Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

Episode: 2204
Title: HPR2204: MASSCAN
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2204/hpr2204.mp3
Transcribed: 2025-10-18 15:42:59
---
This is HPR episode 2204, entitled Masscan. It is hosted by operat0r, is about 8 minutes long, and carries an explicit flag. The summary is: Masscan for the 10.0 SoM.E.

This episode of HPR is brought to you by AnHonestHost.com. Get a 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair, at AnHonestHost.com.
Alright, so I wanted to do another quick web episode. This one is going to be my experiences with a vulnerability scanner and how I'm using masscan to speed up that vulnerability scanner. I'm not going to name the name of the commercial product; I think it's what I'm using for work. The problem is that the novitant has assessed technically this product, so in a way we're using it, so I'm not blaming the vendor; that's why I'm not calling them out. They may find a way to help us make this work.
So let me first find out what... We were taking a while to do scans, sometimes to do a discovery scan. It was taking us a week, eight days or something, of after-hours scans, and I started noticing that once that was done, then we would do a vulnerability scan. So essentially what we were doing was two scans, and that was starting to not make any sense. So I started looking more into the product and how it works: it uses nmap to do a discovery, and there's some throttling and all that stuff that you can set up on the front end. But it was still taking a very long time to scan the entire scan internally. We want to work where we're locating and putting the things and load balancing and all that stuff. What I was trying to do was improve that discovery phase and make it faster.
So what I'll do is kind of go over how I approached my scan. It's basically, essentially, just faster than nmap. You can read about how it works, but essentially it's faster, and it's almost a DDoS tool when it comes down to it. Let's see if I can find my issue.
Yeah, so I had an issue first around sharding. So within masscan you can do a command called sharding and split it up. So if you have, essentially we have nine scanners, we can split that up in between all nine scanners. So you can say shard one of nine, two of nine, three of nine, four of nine. And in theory it's supposed to just chop it up. But I started seeing duplicates inside of multiple different scanners, from different scanners. So what I really ended up doing was splitting it myself.
So if you do the dash S and then capital L (-sL) with masscan and then do your range, you can output that to a file, and then you can use the split command to split it into, what I have here is roughly a million lines each, or roughly two million lines each, for like nine, eight scanners or nine scanners. So with that said, I had nine split-up 10-dot ranges; I also randomly shuffled them. So that way we were running scans across the same network from nine scanners at once. Essentially what I was able to do was get the six-day or eight-day discovery scans down to, with more or less the same exact port checks and ping ICMP checks it has, I got those down to an hour or a little less than an hour.
So what took nmap and a couple of scanners a week, I got nine systems, which weren't even scanners, some of them were engine consoles and all that stuff. I just took the nine commercial boxes and had them all doing the discovery work, because it's not a big, it's not a really CPU-intensive thing unless you're doing crazy speeds.
So I had kind of the top ports, which you can get out of nmap if you run the top ports in nmap; it'll dump out the top ports that it uses in the XML file. You can just drag and drop those straight into masscan. So I've got like the top whatever, that looks like 20, 40, 20, maybe 20 ports, and then the rate I have is 14, 114 or whatever; the reason was kind of the same, around the same speed that the current scanners are using.
I did --open, which only shows open; I did --excludefile, and we have a blacklist of ranges within our corporation that we don't want to scan. And then I'd say --ping, which pings, I see them ping the range, and the port number is zero in the XML dump, and then your destination and -oX and the XML file. From what I can tell, there's only XML output, which is essentially greppable output; it's not complicated XML. As far as I can tell, unless you get into better grep, you know what I want to understand, it's kind of limited.
So anyway, the idea there is now I'm feeding that into the API, and I'm eventually going to break it up into like 10,000 chunks or something like that. So we're not scanning hundreds of thousands of systems at a time, and then if it works, we'll essentially get there.
So with that said, some other things I came across obviously are load balancers or misconfigured firewalls, or when you're traversing different networks, sometimes everything will be open, open, open, open, open. I'm going to add notes for that section to help you essentially do some math on the subnets that come out of the scans and say, okay, 10.8 has every single port open on 15 through 47. So you know to do a deeper dive into those ranges, or work with a networking team to figure out who are those packets or being not Deans filtered right through SYN scans. So it's kind of that; that'll kind of help you out.
They were originally doing full connect scans to help get around some of that, and that's why it was taking so long to do the scans, because they were doing full connect scans, and I think, I haven't done any testing, but I think even then that might have post-emissions.
So the idea is there that you can't just aim a scanner at your network and go; you need to do intelligent fingerprinting and understand where the load balancers are, or what ports you need to allow or disallow. Maybe printers need to be excluded, because random pieces of paper start printing out. You want to find those weird spots in the network and make sure you have visibility. There's little to no expectation of just dropping a scanner in and doing a discovery scan, and then even at that, you need to understand the network and make sure that you're where you're supposed to be and you can get what you're supposed to get. And that's a hard part of it.
Other than that, I feel like you can use SSH keys to do batch programming on all nine systems. So once you write little bash scripts, I might make some of that available for you guys, as far as showing the results or running a bunch of commands on the same system, on a bunch of systems. I think that pretty much is where I'm at now; eventually we're going to try and tweak the commercial scanners to be that fast or faster. But I doubt they're going to get as fast as masscan. Anyway, if you want to contribute, feel free to grab your phone and record something, and you can even send it over and I'll do a noise reduction on it.
You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
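The host describes "doing some math on the subnets that come out of the scans" to spot ranges where a load balancer or a misconfigured firewall answers every probe, so that every port looks open. The script below is an added example, not code from the episode or from the masscan project: it parses masscan's -oX output (one <host> element per address/port record, with the --ping ICMP records carrying portid 0), merges the records per IP, and flags /24s in which nearly every responding host shows the full probed port set open. The probed port list, the thresholds, and the embedded XML are constructed for the example.

```python
"""Flag subnets in masscan XML output where every probed TCP port looks open.

Added example (not from the HPR episode or from masscan). A subnet in which
nearly every host reports the complete probed port set as open is more likely
a SYN-ACK-for-everything device (load balancer, proxy, misconfigured firewall)
than a run of genuinely open hosts, and deserves a closer look before the
results are fed to a vulnerability scanner.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in masscan's -oX layout: masscan writes one <host> element
# per (address, port) record, so the same IP recurs. 10.1.1.0/24 looks normal
# (one port each, plus an ICMP-only host); 10.8.15.0/24 answers on everything.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1700000000" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1700000001"><address addr="10.1.1.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1700000001"><address addr="10.1.1.10" addrtype="ipv4"/><ports><port protocol="icmp" portid="0"><state state="open" reason="echo-reply" reason_ttl="64"/></port></ports></host>
<host endtime="1700000002"><address addr="10.1.1.20" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1700000002"><address addr="10.1.1.30" addrtype="ipv4"/><ports><port protocol="icmp" portid="0"><state state="open" reason="echo-reply" reason_ttl="64"/></port></ports></host>
<host endtime="1700000003"><address addr="10.8.15.1" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000003"><address addr="10.8.15.1" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000003"><address addr="10.8.15.1" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000003"><address addr="10.8.15.1" addrtype="ipv4"/><ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000004"><address addr="10.8.15.2" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000004"><address addr="10.8.15.2" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000004"><address addr="10.8.15.2" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<host endtime="1700000004"><address addr="10.8.15.2" addrtype="ipv4"/><ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="59"/></port></ports></host>
<runstats><finished time="1700000010" elapsed="10" /><hosts up="5" down="0" total="5" /></runstats>
</nmaprun>
"""

# Assumption: the ports that were passed to masscan with -p for this scan.
PROBED_PORTS = {22, 80, 443, 3389}


def parse_masscan_xml(xml_text):
    """Return {ip: set(open TCP ports)}; ICMP-only hosts get an empty set."""
    open_ports = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None or addr.get("addrtype") != "ipv4":
            continue
        ip = addr.get("addr")
        ports = open_ports.setdefault(ip, set())
        for port in host.iter("port"):
            # --ping records are protocol="icmp" portid="0": host is up, no TCP port.
            if port.get("protocol") != "tcp":
                continue
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            ports.add(int(port.get("portid")))
    return open_ports


def subnet_open_stats(open_ports, probed_ports, prefix=24):
    """Return {subnet: (hosts_seen, hosts_with_every_probed_port_open)}."""
    stats = defaultdict(lambda: [0, 0])
    for ip, ports in open_ports.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        stats[net][0] += 1
        if probed_ports <= ports:  # every probed port answered open
            stats[net][1] += 1
    return {net: tuple(counts) for net, counts in stats.items()}


def suspicious_subnets(open_ports, probed_ports, prefix=24, min_hosts=2, ratio=0.9):
    """Subnets with at least min_hosts responders where >= ratio are fully open."""
    flagged = []
    for net, (seen, full) in subnet_open_stats(open_ports, probed_ports, prefix).items():
        if seen >= min_hosts and full / seen >= ratio:
            flagged.append(net)
    return sorted(flagged)


if __name__ == "__main__":
    hosts = parse_masscan_xml(SAMPLE_XML)
    for net, (seen, full) in sorted(subnet_open_stats(hosts, PROBED_PORTS).items()):
        print(f"{net}: {seen} hosts seen, {full} with all probed ports open")
    print("review before scanning:", suspicious_subnets(hosts, PROBED_PORTS))
```

Run it against a real -oX file by replacing SAMPLE_XML with the file contents and PROBED_PORTS with the -p list used for that scan; the threshold and prefix length are starting points, and a flagged range is a prompt to check with the network team for a load balancer or firewall in the path, not a verdict.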