[SANS ISC] Quick and dirty Python: masscan, (Tue, May 4th)

Those who know me are aware that I am a recovering shell programmer.  I have 35+ years of various shell scripts involving complicated code pipelines with grep, cut, sort, uniq, awk, input files, output files, redirects, pipes etc…cobbled together to get jobs done. None of it is elegant and little of it could be called pretty. The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable.

A simple example of this is the various scripts I have around as simple port scanners used to scan large swaths of IP address ranges for vulnerabilities. Since nmap is too slow for large numbers of IPs, my tool of choice for initial scanning of swaths of IPs and ports is the very speedy masscan.  masscan will find the open ports and then typically I will write the results to a file, manipulate the masscan output file to create an input file that nmap will read and then launch nmap to do the detailed scanning on the smaller set of IPs sending that output to even more files which then need to be manipulated and analyzed to extract the information I need.

Just recently I discovered there is a Python module for both masscan and nmap.   So far I have only spent time on the masscan module.  

Suppose you needed a script which will find all the web servers (port 80, 443)  in an address range.  It took me about 5 minutes to code up scan_web.py.

import sys,getopt,argparse
import masscan
import pprint

def main():
# read in the IP parameter
parser = argparse.ArgumentParser()
parser.add_argument(‘IP’, help=”IP address or range”)

#scan address(es) using Masscan
mas = masscan.PortScanner()
mas.scan(ip, ports=’80,443′)
print(“Error:”, sys.exc_info()[0])

# output result

if __name__ == “__main__”:

The script takes IP address(es) as an input and then scans those IPs using masscan to check if port 80 or 443 are open.

Running the script results in:

# ./scan_web.py,
[2021-05-04 20:05:28,652] [DEBUG] [masscan.py 10 line] Scan parameters: “masscan -oX –, -p 80,443”
{‘masscan’: {‘command_line’: ‘masscan -oX –, -p 80,443’,
‘scanstats’: {‘downhosts’: ‘0’,
‘elapsed’: ’12’,
‘timestr’: ‘2021-05-04 20:05:41’,
‘totalhosts’: ‘4’,
‘uphosts’: ‘4’}},
‘scan’: {‘’: {‘tcp’: {80: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’53’,
‘services’: [],
‘state’: ‘open’},
443: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’53’,
‘services’: [],
‘state’: ‘open’}}},
‘’: {‘tcp’: {80: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’61’,
‘services’: [],
‘state’: ‘open’},
443: {‘endtime’: ‘1620158730’,
‘reason’: ‘syn-ack’,
‘reason_ttl’: ’61’,
‘services’: [],
‘state’: ‘open’}}}}}

The result is a Python dictionary that can be easily be parsed and fed into python-nmap (an exercise for another day).


Caveat1: Never scan an IP range you don’t have permission to scan.  While port scanning is not illegal in most jurisdictions it is questionable ethically to scan things you don’t own or have permission to scan.

Caveat2: I am not a professional Python programmer.  My scripting gets the job done that I need it to do.  I know there are many smart people out there who can write way better code than I can. 

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[HackerNews] Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform

All posts, HackerNews

An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process. In light of the growing number of cyber incidents that target the software supply chain, there is […]

Read More

[ThreatPost] Beyond MFA: Rethinking the Authentication Key

All posts, ThreatPost

Tony Lauro, director of security technology and strategy at Akamai, discusses hardware security dongles and using phones to act as surrogates for them. Source: Read More (Threatpost)

Read More

[BleepingComputer] Microsoft releases emergency OOB update for PrintNightmare zero-day

Microsoft has released emergency out-of-band security updates to address the actively exploited PrintNightmware zero-day vulnerability in the Windows Print Spooler service and impacting all supported Windows versions. […] Source: Read More (BleepingComputer)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.