robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

Nmap-Payloads #587

Open JmFoces opened 3 years ago

JmFoces commented 3 years ago

Hi!

First, thank you for such a nice project.

I've been playing around with nmap payloads and detected some behaviors that could be improved. I'll try to fix this by myself. I'll post a pull request when I have some free time.

1º Sends just the last payload. I'm not completely sure if nmap behaves this way. File example:

```
cat < /tmp/nmp1
udp 443 "Payload 1"
udp 443 "Payload 2"
EOF
```

```
masscan -Pn -dv --banners --nmap-payloads /tmp/nmp1 -p U:443 x.y.z.p
```

Just sends payload 2.

2º Lines ending with comments trigger errors during parsing:

```
cat < /tmp/nmp2
udp 443 "Payload 1"
udp 443 "Payload 2" # comment
EOF
```

```
sudo masscan --retries 0 -n -Pn -dv --banners --nmap-payloads /tmp/nmp2 -p U:443 x.y.z.p
/tmp/nmp2:2: syntax error, expected "udp".
```

3º Given a valid nmap-payloads file, if --retries > 1 masscan sends a lot of repeated packets.

```
sudo masscan --retries 2 -n -Pn -dv --banners --nmap-payloads /tmp/nmp1 -p U:443 x.y.z.p
```

```
sudo masscan --packet-trace --retries 2 -n -Pn -dv --banners --nmap-payloads /tmp/nmp1 -p U:443 x.y.z.1
[+] pcap: found library: libpcap.so
[+] interface = eno1
[+] if(eno1): pcap: libpcap version 1.10.0 (with TPACKET_V3)
[+] if(eno1): successfully opened
[+] interface-type = 1
if:eno1: type=ethernet(1)
[+] source-mac =
[+] source-ip = x.y.z.26
[+] router-ip = x.y.z.1
SENT (0.0199) ARP [x.y.z.26] > [x.y.z.1] request
[+] arp: x.y.z.1 ==
[+] router-mac-ipv4 =
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-05-08 07:47:24 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
[+] starting transmit thread #0
[+] starting throttler: rate = 100.00-pps
[+] starting receive thread #0
SENT (0.0321) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
[+] waiting for threads to finish
SENT (0.1322) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1323) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1323) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1324) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1324) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1324) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1324) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1325) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1325) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1325) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1422) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1521) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1621) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
SENT (0.1721) UDP [x.y.z.26]:40044 > [x.y.z.1]:443
...
```

That's all I've found. I'm using Debian Bullseye, package masscan version 2:1.3.2+ds1-1.

Thanks again for the tool and have a good day!

mikehardenize commented 1 year ago

nmap sends both payloads in parallel. Masscan only sends the last. I've been using the nmap-payloads file from https://github.com/ParrotSec/nmap/blob/master/nmap-payloads which has two UDP port 123 payloads. I've noticed that a network I scan will only detect port 123 UDP as open if I comment out the second UDP port 123 payload from that file.

Can masscan be updated to send multiple payloads?
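As an added example that is not part of this thread or of masscan's or nmap's code, here is a small parser for the nmap-payloads file format that does what both comments ask for: every payload defined for a port is kept instead of only the last one, and a trailing `# comment` does not produce a syntax error. The sample file is constructed; its port 123/5353 bytes are arbitrary, not nmap's real probes.

```python
# Added example, not masscan's or nmap's own code: a parser for the
# nmap-payloads file format that keeps every payload defined for a port
# (the issue: only the last one is sent) and tolerates a trailing "# comment"
# (the issue: syntax error). Port lists, C escapes, continuation lines handled.
import re

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one double-quoted chunk

def strip_comment(line):
    """Drop a '#' comment, but only one that starts outside double quotes."""
    in_quote = escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line

def parse_nmap_payloads(text):
    """Return {port: [payload bytes, ...]}, one list item per definition."""
    payloads, ports, chunks = {}, [], []
    def flush():  # commit the entry being assembled to every port it names
        data = "".join(chunks).encode("ascii").decode("unicode_escape").encode("latin-1")
        for p in ports:  # C escapes (\xHH, \n, \\, \") were decoded to raw bytes above
            payloads.setdefault(p, []).append(data)
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line or line.startswith("source "):  # blank, or source-port directive
            continue
        m = re.match(r"udp\s+([\d,]+)\s*(.*)$", line)
        if m:                                  # new entry: flush the previous one
            flush()
            ports, chunks = [int(p) for p in m.group(1).split(",")], _QUOTED.findall(m.group(2))
        elif line.startswith('"') and ports:   # continuation of the entry above
            chunks.extend(_QUOTED.findall(line))
        else:
            raise SyntaxError('%d: syntax error, expected "udp"' % n)
    flush()
    return payloads

SAMPLE = '''udp 443 "Payload 1"
udp 443 "Payload 2" # comment
udp 123,5353 "\\x01\\x02"
    "\\x03"   # continuation line, appended to the entry above
'''   # constructed sample: the issue's /tmp/nmp2 plus a multi-port, two-line entry
```

Running `parse_nmap_payloads(SAMPLE)` yields two entries for port 443, which is the behaviour the thread expects masscan to adopt.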