robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

No results found even though RST-ACK packets received #116

Open zbuc opened 10 years ago

zbuc commented 10 years ago

I was playing around with masscan against my local network and noticed that it kept saying "found: 0"... hm, I know there are boxes with SSH running, HTTP, etc. on this network...

I enabled debug mode and it looks like it's getting RST-ACK packets back but not correctly aggregating the results. Or I'm doing something wrong.

Config:

$ sudo ./masscan 192.168.123.0/24 -p0-65535 -oX scan.xml --max-rate 100000 --source-ip=192.168.123.181 --adapter=en0 --echo
rate =  100000.00
randomize-hosts = true
seed = 12634917884878470112
shard = 1/1
# ADAPTER SETTINGS
adapter = en0
adapter-ip = 192.168.123.181
adapter-mac = 00:00:00:00:00:00
router-mac = 00:00:00:00:00:00
# OUTPUT/REPORTING SETTINGS
output-format = xml
show = open,,
output-filename = scan.xml
rotate = 0
rotate-dir = .
rotate-offset = 0
rotate-filesize = 0
pcap =
# TARGET SELECTION (IP, PORTS, EXCLUDES)
ports = 0-65535
range = 192.168.123.0/24

capture = cert
nocapture = html
nocapture = heartbleed

min-packet = 60

Invocation:

$ sudo ./masscan 192.168.123.0/24 -p0-65535 -oX scan.xml --max-rate 100000 --source-ip=192.168.123.181 --adapter=en0 -dddddddddd
initializing adapter
family=18, type=6
auto-detected: adapter-mac=3c-15-c2-dc-f8-ca
pcap: libpcap version 1.3.0 - Apple version 41
pcap:'en0': opening...
pcap:'en0': successfully opened
rawsock: ignoring transmits
rawsock: initialization done
rawsock: looking for default gateway
auto-detected: router-ip=192.168.123.1
auto-detected: router-mac=DE-AD-BE-EF-00-00
adapter initialization done.
xmit: starting transmit thread #0
recv: start receive thread #0
maxrate = 100000.00
xmit: starting main loop: [0..16777216]
begin receive thread

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-09-25 21:23:25 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [65536 ports/host]
192.168.123.1  : 5600: -> TCP ackno=0x92c48eb6 flags=0x14(rst-ack)
192.168.123.1  :61014: -> TCP ackno=0xb3626b14 flags=0x14(rst-ack)
192.168.123.1  :55273: -> TCP ackno=0xdb96689a flags=0x14(rst-ack)

continues with execution and produces a 0-byte xml file.

Any ideas?
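The debug lines quoted above all carry flags=0x14, which is RST plus ACK (RST=0x04, ACK=0x10 in the TCP header); a SYN scanner treats an RST-ACK reply as a closed port, and only a SYN-ACK (flags=0x12) is what an open-port result is built from. The following parser, added here as an illustration and not part of masscan or of this issue, reads lines in the -d output format shown in the post and counts how many replies would produce an open-port result. The sample input is constructed: the three rst-ack lines are copied from the post, the syn-ack line for port 22 is invented so that the open case is exercised.

```python
import re
from collections import Counter

# Constructed sample of masscan debug (-d) reply lines in the format quoted in
# the issue. The first three lines are from the post; the syn-ack line is an
# invented example so that an open port appears in the summary.
SAMPLE_DEBUG = """\
192.168.123.1  : 5600: -> TCP ackno=0x92c48eb6 flags=0x14(rst-ack)
192.168.123.1  :61014: -> TCP ackno=0xb3626b14 flags=0x14(rst-ack)
192.168.123.1  :55273: -> TCP ackno=0xdb96689a flags=0x14(rst-ack)
192.168.123.1  :   22: -> TCP ackno=0x1a2b3c4d flags=0x12(syn-ack)
"""

# TCP header flag bits (RFC 793).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Matches "<ip>  :<port>: -> TCP ackno=0x<hex> flags=0x<hex>(...)"; the
# textual flag name in parentheses is ignored, the numeric value is decoded.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<port>\d+):\s*->\s*TCP\s+"
    r"ackno=0x(?P<ackno>[0-9a-fA-F]+)\s+flags=0x(?P<flags>[0-9a-fA-F]+)"
)


def classify(flags: int) -> str:
    """What a SYN scanner concludes from the flag byte of a reply to its SYN probe."""
    if flags & TCP_RST:
        # RST (normally RST-ACK): the port is closed; nothing is reported as found.
        return "closed"
    if flags & TCP_SYN and flags & TCP_ACK:
        # SYN-ACK: the port is open; this is the only reply that yields a result.
        return "open"
    return "other"


def parse_debug(text: str):
    """Yield (ip, port, flags) for every line that matches the debug format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], int(m["port"]), int(m["flags"], 16)


def summarize(text: str) -> dict:
    """Count replies per state and list the (ip, port) pairs that would be reported open."""
    counts = Counter()
    open_ports = []
    for ip, port, flags in parse_debug(text):
        state = classify(flags)
        counts[state] += 1
        if state == "open":
            open_ports.append((ip, port))
    return {"counts": dict(counts), "open": open_ports}


if __name__ == "__main__":
    # Running this over only the three lines from the post gives counts
    # {"closed": 3} and an empty open list, i.e. nothing to write to scan.xml.
    print(summarize(SAMPLE_DEBUG))
```

Feeding the parser the actual -d output of a run (for example `sudo ./masscan ... -d 2>&1 | python3 summarize.py`, with the script adapted to read stdin) shows directly whether any SYN-ACK ever arrived, which separates "no open ports answered" from "open ports answered but were not recorded".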

2xyo commented 10 years ago

Did you try the iptables workaround ?

iptables -A INPUT -p tcp --dport 60000 -j DROP
masscan 10.0.0.0/8 -p80 --banners --source-port 60000

zbuc commented 10 years ago

I thought that workaround/firewall change was only needed when checking for banners, but I tried it anyways...

I'm on OS X so I ran

$ sudo ipfw add 1 deny tcp from any to any 60000 in
$ sudo ./masscan 192.168.123.0/24 -p0-65535 -oX scan.xml --max-rate 100000 --source-ip=192.168.123.181 --adapter=en0 --source-port 60000 --banners

still no results :(

lukebeer commented 10 years ago

Set your --max-rate to 1000 and it'll probably work

At a guess, your home switch/router can't handle the rate and is simply dropping them. With that rate, en0 will ship them out.