The private IP space defined by RFC 1918 contains almost 18 million IP addresses. A customer was interested in having me do host discovery on this entire space for their private IP space. This is interesting data for network owners because it:

  • Increases awareness to the size of the network attack surface, such as the number of accessible hosts and services
  • Can help identify unknown and unexpected devices/services that can then be disabled to strengthen the security posture
  • Supplements and validates existing inventory metrics
  • Helps scope upcoming network and penetration tests

The freely available masscan tool seemed like the perfect solution, and it comes pre-installed on Kali Linux, which is handy. Masscan is advertised as “the fastest port scanner” sending packets asynchronously. It can “scan the entire internet in under 6 minutes.”

Well, we’re not going to do that here; we are just going to see what we can do with it right from your average Kali Linux install on your average computer.

Masscan has an option for how many packets/second to send. If you choose an option that is too high for your system to handle, you will lose some of the results. To decide a reasonable number that my system could handle while still completing the scan within the timeframe of the engagement, I did a little experimentation by running masscan, like this:

masscan -p80,23,443,21,22,25,3389,110,445,139 192.168.0.0/20

This scans the Nmap top 10 ports in this case on 4,096 hosts.

The default packet rate for masscan is 100 packets/second. I ran the scan again at 200, 400, 800 and then 1000 packets/second. The results were the same every time, so it seemed that 1000 packets/second was acceptable. (This was a laptop with Kali installed, not virtualized)

At 1000 packets/second, the calculations showed that I could scan all of the RFC 1918 addresses in a reasonable amount of time, so I ran these four scans starting the next after the previous one finished:

masscan -p80,23,443,21,22,25,3389,110,445,139 10.0.0.0/9 –rate 1000 -oL 10.0.0.0-9.txt

masscan -p80,23,443,21,22,25,3389,110,445,139 10.128.0.0/9 –rate 1000 -oL 10.128.0.0-9.txt

masscan -p80,23,443,21,22,25,3389,110,445,139 172.16.0.0/12 –rate 1000 -oL 172.16.0.0-12.txt

masscan -p80,23,443,21,22,25,3389,110,445,139 192.168.0.0/16 –rate 1000 -oL 192.168.0.0-16.txt

Each scan completed in the time indicated below:

23.4 hours
23.1 hours
3.2 hours
11 minutes

A very acceptable solution completed in less than 2.5 days. All in all, over 19000 unique hosts were found to have at least one open port. Thank you, masscan!

What next? How about feed the scan output into the Eyewitness tool, grabbing a quick screenshot of all web applications?

You may be surprised what is out there on your network that could be used against you. Knowledge is power, and masscan can help you become more knowledgeable about what’s on your network.

 

carrie robertsAbout the Author: Carrie Roberts is a Security Analyst at Black Hills Information Security (BHIS), and regularly contributes to the BHIS blog. You can also follow Carrie on Twitter here.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.