Masscan — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

The fastest internet-scale port scanner — capable of 10 million packets per second from a single host.

Use case: ReconnaissanceDifficulty: IntermediateHomepage: https://github.com/robertdavidgraham/masscan

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install masscan

Source build

git clone https://github.com/robertdavidgraham/masscan && cd masscan && make -j$(nproc)

Docker

docker run --rm -it ilyaglow/masscan -p80,443 0.0.0.0/0 --rate=10000

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Scan /16 for HTTP/HTTPS at 10k pps

sudo masscan 10.0.0.0/16 -p80,443 --rate 10000

Top web ports + JSON output

sudo masscan -p80,443,8080,8443,8000,8888 --rate 5000 -oJ scan.json 10.0.0.0/8

Banner grab (slower but useful)

sudo masscan --banners -p80,443 --rate 1000 10.0.0.0/16

List output for piping into nmap

sudo masscan -p- --rate 10000 -oL hits.txt target.com

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Rate is the only knob that matters: start at --rate 1000 on residential ISP, 10000 on cloud VPS, 100000+ on dedicated 1Gbps.
  • --randomize-hosts distributes packets across the address space instead of hammering one /24 — survives stateful firewalls better.
  • PF_RING or DPDK driver gets you to multi-million pps on bare metal — overkill for most engagements.
  • Output JSON (-oJ) and pipe directly into jq + httpx for live-host enrichment.
  • Run on a separate IP from your other tooling — Masscan rates trigger ISP rate-limits and Cloudflare ban-lists in minutes.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Masscan does NOT do version detection or scripts. Pair with Nmap -sV on the hits.
  • False positives on stateful NATs — high-rate SYN scans can confuse middleboxes. Cross-check with TCP handshake completion.
  • Default config tries to scan 0.0.0.0/0 minus excluded ranges. ALWAYS set explicit targets to avoid scanning random infrastructure.
  • On AWS / GCP, outbound rate limits from cloud VMs throttle Masscan well below stated capability.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Zmap — research-grade single-protocol scanner (Internet-wide studies).
  • Naabu — slower but cleaner output for chaining.
  • Unicornscan — older but supports stateful options.

India context and engagement notes

Use Masscan for the discovery phase only. CERT-In incident response on rate-limit complaints is a real risk if you misconfigure ranges. Keep --excludefile populated with critical infra (DNS roots, government CIDRs).


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants