How to do it...

Follow along to perform a stealth scan using the masscan command:

  1. The masscan utility is an extraordinarily fast port scanner. To see the masscan help file, call the masscan command with the -h option, as follows:
  2. The makers of masscan did their best to keep its usage similar to Nmap's. To see masscan's usage options described in Nmap terms, call the masscan command followed by the --nmap option, as follows:
  3. When using masscan instead of Nmap, you can think of it as if the -sS flag were permanently set, so we do not need to tell it that we are doing a stealth scan. One difference between masscan and Nmap is that there are no default ports, so we must define which ports we want to check. A masscan scan uses the masscan command, the IP address of the host to be scanned, and -p followed by the port or ports to be scanned, as follows:
  4. In the example provided, a SYN scan was performed on TCP port 80 of the specified IP address. Similar to the technique explained with Nmap, masscan listens for a response and identifies open ports by analyzing the TCP flags set in any responses received. We can also use the masscan command to scan multiple specified ports by passing a comma-delimited list of port numbers, as follows:
  5. In the example provided, a SYN scan was performed on ports 21, 80, and 443 of the specified target IP address. We can also use masscan to scan a sequential series of ports by indicating the first and last port numbers to be scanned, separated using dash notation:
  6. If a scan is to be performed on all possible TCP ports, every possible port value needs to be scanned. The fields of the TCP header that hold the source and destination port numbers are both 16 bits in length, and each bit can hold a value of 1 or 0. As such, there are 2^16, or 65,536, possible TCP ports. For the total possible port space to be scanned, a port range of 0 to 65535 needs to be supplied, as follows:
  7. In the example provided, all 65,536 possible TCP ports were scanned on the Metasploitable2 system. A full scan is always best practice when attempting to identify all of the possible attack surface on a target. The masscan command can also be used to scan TCP ports on a sequential series of hosts using dash notation:
  8. In the example provided, a SYN scan of TCP port 80 was performed on all of the hosts within the specified address range. Although this particular scan was performed on only a single port, masscan can also scan multiple ports and ranges of ports on multiple systems simultaneously. Additionally, masscan can be configured to scan hosts based on an input list of IP addresses. This is done with the -iL option followed by either the filename, if the file exists in the execution directory, or the path to the file. The masscan utility then cycles through each address in the input list and performs the specified scan against it:
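Added example, not from the book or the masscan project: a small Python helper that parses the port and target notations this recipe describes (comma lists, dash ranges, the 0-65535 bound, host ranges and an -iL style target file) and computes how many SYN probes a scan of that scope would send, which is a useful check of an authorised engagement's scope and traffic volume before anything is launched. The function names and the lab addresses are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

MAX_PORT = 65535  # 16-bit port field: 2**16 = 65536 values, numbered 0..65535


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse a masscan-style port list such as '80', '21,80,443' or '0-65535'.
    Returns inclusive (low, high) ranges and rejects anything outside 0-65535."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        lo, _, hi = item.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if not (0 <= low <= high <= MAX_PORT):
            raise ValueError(f"port range out of bounds: {item}")
        ranges.append((low, high))
    return ranges


def port_count(spec: str) -> int:
    return sum(high - low + 1 for low, high in parse_ports(spec))


def parse_hosts(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse one target: a single IPv4 address, a CIDR block, or a
    first-last dash range such as '10.0.0.1-10.0.0.254'."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"host range reversed: {spec}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def host_count(spec: str) -> int:
    return sum(net.num_addresses for net in parse_hosts(spec))


def load_target_list(text: str) -> List[str]:
    """Targets from an -iL style file body: one per line, blank and '#' lines ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def probe_count(host_specs: List[str], port_spec: str) -> int:
    """SYN probes a scan of this scope sends: one per (host, port) pair."""
    return sum(host_count(h) for h in host_specs) * port_count(port_spec)
```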