw incorrect conclusions about your activities.

Alternatively, set an informative PTR record for the IP address from which the scan will take place, something like:

scanner-for-experiments.darina-shramko.com

3) Add explanations to User-Agent. For example, if you are making some HTTP requests, install additional explanations in User-Agent. Explain clearly the purpose and scope of the scan so that there are no unnecessary questions.

4) Randomize the addresses. I advise you not to scan networks in a row. This messy scan looks like a negative pattern. Use a random order of target addresses − this way, you minimize suspicion on the part of system administrators and other third-party participants in the process.

Yes, scanning the Internet is not an easy task. However, if you are not embarrassed by such thorough preparation for scanning and still want to curb the Internet ─ write to me, and next time, we will figure out how to use Masscan.

However, Masscan is not only used for research purposes.

In the hands of hackers, the utility becomes a terrible beast, which it is better not to anger. Cybercriminals use a scanner to find open databases and sell them on black forums.

How to protect your systems from being discovered?

There are few basic rules to start with:

1. Disable all non-used services and close non-sense-listening ports on your systems. Those are first exposed to the Internet and discovered by scanning. In the best case, your running systems will reveal their versions and some additional information through the banners. In the worst case, they can be proved on vulnerabilities on the fly without separate checks, so they will be added to the number 1 list of targets as the target of opportunity.

2. Put your systems under a firewall. It should not confuse you. It doesn't mean you need to buy any devices. Many firewall solutions are available as software or virtual appliances and can assure reasonable protection against malicious scanning and probing.

It will not prevent the ports from being discovered but will avoid the leak of important data about the systems behind the firewall itself, thus preventing further exploitation.

Just to mention, many modern SIEMs have the capability to detect massive scanning under specific circumstances.

3. Update your systems! It could sound very naive, but it is true. The use of recently updated software and timely operating system updates are drastically reducing the threat of being hacked. There are many quick and easy ways to protect your system from opportunistic attacks.

Conclusion

The Masscan is not the only scanner in the world definitely.

Is it the fastest one? Most likely, yes, but to check this, you will need some high-performance equipment and an adequate connection to the Internet.

It is quite a powerful tool if you know how to use it and where to use it strong faces.

We will definitely get the maximum of it next time!

Author
Darina Shramko
Cybersecurity specialist and researcher.

Leave a comment

click to select