What does HackerNews think of masscan?
TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
It can scan the entire Internet in 5 minutes and has received a lot of press. https://rushter.com/blog/how-masscan-works/ is one of many articles about how it works.
Source Code: https://github.com/robertdavidgraham/masscan
Article from PoC || GTFO with more internal details on how it works: https://www.alchemistowl.org/pocorgtfo/pocorgtfo15.pdf (Page 66) [Note: PDF is both a valid PDF + valid ZIP file with source code]
https://github.com/robertdavidgraham/masscan
Note that "scan the internet in 6 minutes" only means this tool is capable of generating packets fast enough on the host machine to theoretically do a 6 minute scan. In practice, the NIC, home network, and local ISP connection will bottleneck and the scan will be orders of magnitude slower.
I don't buy it. Scanning the whole IPv4 internet including all ports is not all that costly. Perhaps the effort would deter your proverbial script kiddie running a scan from home, but are those really a threat to your SSH setup?
You'd still be advised to disable password-based auth and/or configure fail2ban, though.
From there it would keep a session open on each host and allow you to run commands on a single host, a subset of hosts, or all hosts.
The advantage of this over hydra or some other SSH brute forcer is that it allows us to run our persistence tooling right away after finding a login and keep that SSH session alive so we can re-use it even if the password is changed.
The code is a tire fire, but it worked well for what we needed :)
There was a rather scary talk by Lukas Lundgren at defcon 2016 on unauthenticated MQTT[0][1] ... the things he found exposed were just insane. He also used MASSCAN[2], a phenomenal tool, which isn't just useful to probe endpoints but also to actually send payloads (with all its performance/speed benefits).
[0] https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20pre...
It will be attacked within minutes; you should start a honeypot and see for yourselves.
[0]: https://zmap.io/
[1]: https://github.com/robertdavidgraham/masscan
[2]: https://memcachedscan.shadowserver.org/
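As an added example, not from the thread or from masscan itself: a small detector for the behaviour these comments describe, a source that spews bare SYNs at many targets without ever completing a handshake. It runs over a constructed, simplified iptables-style log; the log format, addresses, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the page or any real system); format mimics a
# simplified iptables LOG line: timestamp SRC DST DPT and the TCP flags seen.
SAMPLE_LOG = """\
2024-05-01T12:00:01 SRC=203.0.113.7 DST=198.51.100.10 DPT=27017 SYN
2024-05-01T12:00:01 SRC=203.0.113.7 DST=198.51.100.23 DPT=27017 SYN
2024-05-01T12:00:02 SRC=203.0.113.7 DST=198.51.100.4 DPT=27017 SYN
2024-05-01T12:00:02 SRC=203.0.113.7 DST=198.51.100.77 DPT=27017 SYN
2024-05-01T12:00:03 SRC=203.0.113.7 DST=198.51.100.31 DPT=27017 SYN
2024-05-01T12:00:05 SRC=192.0.2.50 DST=198.51.100.10 DPT=443 SYN
2024-05-01T12:00:05 SRC=192.0.2.50 DST=198.51.100.10 DPT=443 ACK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"DPT=(?P<dport>\d+) (?P<flags>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": set(m["flags"].split(","))}

def detect_syn_sweeps(lines, window_s=60, min_targets=5):
    """Return {src: distinct_targets} for sources whose bare SYNs reached at
    least min_targets distinct (host, port) pairs inside one window_s bucket.
    A stateless sweep never finishes the handshake, so a target the same
    source later ACKed counts as a real connection and is ignored."""
    events = [e for e in map(parse_line, lines) if e]
    acked = {(e["src"], e["dst"], e["dport"]) for e in events
             if "ACK" in e["flags"] and "SYN" not in e["flags"]}
    targets = defaultdict(set)  # (src, window) -> {(dst, dport)}
    for e in events:
        key = (e["src"], e["dst"], e["dport"])
        if "SYN" in e["flags"] and "ACK" not in e["flags"] and key not in acked:
            bucket = int(e["ts"].timestamp()) // window_s
            targets[(e["src"], bucket)].add((e["dst"], e["dport"]))
    alerts = {}
    for (src, _), tset in targets.items():
        if len(tset) >= min_targets:
            alerts[src] = max(alerts.get(src, 0), len(tset))
    return alerts
```

On the sample, only 203.0.113.7 is reported (five distinct targets, no completed handshake); the client that sent SYN then ACK to one host is not.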
See for example: https://github.com/robertdavidgraham/masscan
Note that doing this is a very good way to get angry letters from your ISP.
The example in the article found a single core handling 1.4M packets per second. If you're running a web-server shoveling data out to clients those packets are going to be close to the maximum size which, if I haven't screwed up the math, looks something like this:
1.4M * 1400 bytes (assuming a low MTU) * 8 (bytes -> bits) = 15Gbps
That's not to say that there isn't still plenty of room to improve and, as lukego noted, there's a lot of work in progress (see e.g. https://lwn.net/Articles/615238/ on work to batch operations to avoid paying some of the processing costs for every packet) but for the average server you'd find bottlenecks on something like a database, application logic, request handling, client network capacity, etc. before the network stack overhead is your greatest challenge. The people who encounter this tend to be CDN vendors like CloudFlare and security people who need to filter, analyze, or generate traffic on levels which are at least the scale of a large company (e.g. https://github.com/robertdavidgraham/masscan).
masscan -p27017 0.0.0.0/0 --excludefile data/exclude.conf
Be warned that this will scan the entire IPv4 namespace.
@collinrm I just took masscan, changed the HTTP request, then tweaked the code to generate a small TTL.
Source: https://twitter.com/ErrataRob/status/583433175302479872