robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0
23.57k stars 3.07k forks

Provide a default exclude list of 'bad' ip ranges #638

Open reedjones opened 2 years ago

reedjones commented 2 years ago

Not really a bug or issue but,

In the readme it says:

> Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges.

I'm wondering, is there any known comprehensive list of 'bad' IP ranges?

I've found a few like this

Just wondering if there is any kind of official/comprehensive list?

GodlyEcstasy commented 2 years ago

Probably not. What are you trying to avoid? It appears most of the ranges in the URL you linked are government ranges.

reedjones commented 2 years ago

Yeah, that's the point. It says in the readme that masscan can scan the whole internet but that you shouldn't. Trying to avoid getting on some blacklist for scanning some military network or something ;)

reedjones commented 2 years ago

Note: In the nmap documentation it says that they do this (filter out 'bad' ranges) when the iR (random hosts) flag is set. Maybe something to look into.

yfdyh000 commented 2 years ago

> Note: In the nmap documentation it says that they do this (filter out 'bad' ranges) when the iR (random hosts) flag is set. Maybe something to look into.

See https://nmap.org/book/host-discovery-specify-targets.html.

> Nmap automatically skips certain undesirable IPs, such as those in private, multicast, or unallocated address ranges.

That's it.

dingusgh commented 2 years ago

what IPs does nmap skip? https://github.com/nmap/nmap/blob/master/libnetutil/netutil.cc#L427:L485

0.0.0.0/8 is IANA Reserved
127.0.0.0/8 Loopback
10.0.0.0/8 is reserved for private nets by RFC1918
169.254.0.0/16 is reserved for DHCP clients seeking addresses RFC3927
172.16.0.0/12 is reserved for private nets by RFC1918
192.0.2.0/24 is reserved for documentation and examples RFC5737
192.168.0.0/16 is reserved for private nets by RFC1918
192.88.99.0/24 is used as 6to4 Relay anycast prefix by RFC3068
198.18.0.0/15 is used for benchmark tests by RFC2544
198.51.100.0/24 is reserved for documentation RFC5737
203.0.113.0/24 is reserved for documentation RFC5737
224.0.0.0/4 is all multicast stuff
240.0.0.0/4 is IANA reserved

Notably missing is 100.64.0.0/10, reserved for shared address space (RFC6598). Maybe I should submit a PR, right ;)

see also https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

sickcodes commented 2 years ago

ARIN Reserved IPv4 Address CIDR Blocks: https://gist.github.com/sickcodes/5e72643852e301aac84cf34a0348ef09

0.0.0.0/8
0.0.0.0/32
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.0.0/29
192.0.0.8/32
192.0.0.9/32
192.0.0.10/32
192.0.0.170/32
192.0.0.171/32
192.0.2.0/24
192.31.196.0/24
192.52.193.0/24
192.88.99.0/24
192.168.0.0/16
192.175.48.0/24
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
240.0.0.0/4
255.255.255.255/32

tee -a myscan.conf <<EOF
excludefile = exclude.txt
EOF

masscan ... -c myscan.conf

flotwig commented 6 months ago

There's a suggested exclude.conf in the repo itself: https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf
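
An added example, not from any commenter or from the masscan project: it compares the nmap skip list quoted by dingusgh with the reserved-block list posted by sickcodes, reports the address space each one lacks, and prints a merged list with one CIDR per line, the shape of the exclude.txt used above. Both lists are copied from the comments in this thread; the function names are this example's own.

```python
import ipaddress

# Copied from the thread: the ranges dingusgh lists as skipped by nmap.
NMAP_SKIPPED = """0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.2.0/24 192.168.0.0/16 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24
203.0.113.0/24 224.0.0.0/4 240.0.0.0/4""".split()

# Copied from the thread: the reserved blocks in sickcodes' comment.
RESERVED = """0.0.0.0/8 0.0.0.0/32 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8
169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.0.8/32
192.0.0.9/32 192.0.0.10/32 192.0.0.170/32 192.0.0.171/32 192.0.2.0/24
192.31.196.0/24 192.52.193.0/24 192.88.99.0/24 192.168.0.0/16
192.175.48.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4
255.255.255.255/32""".split()


def merged(*cidr_lists):
    """Union of CIDR lists; nested, duplicate and adjacent blocks collapse."""
    nets = [ipaddress.ip_network(c) for lst in cidr_lists for c in lst]
    return list(ipaddress.collapse_addresses(nets))


def subtract(net, holes):
    """Parts of `net` outside every network in `holes`.

    Two CIDR blocks are either nested or disjoint, so three cases suffice.
    """
    remaining = [net]
    for hole in holes:
        kept = []
        for r in remaining:
            if r.subnet_of(hole):
                continue                              # fully covered
            if hole.subnet_of(r):
                kept.extend(r.address_exclude(hole))  # punch the hole out
            else:
                kept.append(r)                        # disjoint
        remaining = kept
    return remaining


def difference(a, b):
    """Address space present in CIDR list `a` but absent from list `b`."""
    holes = merged(b)
    left = [p for net in merged(a) for p in subtract(net, holes)]
    return [str(n) for n in ipaddress.collapse_addresses(left)]


if __name__ == "__main__":
    print("in reserved list, not in nmap's:", difference(RESERVED, NMAP_SKIPPED))
    print("in nmap's list, not in reserved:", difference(NMAP_SKIPPED, RESERVED))
    print("\n".join(str(n) for n in merged(RESERVED, NMAP_SKIPPED)))
```

Run against the two lists as posted, the comparison also shows that the reserved-block list has no multicast entry (224.0.0.0/4), so merging both lists gives the wider exclusion.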