CyberCheatsheets

Masscan Cheat Sheet

High-speed Internet-scale port scanner for rapid discovery before deeper nmap enumeration.

Category: Scanning & Enumeration | Tags: fast-scan, network, port-scan | Updated 2026-06-02

Overview

Masscan sends SYN packets at very high rates to find open ports across large IP ranges. Use it for wide discovery, then follow up with Nmap for service detection and scripting—not as a replacement for full enumeration.

Authorized testing only. High packet rates can impact networks and violate provider AUPs. Scope targets and throttle rates per rules of engagement.

Install

sudo apt install -y masscan

or build from source:

git clone https://github.com/robertdavidgraham/masscan && cd masscan && make && sudo make install
masscan --version

Essential commands

All TCP ports (1-65535) on a /24

sudo masscan 10.10.10.0/24 -p1-65535 --rate 1000 -oL masscan.txt

Specific ports

sudo masscan 10.10.10.0/24 -p80,443,445,3389 --rate 5000 -oJ masscan.json

Single host

sudo masscan 10.10.10.5 -p0-65535 --rate 10000

Common workflows

Discover open ports, then nmap —

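sudo masscan 10.10.10.0/24 -p1-65535 --rate 5000 -oL scan.lst
# -oL fields are: state proto port ip, so ports are column 3 and hosts column 4
ports=$(awk '$1=="open"{print $3}' scan.lst | sort -un | paste -sd, -)
awk '$1=="open"{print $4}' scan.lst | sort -u > live_hosts.txt
nmap -sC -sV -p "$ports" -iL live_hosts.txt -oA nmap_followup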
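
The discover-then-Nmap workflow above, as an added Python example (not part of the original cheat sheet): it parses -oL output into per-host port lists, drops any address outside the authorized scope, and builds one Nmap command per host so each follow-up scan only touches ports seen open on that host. The function names, sample lines and CIDR ranges are constructed for illustration; the field order (state, protocol, port, IP, then a timestamp) is assumed from the -oL format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of masscan -oL output (fields: state proto port ip timestamp).
SAMPLE = """\
#masscan
open tcp 443 10.10.10.5 1700000000
open tcp 80 10.10.10.5 1700000001
open tcp 445 10.10.10.7 1700000002
open tcp 80 10.10.10.5 1700000003
open tcp 22 10.10.11.9 1700000004
banner tcp 80 10.10.10.5 1700000005 http HTTP/1.1 200 OK
# end
"""

def parse_masscan_list(text, scope, exclude=()):
    """Return ({ip: sorted ports}, [out-of-scope ips]) from -oL text."""
    allowed = [ipaddress.ip_network(c) for c in scope]
    denied = [ipaddress.ip_network(c) for c in exclude]
    hosts, rejected = defaultdict(set), set()
    for line in text.splitlines():
        fields = line.split()
        # Skip comments, blank lines, banner records and malformed rows.
        if len(fields) < 4 or fields[0] != "open" or fields[1] != "tcp":
            continue
        try:
            port, ip = int(fields[2]), ipaddress.ip_address(fields[3])
        except ValueError:
            continue
        in_scope = any(ip in n for n in allowed) and not any(ip in n for n in denied)
        if not in_scope:
            rejected.add(str(ip))  # report it, never pass it on to nmap
        elif 0 <= port <= 65535:
            hosts[str(ip)].add(port)  # set() removes duplicate result lines
    return {h: sorted(p) for h, p in hosts.items()}, sorted(rejected)

def nmap_commands(hosts):
    """One follow-up command per host, limited to the ports seen open on it."""
    return [
        ["nmap", "-sC", "-sV", "-p", ",".join(map(str, ports)), "-oA", f"nmap_{ip}", ip]
        for ip, ports in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    ]

if __name__ == "__main__":
    found, skipped = parse_masscan_list(SAMPLE, ["10.10.10.0/24"], ["10.10.10.7/32"])
    for cmd in nmap_commands(found):
        print(" ".join(cmd))
    print("out of scope, not scanned:", skipped)
```

Commands are returned as argument lists so they can be passed to subprocess.run without shell quoting.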

Banner grab (limited protocols) —

sudo masscan 10.10.10.5 -p80,443 --banners -oL banners.lst

Exclude ranges / shard scan —

sudo masscan 10.0.0.0/8 --exclude 10.0.0.0/24 -p443 --rate 10000
sudo masscan 0.0.0.0/0 -p80 --shard 1/4 --rate 100000

Flags reference

-p             Ports (-p0-65535, ranges, lists)
--rate         Packets per second (e.g. 1000, 0.1 for slow)
-oL            List output (easy to parse)
-oJ            JSON output
-oX            XML output
--banners      Grab banners (HTTP, SSL, etc.)
--exclude      Exclude CIDR or IP
--shard        Split work across instances (1/4)
-iL            Input file of ranges
--router-mac   Gateway MAC (required on some LAN setups)
-e             Network interface

Tips

  • Requires raw sockets (sudo); on Linux, consider ulimit and txqueuelen tuning for very high rates.
  • Masscan does not do service version detection—always chain with Nmap.
  • Start with lower --rate on fragile or monitored networks.
  • Output lines look like open tcp 443 10.10.10.5 in -oL format.
