IP信息收集工具.zip

[](https://travis-ci.org/robertdavidgraham/masscan.svg) # MASSCAN: Mass IP port scanner This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine. It's input/output is similar to `nmap`, the most famous port scanner. When in doubt, try one of those features. Internally, it uses asynchronous tranmissions, similar to port scanners like `scanrand`, `unicornscan`, and `ZMap`. It's more flexible, allowing arbitrary port and address ranges. NOTE: masscan uses a its own **custom TCP/IP stack**. Anything other than simple port scans may cause conflict with the local TCP/IP stack. This means you need to either the `--src-ip` option to run from a different IP address, or use `--src-port` to configure which source ports masscan uses, then also configure the internal firewall (like `pf` or `iptables`) to firewall those ports from the rest of the operating system. This tool is free, but consider contributing money to its developement: Bitcoin wallet address: 1MASSCANaHUiyTtR3bJ2sLGuMw5kDBaj4T # Building On Debian/Ubuntu, it goes something like this: $ sudo apt-get install git gcc make libpcap-dev $ git clone https://github.com/robertdavidgraham/masscan $ cd masscan $ make This puts the program in the `masscan/bin` subdirectory. You'll have to manually copy it to something like `/usr/local/bin` if you want to install it elsewhere on the system. The source consists of a lot of small files, so building goes a lot faster by using the multi-threaded build: $ make -j While Linux is the primary target platform, the code runs well on many other systems. Here's some additional build info: * Windows w/ Visual Studio: use the VS10 project * Windows w/ MingGW: just type `make` * Windows w/ cygwin: won't work * Mac OS X /w XCode: use the XCode4 project * Mac OS X /w cmdline: just type `make` * FreeBSD: type `gmake` * other: try just compiling all the files together ## PF_RING To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as ["PF_RING ZC" from ntop](http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/). Masscan doesn't need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components: * `libpfring.so` (installed in /usr/lib/libpfring.so) * `pf_ring.ko` (their kernel driver) * `ixgbe.ko` (their version of the Intel 10-gbps Ethernet driver) You don't need to build their version of `libpcap.so`. When Masscan detects that an adapter is named something like `zc:enp1s0` instead of something like `enp1s0`, it'll automatically switch to PF_RING ZC mode. ## Regression testing The project contains a built-in self-test: $ make regress bin/masscan --regress selftest: success! This tests a lot of tricky bits of the code. You should do this after building. ## Performance testing To test performance, run something like the following: $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --router-mac 66-55-44-33-22-11 The bogus `--router-mac` keeps packets on the local network segments so that they won't go out to the Internet. You can also test in "offline" mode, which is how fast the program runs without the transmit overhead: $ bin/masscan 0.0.0.0/4 -p80 --rate 100000000 --offline This second benchmark shows roughly how fast the program would run if it were using PF_RING, which has near zero overhead. # Usage Usage is similar to `nmap`. To scan a network segment for some ports: # masscan -p80,8000-8100 10.0.0.0/8 This will: * scan the 10.x.x.x subnet, all 16 million addresses * scans port 80 and the range 8000 to 8100, or 102 addresses total * print output to `<stdout>` that can be redirected to a file To see the complete list of options, use the `--echo` feature. This dumps the current configuration and exits. This output can be used as input back into the program: # masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf # masscan -c xxx.conf --rate 1000 ## Banner checking Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interaction with the application at that port in order to grab simple "banner" information. The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner. The easiest way to prevent this is to assign masscan a separate IP address. This would look like the following: # masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200 The address you choose has to be on the local subnet and not otherwise be used by another system. In some cases, such as WiFi, this isn't possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like: # iptables -A INPUT -p tcp --dport 61000 -j DROP # masscan 10.0.0.0/8 -p80 --banners --source-port 61000 You probably want to pick ports that don't conflict with ports Linux might otherwise choose for source-ports. You can see the range Linux uses, and reconfigure that range, by looking in the file: /proc/sys/net/ipv4/ip_local_port_range On the latest version of Kali Linux (2018-August), that range is 32768 to 60999, so you should choose ports either below 32768 or 61000 and above. Setting an `iptables` rule only lasts until the next reboot. You need to lookup how to save the configuration depending upon your distro, such as using `iptables-save` and/or `iptables-persistant`. On Mac OS X and BSD, there are similar steps. To find out the ranges to avoid, use a command like the following: # sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last On FreeBSD and older MacOS, use an `ipfw` command: # sudo ipfw add 1 deny tcp from any to any 40000 in # masscan 10.0.0.0/8 -p80 --banners --source-port 40000 On newer MacOS and OpenBSD, use the `pf` packet-filter utility. Edit the file `/etc/pf.conf` to add a line like the following: block in proto tcp from any to any port 40000 Then to enable the firewall, run the command: # pfctrl -E If the firewall is already running, then either reboot or reload the rules with the following command: # pfctl -f /etc/pf.conf Windows doesn't respond with RST packets, so neither of these techniques are necessary. However, masscan is still designed to work best using its own IP address, so you should run that way when possible, even when its not strictly necessary. The same thing is needed for other checks, such as the `--heartbleed` check, which is just a form of banner checking. ## How to scan the entire Internet While useful for smaller, internal networks, the program is really designed with the entire Internet in mind. It might look something like this: # masscan 0.0.0.0/0 -p0-65535 Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges. To blacklist or exclude ranges, you want to use the following syntax: # masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt This just prints the results to the command-line. You probably want them saved to a file instead. Therefore, you want something like: # masscan 0.0.0.0/0 -p0-65535 -oX scan.xml