[SANS ISC] Quick and dirty Python: masscan, (Tue, May 4th)

Those who know me are aware that I am a recovering shell programmer.  I have 35+ years of various shell scripts involving complicated code pipelines with grep, cut, sort, uniq, awk, input files, output files, redirects, pipes etc…cobbled together to get jobs done. None of it is elegant and little of it could be called pretty. The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable.

A simple example of this is the various scripts I have around as simple port scanners used to scan large swaths of IP address ranges for vulnerabilities. Since nmap is too slow for large numbers of IPs, my tool of choice for initial scanning of swaths of IPs and ports is the very speedy masscan.  masscan will find the open ports and then typically I will write the results to a file, manipulate the masscan output file to create an input file that nmap will read and then launch nmap to do the detailed scanning on the smaller set of IPs sending that output to even more files which then need to be manipulated and analyzed to extract the information I need.

Just recently I discovered there is a Python module for both masscan and nmap.   So far I have only spent time on the masscan module.  

Suppose you needed a script which will find all the web servers (port 80, 443)  in an address range.  It took me about 5 minutes to code up scan_web.py.

import sys,getopt,argparse
import masscan
import pprint

def main():
# read in the IP parameter
parser = argparse.ArgumentParser()
parser.add_argument(‘IP’, help=”IP address or range”)

#scan address(es) using Masscan
mas = masscan.PortScanner()
mas.scan(ip, ports=’80,443′)
print(“Error:”, sys.exc_info()[0])

# output result

if __name__ == “__main__”:

The script takes IP address(es) as an input and then scans those IPs using masscan to check if port 80 or 443 are open.

Running the script results in:

# ./scan_web.py,
[2021-05-04 20:05:28,652] [DEBUG] [masscan.py 10 line] Scan parameters: “masscan -oX –, -p 80,443”
{‘masscan’: {‘command_line’: ‘masscan -oX –, -p 80,443’,
‘scanstats’: {‘downhosts’: ‘0’,
‘elapsed’: ’12’,
‘timestr’: ‘2021-05-04 20:05:41’,
‘totalhosts’: ‘4’,
‘uphosts’: ‘4’}},
‘scan’: {‘’: {‘tcp’: {80: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’53’,
‘services’: [],
‘state’: ‘open’},
443: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’53’,
‘services’: [],
‘state’: ‘open’}}},
‘’: {‘tcp’: {80: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’61’,
‘services’: [],
‘state’: ‘open’},
443: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’61’,
‘services’: [],
‘state’: ‘open’}}}}}

The result is a Python dictionary that can be easily be parsed and fed into python-nmap (an exercise for another day).


Caveat1: Never scan an IP range you don’t have permission to scan.  While port scanning is not illegal in most jurisdictions it is questionable ethically to scan things you don’t own or have permission to scan.

Caveat2: I am not a professional Python programmer.  My scripting gets the job done that I need it to do.  I know there are many smart people out there who can write way better code than I can. 

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[HackerNews] CISO Challenge: Check Your Cybersecurity Skills On This New Competition Site

All posts

InfoSec leaders tend to be a specific type. Their jobs require them to think of possible threats, take actions that may not pay immediate results, plan for unknown security risks, and react quickly when emergencies arise, often before the morning’s first coffee. The high-stakes position also means that CISOs need to keep their knowledge and […]

Read More

[ThreatPost] Western Digital Users Face Another RCE

All posts, ThreatPost

Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices. Source: Read More (Threatpost)

Read More

[SecurityWeek] Cisco Patches High Severity Vulnerabilities in BPA, WSA

All posts, Security Week

Cisco this week released patches for high severity vulnerabilities in Business Process Automation (BPA) and Web Security Appliance (WSA) that expose users to privilege escalation attacks. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.