Masscan

Masscan is a free and open-source network port scanner written by Robert David Graham. It is built to sweep very large address ranges, up to the whole IPv4 Internet, as fast as the hardware allows, and it answers one narrow question: which hosts have which TCP (or UDP) ports open, such as those used by web servers, mail servers, or file sharing.

Here's a straightforward analogy: Imagine you have a large apartment building and want to discover which apartments have open front doors. Masscan is like someone who can quickly run through the building, checking each door and making a list of the open ones.

Key features of Masscan:

  • Speed: It is designed for raw throughput; on its author's figures it can transmit around 10 million packets per second from a single machine with a suitable network card, enough to sweep the entire IPv4 address space for one port in minutes.  

  • Asynchronous transmission: It sends SYN probes without waiting for a reply to each one, using its own user-space TCP/IP stack rather than the operating system's, and matches returning SYN-ACKs to probes statelessly. That is what makes it far faster than a traditional connect-style scanner, and also why its results are limited to port state (plus whatever a service volunteers when banner grabbing is enabled) rather than the service and version detection Nmap performs.  

  • Large-scale scanning: It can handle vast numbers of targets, making it suitable for scanning the entire Internet or large corporate networks.  

  • Flexibility: You can choose the ports, the targets (CIDR blocks, address ranges, or the entire Internet), the packet rate (--rate), an exclusion list of addresses that must never be probed, and the output format (list, JSON, XML, or grepable).  

  • Command-line interface: It is driven from the command line with a syntax that deliberately mirrors Nmap's (for example -p for ports), so Nmap users can pick it up quickly, though it does not replace Nmap's deeper service, version, and OS fingerprinting.  

Why is Masscan used?

  • Security auditing: To find vulnerable systems with open ports that attackers could exploit.

  • Network reconnaissance: To map out devices and services on a network.

  • Research: To study the distribution of devices and services across the Internet.

Important Note:

While Masscan is a powerful tool, it is crucial to use it responsibly and ethically. Always obtain written authorization that names the address ranges in scope before scanning any network. Unauthorized scanning can be illegal and have serious consequences, and even an authorized scan run at full rate can saturate links and disrupt the networks in between, so cap the packet rate and keep an exclusion list of addresses that must never be probed.

ThreatNG and Masscan form a powerful combination for security professionals seeking to enhance their external attack surface management. Here's how ThreatNG complements Masscan and significantly expands its effectiveness:

1. Contextualizing Masscan Results:

  • Masscan excels at rapidly identifying open ports across numerous IP addresses. However, its output is essentially a list of address, port, protocol, and timestamp; it says nothing about who owns the host, what application is listening, or whether that exposure matters.

  • ThreatNG elevates Masscan's findings by enriching them with data from its extensive intelligence modules. For example:

    • Identifying the software, versions, and underlying technologies running on discovered ports: ThreatNG's "Technology Stack" identification provides this crucial context, enabling security teams to prioritize vulnerabilities based on their severity and exploitability.

    • Linking open ports to associated domains and subdomains: ThreatNG's "Domain Intelligence" module provides this connection, giving a clearer understanding of the systems and applications at risk.

    • Correlating Masscan findings with "Dark Web Presence" data: ThreatNG can reveal if discovered services or related data have been compromised or are being discussed in malicious communities, adding a critical threat intelligence layer.

2. Expanding the Scope of Investigations:

  • Masscan focuses primarily on network scanning, providing a low-level view of network services.

  • ThreatNG significantly broadens the scope of investigations by incorporating a wide array of investigation modules:

    • "Domain Intelligence": Uncovers information about the target's domain names through "DNS Intelligence (Domain Record Analysis (IP Identification, Vendors and Technology Identification), Domain Name Permutations (Taken and Available), and Web3 Domains (Taken and Available))", "Email Intelligence (Security Presence (DMARC, SPF, and DKIM records), Format Predictions, and Harvested Emails)", and "WHOIS Intelligence (WHOIS Analysis and Other Domains Owned)". This gives a deeper understanding of the target's online presence than Masscan's network-centric view.

    • "Social Media": Identifies security risks or brand-reputation issues in the organization's own posts ("Posts from the organization under investigation, breaking out the content copy, hashtags, links, and tags").

    • "Sensitive Code Exposure": This feature detects exposed "Access Credentials (API Keys: Stripe API key, Google OAuth Key… Access Tokens: Facebook access token; Generic Credentials: Username and password in URI…)," "Security Credentials (Cryptographic Keys…)," and other sensitive information in public code repositories, uncovering vulnerabilities that Masscan might miss.

    • "Cloud and SaaS Exposure": Discovers the organization's "Sanctioned Cloud Services, Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets of AWS, Microsoft Azure, and Google Cloud Platform" and SaaS applications, assessing their security posture and identifying potential misconfigurations.

    • "Mobile Application Discovery": Discovers mobile apps related to the organization and the presence of "Access Credentials (Amazon AWS Access Key ID, APIs, Artifactory API Token…), Security Credentials (PGP private key block, RSA Private Key…), and Platform Specific Identifiers (Admin Directories, Amazon AWS S3 Bucket…)" within them.

3. Prioritizing and Managing Vulnerabilities:

  • Masscan delivers a raw list of open ports (and, with banner grabbing enabled, whatever text the service returned), leaving it to manual analysis to decide which findings pose the most significant risk.

  • ThreatNG streamlines this process by prioritizing findings based on their calculated risk level and potential impact:

    • Risk Scoring: ThreatNG assesses "Web Application Hijack Susceptibility," "Subdomain Takeover Susceptibility," "BEC & Phishing Susceptibility," "Brand Damage Susceptibility," "Data Leak Susceptibility," "Cyber Risk Exposure," "ESG Exposure," "Supply Chain & Third Party Exposure," and "Breach & Ransomware Susceptibility". This provides a much more granular and actionable risk assessment than Masscan alone.

    • Reporting: Generates comprehensive reports, including "Executive, Technical, Prioritized, Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings," summarizing findings, highlighting critical vulnerabilities, and providing clear recommendations for remediation.

    • Collaboration Tools: Facilitates efficient collaboration among security teams, IT staff, and management through "Role-based access controls" and "Dynamically generated Correlation Evidence Questionnaires," streamlining remediation workflows.

Example Scenario:

Masscan reports TCP port 22 (SSH) open on a server in scope. ThreatNG can then:

  • Use "Domain Intelligence" to identify the server's owner, purpose, associated domain names, and related infrastructure.

  • Check its intelligence repositories for known vulnerabilities affecting the identified SSH version and related software (from "Technology Stack").

  • Search the "Dark Web Presence" data for any mentions of the server or its IP address in connection with malicious activities.

  • Analyze "Social Media" for discussions or complaints about the server's security or potential exploits.

  • Use Risk Scoring (within "Cyber Risk Exposure") to evaluate the risk posed by the open SSH port, considering factors like known vulnerabilities, data sensitivity, and potential impact.

  • Generate a prioritized report with clear recommendations for remediation.

By combining Masscan's speed with ThreatNG's analysis and risk-management capabilities, security professionals gain a holistic, actionable view of their attack surface and can address potential threats proactively, with greater efficiency and effectiveness.
