The fastest internet-scale port scanner — capable of 10 million packets per second from a single host.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (apt)
sudo apt install masscan
Source build
git clone https://github.com/robertdavidgraham/masscan && cd masscan && make -j$(nproc)
Docker
docker run --rm -it ilyaglow/masscan -p80,443 0.0.0.0/0 --rate=10000
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Scan /16 for HTTP/HTTPS at 10k pps
sudo masscan 10.0.0.0/16 -p80,443 --rate 10000
Top web ports + JSON output
sudo masscan -p80,443,8080,8443,8000,8888 --rate 5000 -oJ scan.json 10.0.0.0/8
Banner grab (slower but useful)
sudo masscan --banners -p80,443 --rate 1000 10.0.0.0/16
List output for piping into nmap
sudo masscan -p- --rate 10000 -oL hits.txt target.com
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Rate is the only knob that matters: start at
--rate 1000on residential ISP,10000on cloud VPS,100000+on dedicated 1Gbps. --randomize-hostsdistributes packets across the address space instead of hammering one /24 — survives stateful firewalls better.- PF_RING or DPDK driver gets you to multi-million pps on bare metal — overkill for most engagements.
- Output JSON (
-oJ) and pipe directly intojq+httpxfor live-host enrichment. - Run on a separate IP from your other tooling — Masscan rates trigger ISP rate-limits and Cloudflare ban-lists in minutes.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Masscan does NOT do version detection or scripts. Pair with Nmap
-sVon the hits. - False positives on stateful NATs — high-rate SYN scans can confuse middleboxes. Cross-check with TCP handshake completion.
- Default config tries to scan 0.0.0.0/0 minus excluded ranges. ALWAYS set explicit targets to avoid scanning random infrastructure.
- On AWS / GCP, outbound rate limits from cloud VMs throttle Masscan well below stated capability.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Zmap — research-grade single-protocol scanner (Internet-wide studies).
- Naabu — slower but cleaner output for chaining.
- Unicornscan — older but supports stateful options.
India context and engagement notes
Use Masscan for the discovery phase only. CERT-In incident response on rate-limit complaints is a real risk if you misconfigure ranges. Keep --excludefile populated with critical infra (DNS roots, government CIDRs).
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.