Episode: 2204 Title: HPR2204: MASSCAN Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2204/hpr2204.mp3 Transcribed: 2025-10-18 15:42:59
---
This is HPR episode 2204 entitled MASSCAN. It is hosted by operat0r and is about 8 minutes long and carries an explicit flag. The summary is masscan for the 10.0 SoM.E.

This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Alright, so I wanted to do another quick off-the-cuff episode. This one is going to be my experiences with a vulnerability scanner and how I'm using masscan to speed up that vulnerability scanner. I'm not going to name the commercial product; I think it's what I'm using for work. The problem is that the vendor hasn't technically assessed this product in the way we're using it, so I'm not blaming the vendor; that's why I'm not calling them out. They may find a way to help us make this work.

So let me first describe what was taking a while. To do scans, sometimes to do a discovery scan, it was taking us a week, eight days or something, of after-hours scans, and I started noticing that once that was done, then we would do a vulnerability scan. So essentially what we were doing was two scans, and that was starting to not make any sense. So I started looking more into how the product works: it uses nmap to do discovery, and there's some throttling and all that stuff that you can set up on the front end. But it was still taking a very long time to scan the entire network internally. We want to work out where we're locating and putting these things, and load balancing and all that stuff. What I was trying to do was improve that discovery phase and make it faster. So what I'll do is kind of go over how I approached my scan. Masscan is basically, essentially, just faster than nmap.
You can read about how it works, but essentially it's faster, and it's almost a DDoS tool when it comes down to it. Let's see if I can find my issue. Yeah, so I had an issue first around sharding. So within masscan you can do a command called sharding and split it up. So if you have, essentially we have nine scanners, we can split that up between all nine scanners. So you can say shard one of nine, two of nine, three of nine, four of nine. And in theory it's supposed to just chop the scan up. But I started seeing duplicates inside of multiple different scanners, from different scanners. So what I really ended up doing was splitting it myself. So if you do -sL with masscan and then your range, you can output that to a file, and then you can use the split command to split it into, what I have here is roughly a million lines each, or roughly two million lines each, for like eight scanners or nine scanners. So with that said I had nine split-up 10. ranges, and I also randomly shuffled them. That way we were running scans across the same network from nine scanners at once. Essentially what I was able to do was get the six-day or eight-day discovery scans, with more or less the same exact port checks and ping ICMP checks it has, down to an hour or a little less than an hour. So what took nmap and a couple of scanners a week, I got nine systems, which weren't even scanners, some of them were engine consoles and all that stuff, I just took the nine commercial boxes and had them all doing the discovery work, because it's not a CPU-intensive thing unless you're doing crazy speeds. So I had kind of the top ports, which you can get out of nmap: if you run the top ports in nmap, it'll dump out the top ports that it uses in the XML file. You can just drag and drop those straight into masscan.
So I've got like the top whatever, that looks like 20, 40, maybe 20 ports, and then the rate I have is 14, 114 or whatever; the reason was it's kind of the same, around the same speed that the current scanners are using. I did --open, which only shows open; I did --excludefile, and we have a blacklist of ranges within our corporation that we don't want to scan. And then --ping, which pings the range, and the port number is zero in the XML dump; and then your destination and -oX and the XML file. From what I can tell, there's only XML output, which is essentially greppable output; it's not complicated XML. As far as I can tell, unless you get into better grepping, you know, what I want to understand, it's kind of limited. So anyways, the idea there is now I'm feeding that into the API, and I'm eventually going to break it up into like 10,000 chunks or something like that, so we're not scanning hundreds of thousands of systems at a time, and then if it works, we'll essentially get there.

So with that said, some other things I came across, obviously, are load balancers or misconfigured firewalls, or when you're traversing different networks, sometimes everything will be open, open, open, open, open. I'm going to add notes for that section to help you essentially do some math on the subnets that come out of the scans and say, okay, 10.8 has every single port open on 15 through 47. So you know to do a deeper dive into those ranges, or work with a networking team to figure out where those packets are or aren't being filtered right through SYN scans. So that'll kind of help you out. They were originally doing full connect scans to help get around some of that, and that's why it was taking so long to do the scans, because they were doing full connect scans, and I think, I haven't done any testing, but I think even then that might have posed issues.
So the idea there is that you can't just aim a scanner at your network and go. You need to do intelligent fingerprinting and understand where the load balancers are, or what ports you need to allow or disallow; maybe printers need to be excluded, because random pieces of paper start printing out. You want to find those weird spots in the network and make sure you have visibility. There's little to no expectation of just dropping a scanner in and doing a discovery scan, and even at that, you need to understand the network and make sure that you're where you're supposed to be and you can get what you're supposed to get. And that's the hard part of it. Other than that, I feel like you can use SSH keys to do batch programming on all nine systems. So I wrote little bash scripts; I might make some of that available for you guys, as far as showing the results or running a bunch of commands on a bunch of systems. I think that's pretty much where I'm at now. Eventually we're going to try and tweak the commercial scanners to be that fast or faster, but I doubt they're going to get as fast as masscan. Anyways, if you want to contribute, feel free to grab your phone and record something; you can even send it over and I'll do a noise reduction on it.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.
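Added example, placed after the episode and not code from the episode, the host's bash scripts, or the masscan project. It shows the two pieces of glue the host describes in working Python: expanding a range list the way masscan -sL would, shuffling it and cutting it into one chunk per scanner box (the shuf + split step, with the guarantee that no address lands in two shards, which is what the host found --shards failing to deliver), and post-processing the nmap-style XML that masscan -oX writes to find subnets where every probed port reported open, the load balancer or firewall artifact the host warns about. The XML sample is constructed by hand to match masscan's -oX layout; the helper names, the "first-last" range syntax and the rate value are this example's own assumptions.

```python
"""Shard a masscan target list and flag 'everything is open' subnets in its
-oX output. Added example; not from the episode or the masscan project."""
import ipaddress
import random
import xml.etree.ElementTree as ET
from collections import defaultdict

# Ports the example scan probed; the nmap top-ports list would go here.
PROBED_PORTS = [22, 80, 443]


def _hit(ip, proto, port):
    """One masscan -oX host record (masscan emits a separate <host> per hit)."""
    reason = "syn-ack" if proto == "tcp" else "none"
    return (f'<host endtime="1470000001"><address addr="{ip}" addrtype="ipv4"/>'
            f'<ports><port protocol="{proto}" portid="{port}">'
            f'<state state="open" reason="{reason}" reason_ttl="64"/></port></ports></host>\n')


# Constructed sample of masscan -oX output: three hosts in 10.8.15.0/24 that
# answer on every probed port, one host that only replied to --ping (masscan
# reports ICMP echo hits as protocol "icmp", port 0), and one real server.
SAMPLE_XML = (
    '<?xml version="1.0"?>\n<!-- masscan v1.0 scan -->\n'
    '<nmaprun scanner="masscan" start="1470000000" version="1.0-BETA" xmloutputversion="1.03">\n'
    '<scaninfo type="syn" protocol="tcp" />\n'
    + "".join(_hit(f"10.8.15.{n}", "tcp", p) for n in (1, 2, 3) for p in PROBED_PORTS)
    + _hit("10.8.15.9", "icmp", 0)
    + _hit("10.8.16.5", "tcp", 443) + _hit("10.8.16.5", "icmp", 0)
    + '<runstats><finished time="1470000002" /><hosts up="5" down="0" total="5" /></runstats>\n'
    '</nmaprun>\n'
)


def expand_targets(ranges):
    """Expand CIDR blocks and 'first-last' ranges to one address per entry,
    like the list `masscan -sL <targets>` prints (hypothetical helper)."""
    addrs = []
    for item in ranges:
        if "-" in item:
            first, last = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            addrs.extend(str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1))
        else:
            addrs.extend(str(ip) for ip in ipaddress.ip_network(item, strict=False))
    return addrs


def shard_targets(ranges, shards, seed=0):
    """Shuffle the expanded list and cut it into `shards` contiguous, near-equal
    chunks, one per scanner box (the shuf + split step from the episode).
    Every address lands in exactly one shard, so no two boxes repeat work."""
    addrs = expand_targets(ranges)
    random.Random(seed).shuffle(addrs)          # fixed seed: reproducible split
    size, extra = divmod(len(addrs), shards)
    out, start = [], 0
    for i in range(shards):
        end = start + size + (1 if i < extra else 0)
        out.append(addrs[start:end])
        start = end
    return out


def masscan_cmdline(shard_file, ports, rate, exclude_file, out_xml):
    """Per-shard command line built from the flags named in the episode."""
    return ["masscan", "-iL", shard_file, "-p" + ",".join(str(p) for p in ports),
            "--rate", str(rate), "--open", "--excludefile", exclude_file,
            "--ping", "-oX", out_xml]


def parse_masscan_xml(xml_text):
    """Return {ip: {(protocol, port), ...}} for every open hit in masscan -oX
    output. masscan writes one <host> record per hit, so aggregate by address."""
    found = defaultdict(set)
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found[addr.get("addr")].add((port.get("protocol"), int(port.get("portid"))))
    return dict(found)


def all_open_hosts(found, probed_ports):
    """Hosts that answered open on every probed TCP port: almost never real
    services, usually a load balancer, a proxying firewall or a routing loop."""
    probed = {("tcp", p) for p in probed_ports}
    return sorted((ip for ip, hits in found.items() if probed <= hits),
                  key=ipaddress.ip_address)


def summarize_by_subnet(ips, prefixlen=24):
    """Group suspicious hosts by enclosing subnet so the ranges to hand to the
    network team ('10.8.15.0/24 answers on everything') fall out directly."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return {net: sorted(v, key=ipaddress.ip_address) for net, v in groups.items()}


def run_demo():
    """Parse the constructed sample and return the all-open hosts per /24."""
    return summarize_by_subnet(all_open_hosts(parse_masscan_xml(SAMPLE_XML), PROBED_PORTS))


if __name__ == "__main__":
    for i, shard in enumerate(shard_targets(["10.8.15.0/28", "10.8.16.1-10.8.16.4"], 3), 1):
        print(f"shard {i}: {len(shard)} targets, e.g. {shard[:2]}")
    print(" ".join(masscan_cmdline("shard1.txt", PROBED_PORTS, 14000, "blacklist.txt", "shard1.xml")))
    for net, ips in run_demo().items():
        print(f"{net}: every probed port open on {ips}")
```

Each shard list is written to its own file and shipped to one box with the generated command line; the post-processing step runs over the concatenated XML from all boxes. A subnet that shows up in the summary is worth excluding from the vulnerability scan until the network team confirms what is answering on its behalf, since feeding it to the scanner as-is produces thousands of phantom hosts.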