

This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

Its input/output is similar to nmap, the most famous port scanner. When in doubt, try one of nmap’s features.

Internally, it uses asynchronous transmissions, similar to port scanners like scanrand, unicornscan, and ZMap. It’s more flexible, allowing arbitrary port and address ranges.

Usage and Options 

Target specification 

# Target specification

# Exclude the IPs listed in a file
masscan --excludeFile <file>

# Exclude a single IP from the scan
masscan --exclude=

Port specification 

# Port specification
masscan -p 80
masscan -p 0-65535
masscan -p 80,443

# UDP Scan
masscan -pU:53

Timing and Performance 

# Scan in offline mode
# It does not send any traffic; it only estimates how long the scan would take
masscan --offline

# Send X packets per second
masscan --rate 10000

# Get banners from services (only a few protocols are supported)
# The problem is that masscan uses its own TCP/IP stack, so when the local system
# receives a SYN-ACK from the probed target, it responds with an RST packet that
# kills the connection before the banner information can be grabbed.
# You can use --source-ip to assign another IP to masscan to prevent this
masscan --banners

# Assign masscan to another IP
masscan --source-ip

# Include a ping
masscan --ping

# Change the default user agent
masscan --http-user-agent <user-agent>

# Report only open ports
masscan --open-only

# Save sent packets in PCAP
masscan --pcap <filename>

# Print packets in the terminal (OK at low rates, but RIP terminal at high rates)
masscan --packet-trace


# Output in binary mode
masscan -p 80 -oB <filename>

# Output in XML format
masscan -p 80 -oX <filename>

# Output in grepable format
masscan -p 80 -oG <filename>

# Output in JSON format
masscan -p 80 -oJ <filename>

# Output in simple list format
masscan -p 80 -oL <filename>

# Read a binary output file and write it to the console
masscan --readscan bin-test.scan

# Read a binary scan and convert it to another format
masscan --readscan bin-test.scan -oX bin-test.xml
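
For reviewing results, the following added example (not part of the original page or of masscan itself) summarises a -oL list file per host and flags open ports that are not on an expected list. It assumes list records of the form "open <proto> <port> <ip> <timestamp>"; the function names and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise a masscan -oL list file for exposure review.
# Assumed record layout: "open <proto> <port> <ip> <timestamp>", wrapped in
# "#masscan" / "# end" comment lines. Function names are illustrative.

# Constructed sample data (documentation address ranges), not real scan output.
write_sample() {
  cat > "$1" <<'EOF'
#masscan
open tcp 443 192.0.2.10 1700000000
open tcp 22 192.0.2.10 1700000001
open tcp 3389 198.51.100.7 1700000002
open udp 53 192.0.2.53 1700000003
open tcp 443 192.0.2.10 1700000004
truncated or malformed line
# end
EOF
}

# Print "ip proto port1,port2,..." per host and protocol (ports unique, ascending).
summarize_open_ports() {
  awk '$1 == "open" && $3 ~ /^[0-9]+$/ && $3 <= 65535 { print $4, $2, $3 }' "$1" |
    LC_ALL=C sort -u -k1,1 -k2,2 -k3,3n |
    awk '{ key = $1 " " $2
           if (key != prev) { if (prev != "") print prev, ports; prev = key; ports = $3 }
           else ports = ports "," $3 }
         END { if (prev != "") print prev, ports }'
}

# Print "ip proto port" for each open port missing from the comma-separated
# allowlist in $2 (entries look like tcp/443): services nobody expected to be reachable.
unexpected_ports() {
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "open" && $3 ~ /^[0-9]+$/ { k = $2 "/" $3; if (!(k in ok)) print $4, $2, $3 }
  ' "$1" | LC_ALL=C sort -u
}

# Demo on the constructed sample.
tmp=$(mktemp) && write_sample "$tmp"
summarize_open_ports "$tmp"
unexpected_ports "$tmp" "tcp/22,tcp/443"
rm -f "$tmp"
```

Comparing the unexpected_ports output between two scans of the same range shows which services appeared since the last review.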

Complete commands 

# Quick port identification
# - Subnet target
# - Port range
# - High speed
masscan -p 0-65535 --rate 1000000 --open-only --http-user-agent \
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
 -oL "output.txt"

# Multiple targets specific scan
# - Known ports
# - Fast rate 100.000
# - Banner grabbing and another source IP
# - Only open ports
# - Modified user-agent
masscan <target1> <target2> <target3> -p 80,433 --rate 100000 --banners --open-only \
--http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
--source-ip -oL "output.txt"

# TOP 20 ports scanning
# Modified user-agent
# Medium speed
masscan <target> -p 21,22,23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 \
--http-user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" \
--rate 100000 -oL "output.txt"

# In some cases, masscan can be better than nmap
# For example, when sweeping a big range for only a few ports
# (an internal pentest, for example) you can run multiple iterations of scans
# XML output is useful for db_import in Metasploit
sudo masscan <target/16> -p 22 --rate 2000 -oX output_port_22.xml