If all you need is the first packet (like trying to find the origin server of a website behind Cloudflare), then you can do it in a fraction of the time on a single machine.
https://github.com/robertdavidgraham/masscan
(Good defcon talk on masscan, but I cbf to google it)
I do pretty much that for work every day and you are really overestimating. masscan takes around 30 mins-1 hour.
Since it's just a SYN scan, each frame is 64 bytes, and for scanning 5 million servers traffic is around 300 MB.
ISPs tend to notice that because a high number of small frames tends to create more stress for infrastructure than a small number of larger frames.
Hahaha wow. Yeah I see why they got mad. I'd be super untrusting of my ISP if they were portscanning my SSH servers.
Yeah it's pretty damn fast. It doesn't use the kernel TCP/IP, so it doesn't make a full connection, and it doesn't block. Whereas another scanner might make a syscall to connect to $IP:$PORT, send a SYN, wait for SYN/ACK, then send ACK and complete the connection, zmap will send $IP SYN, continue and send $IP2 SYN, and so on, very very fast. Whenever it gets a SYN/ACK back it logs that IP and doesn't complete the connection. So, pretty much the minimal scan possible.
I've heard of masscan too but I haven't looked into it too much. zmap is great though regardless.
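What makes that stateless approach possible, as an added example that is not code from zmap or masscan: if the scanner keeps no connection table, it still has to tell a genuine SYN/ACK from background noise, so it stamps each SYN's sequence number with a keyed hash of (source, target, port) and accepts a reply only if its acknowledgment number is that cookie plus one. The packet builder, the simulated target, the key and the addresses below are all constructed for the demo; nothing touches a socket or the wire.

```python
import hashlib
import hmac
import socket
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word).
SYN = 0x02
RST = 0x04
ACK = 0x10

SECRET = b"constructed-per-scan-secret"  # assumption: one random key per scan run


def syn_cookie(src_ip, dst_ip, dst_port, secret=SECRET):
    """32-bit keyed hash of the probe's identity; stands in for a per-target state table."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def build_tcp_header(sport, dport, seq, ack, flags, window=1024):
    """20-byte TCP header without options; checksum left 0 because nothing is transmitted."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(raw):
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}


def make_syn(src_ip, dst_ip, dst_port, sport=40000):
    """The probe: its sequence number *is* the cookie, so nothing has to be remembered."""
    return build_tcp_header(sport, dst_port, syn_cookie(src_ip, dst_ip, dst_port), 0, SYN)


def simulated_target(open_ports, raw_syn):
    """Constructed stand-in for a remote host: SYN/ACK on open ports, RST/ACK otherwise."""
    h = parse_tcp_header(raw_syn)
    ack = (h["seq"] + 1) & 0xFFFFFFFF
    if h["dport"] in open_ports:
        return build_tcp_header(h["dport"], h["sport"], 0x12345678, ack, SYN | ACK)
    return build_tcp_header(h["dport"], h["sport"], 0, ack, RST | ACK)


def classify_reply(src_ip, target_ip, raw_reply):
    """Decide open/closed from the reply alone: recompute the cookie and compare it to ack-1."""
    h = parse_tcp_header(raw_reply)
    expected = (syn_cookie(src_ip, target_ip, h["sport"]) + 1) & 0xFFFFFFFF
    if h["ack"] != expected:
        return "unsolicited"  # not an answer to a probe sent with this key
    if (h["flags"] & (SYN | ACK)) == (SYN | ACK):
        return "open"
    if h["flags"] & RST:
        return "closed"
    return "unsolicited"


def scan(src_ip, hosts, ports=(22, 80, 443)):
    """hosts: {ip: set_of_open_ports}, constructed. Returns {(ip, port): status}.

    A real scanner fires every SYN from one thread and classifies replies in another;
    the cookie is what lets the two halves run without a shared connection table.
    """
    sent = [(ip, make_syn(src_ip, ip, port)) for ip in hosts for port in ports]
    replies = [(ip, simulated_target(hosts[ip], syn)) for ip, syn in sent]
    return {(ip, parse_tcp_header(r)["sport"]): classify_reply(src_ip, ip, r) for ip, r in replies}
```

On a real host the kernel, which has no socket for the returning SYN/ACK, answers it with a RST, which conveniently tears down the half-open connection the target holds; that is also why a scanner that wants to grab banners has to keep the kernel away from its source port. A forged SYN/ACK only gets through `classify_reply` if the forger knows the key, so the key should be fresh per run.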
Depending on your server connection, hardware and OS, you can scan the whole IPv4 address space on a single port in a time span of 6 minutes in the best case and 3–4 hours in the worst case.
You can find it here. It's a really fast tool with custom network stack implementation that can scan the whole internet in minutes. Can also DoS your LAN very easily :)
It's actually more wild than that, most sites like Shodan and other similar ones have started using tooling like masscan:
> This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
If you need to scan a lot of IP addresses and ports then check out masscan. Otherwise no. nmap (Zenmap is actually just a GUI for nmap) is the best there is for this kind of thing. Anything you buy that is supposedly better than nmap is probably still using nmap or masscan under the hood.
Nmap doesn't have a '--rate' option so it can't be it.
It looks like it's a windows build of masscan: https://github.com/robertdavidgraham/masscan/blob/master/README.md
It's basically a very fast asynchronous port scanner that is used to scan large parts of the internet in a short time. It's scanning the hosts in list.txt in the specified ports.
Wouldn't even take a day to be honest, except maybe to do a detailed scan of each port. People have made custom drivers (see the PF_RING section) for some cards that allow them to send metric fuckloads of SYN requests to ports and see which ones respond. Doing this over the entire IPv4 address space could take a few hours or less depending on your hardware and internet connection.
Another user here reverse proxying everything with nginx. The only exposed services without basic auth are my Owncloud, Subsonic, Piwik. They are served with SSL and I trust the login page security :-P
For the rest (WordPress sites) I protect /wp-admin and /wp-login.php with basic auth (besides WordPress's own auth) and deny /xmlrpc.php. WordPress is the thing I worry about the most.
I'm sure you have read it already, but configure nginx to only serve with a server name. Nobody should request your server by bare IP (only mass scanners do), and returning 444 on location / under server name "_" will do.
Here is an example of what an internet-facing server is exposed to "in the wild":
5.28.163.84 - - [08/Oct/2016:20:19:56 +0200] "GET / HTTP/1.0" 444 0 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-"
213.136.80.43 - - [08/Oct/2016:23:53:35 +0200] "GET /script HTTP/1.1" 444 0 "-" "Python-urllib/2.7" "-"
114.44.56.130 - - [07/Oct/2016:20:36:23 +0200] "CONNECT vip163mx00.mxmail.netease.com:25 HTTP/1.0" 400 166 "-" "-" "-"
180.97.106.162 - - [06/Oct/2016:02:59:27 +0200] "\x04\x01\x00P\xB4\xA3qR\x00" 400 166 "-" "-" "-"
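The catch-all configuration described in that post, written out as an added example (not the poster's own config): a default server that answers any request arriving by bare IP, with no Host header, or with an unknown name by closing the connection, next to one real virtual host. Host names, ports, certificate paths and the upstream address are assumptions for illustration.

```nginx
# Added example, not from the post above. The catch-all must be marked
# default_server on every listening port, otherwise nginx falls back to the
# first server block it finds for that port.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # A TLS client still completes a handshake before the connection is dropped,
    # so the default server needs some certificate; a self-signed one is fine.
    ssl_certificate     /etc/nginx/certs/fallback.crt;
    ssl_certificate_key /etc/nginx/certs/fallback.key;

    # 444 is nginx-specific: close the connection without sending any response.
    return 444;
}

server {
    listen 443 ssl;
    server_name cloud.example.org;

    ssl_certificate     /etc/nginx/certs/cloud.example.org.crt;
    ssl_certificate_key /etc/nginx/certs/cloud.example.org.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
    listen 80;
    server_name cloud.example.org;
    return 301 https://$host$request_uri;
}
```

With that in place, `curl -sv http://203.0.113.10/` (a bare IP, assumed here) or `curl -sv -H 'Host: whatever' http://203.0.113.10/` ends with an empty reply, and the access log shows status 444 with 0 bytes, exactly like the masscan entry above.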
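Sorting entries like those by what they are, as an added example (not code from the post or from nginx): the parser handles the combined log format plus the trailing `$http_x_forwarded_for` field seen above, then flags known scanner user agents, CONNECT requests probing for an open proxy, and requests that are not HTTP at all, decoding the SOCKS4 CONNECT in the last line. The first four log lines are copied from the post; the fifth line, the scanner user-agent list and the class labels are constructed.

```python
import re
import struct
from collections import Counter

# Four lines copied from the post above plus one ordinary request constructed for the demo.
SAMPLE_LOG = r'''5.28.163.84 - - [08/Oct/2016:20:19:56 +0200] "GET / HTTP/1.0" 444 0 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-"
213.136.80.43 - - [08/Oct/2016:23:53:35 +0200] "GET /script HTTP/1.1" 444 0 "-" "Python-urllib/2.7" "-"
114.44.56.130 - - [07/Oct/2016:20:36:23 +0200] "CONNECT vip163mx00.mxmail.netease.com:25 HTTP/1.0" 400 166 "-" "-" "-"
180.97.106.162 - - [06/Oct/2016:02:59:27 +0200] "\x04\x01\x00P\xB4\xA3qR\x00" 400 166 "-" "-" "-"
203.0.113.5 - - [08/Oct/2016:21:00:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0" "-"
'''

# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua" "$xff"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Constructed list; extend it from your own logs.
SCANNER_UA = re.compile(r'masscan|zgrab|zmap|nmap|nikto|python-urllib|python-requests|go-http-client', re.I)
HTTP_REQ = re.compile(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d$')


def unescape(request):
    """Undo nginx's \\xNN escaping so non-HTTP request bytes can be inspected."""
    try:
        return request.encode('latin-1').decode('unicode_escape').encode('latin-1')
    except UnicodeError:
        return request.encode('latin-1', 'replace')


def classify(entry):
    req, ua = entry['request'], entry['ua']
    if SCANNER_UA.search(ua):
        return 'scanner-ua'
    if req.startswith('CONNECT '):
        return 'open-proxy-probe'
    if not HTTP_REQ.match(req):
        raw = unescape(req)
        # SOCKS4 CONNECT: version 4, command 1, 16-bit port, 32-bit IPv4 address.
        if raw[:2] == b'\x04\x01' and len(raw) >= 8:
            port, = struct.unpack('!H', raw[2:4])
            dst = '.'.join(str(b) for b in raw[4:8])
            return f'socks4-probe -> {dst}:{port}'
        if raw[:2] == b'\x05\x01':
            return 'socks5-probe'
        if raw[:1] == b'\x16':
            return 'tls-on-plaintext-port'
        return 'non-http'
    return 'ordinary'


def parse(log_text):
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e['status'] = int(e['status'])
            entries.append(e)
    return entries


def summarize(log_text):
    """Map each source IP to its classification and count the classes."""
    per_ip = {e['ip']: classify(e) for e in parse(log_text)}
    return per_ip, Counter(per_ip.values())
```

The decoded SOCKS4 target in the fourth line shows what that probe was really after: the sender was checking whether the web server would relay a connection to port 80 of a third host on its behalf, which is the same open-proxy question the CONNECT line asks in HTTP form.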
You will find yourself on the end of an uncomfortable phone call with your ISP if you try to zmap the internet. You run the very real risk of taking down one of their upstream routers from session exhaustion, but if you still want to go that route and you are ready to handle all of the abuse complaints you are going to get, masscan can scan the entire internet in a few minutes.
Also, most of the data you are looking to gather already exists in Shodan
masscan is said to be able to do 1.6 million packets per second. This is probably the fastest scanner out there. If you want to scan a single /64 with masscan, it'll take
$ bc -l
2^64/1600000/60/60/24/365
365589.01084692002029426686
365589 years with one packet (say ICMP echo request) per address.
So, while you can do it, maybe you should not. There are tricks to discover hosts on the LAN (like sending to all-hosts multicast address, NDP or DNS), but the naive approach will not work.
> GPO blocks ICMP response and there's a whole class A network at play
masscan, zmap.
And we stopped calling them "Class A" twenty-five years ago, which in tech terms, is the Late Pleistocene.
And fix your ICMP. I've long since lost any sense of humor about that. You need ICMPv6 for IPv6 to work, anyway.
Speaking of IPv6, if you can't masscan IPv6, you can use IPv6 discovery techniques on the first hop by watching for broadcasts and multicasts. But just turn on ICMP Echo Reply, so you can ping ff02::1 (ip6-allnodes). I have embedded gear that doesn't respond to Echo Request either, because the people who made it have been picking up bad ideas from people who should know better.
Masscan does multithreaded scanning of the entire internet, and any range you specify. It's the project Viss is working on.
https://github.com/robertdavidgraham/masscan
also the defcon demo:
Check out masscan if you want to do the ping on the Internet yourself!
And the website should be up, try again maybe? Otherwise try http://www.shodanhq.com which is the old version of the website.
Is this like PF_RING?
I recall the masscan project that could scan the entire ipv4 address space in 6 minutes, by bypassing the kernel IP stack with PF_RING.
The following projects are designed to scan every single IPv4 address out there:
https://github.com/robertdavidgraham/masscan
It's cool stuff. There are only so many addresses and if you have a botnet it's even easier. Even if you only utilize a single server it's rather easy to do, as long as your provider ignores the thousands of abuse reports that will be generated by IDSes.
> registering the IP with an NS seems to be make it a bigger attractor.
Did you perchance also set up SSL? There's a publicly auditable log of all SSL certificates being issued. I am not aware of a way to query all domain names that get registered, but perhaps your registrar shares data with Alexa or something.
https://www.youtube.com/watch?v=UOWexFaRylM
Here, watch this DEFCON talk (there's a lot of laughs, not just a PowerPoint). These guys do essentially the same thing you do, except they scan the entirety of the Internet (as far as IPv4 addresses go anyway, there are 2^32 of them (4,294,967,296)) - for vulnerabilities in software that attackers could exploit over the Internet. Trust me, 4 ICMP packets are not going to get you a prison sentence.
The software they're using, masscan, is freely available to use on Windows, Mac and Linux - not to mention the fact that with a fast enough connection and the right hardware it'll send out 10 million packets per second.
Since it's not mentioned in the post anywhere, I presume the author didn't know about masscan or felt he wanted to re-implement it on his own shrugs
Me too dude. It's possible with a couple beefy VPSes but it will definitely take a bit longer.
Edit: Check out masscan if you haven't heard of it already, I wish I had the hardware to run that shiz. Though it scans for ports, might be a little bit different.
For hardware we use Intel Core i7 with "just 16 GB" memory and Intel 82599 dual port 10Gbit card; multiple options exist, but you might have some lying around. Very common card.
Software: I use iperf when testing bandwidth; you should be able to go close to 10Gbit with recent/typical Linux without much tuning, same with FreeBSD. I recommend Kali Linux. (I don't use Windows much, YMMV.)
When doing DDoS or security testing, trying to kill devices, we use stuff like hping3:
time hping3 -c 100000 --faster -S -p 80 $CUST_IP
and later --flood, and then of course test with TCP, UDP and ICMP being the most common types; hping3 --help is your friend. Goal is to turn up attacks until the device breaks.
t50 http://t50.sourceforge.net/ which is a little less well-known, but has this wonderful option --protocol t50 which makes it test multiple protocols. It can also do OSPF, IPsec, EIGRP, RSVP etc. "Running T50 with '--protocol T50' option, sends ALL protocols sequentially."
Recommend running it with:
date; sudo t50 --flood -s your.spoofed.ip.addr --protocol T50 --frag-offset 10 $CUST_IP &
(both fragments and going through multiple protocols, ouch ouch says the firewalls)
also tcpreplay as mentioned by other is very nice for replaying traffic. so you can build a mix of packets using Python Scapy or Ruby packetfu https://code.google.com/p/packetfu/ and then blast it off again and again, quite efficient by preloading data into memory.
Using a single machine you should be able to go well above 1million packets per second and using multiple machines and a switch the sky is the limit. You can also try out the masscan - but I have only played a little with that one. "This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second." https://github.com/robertdavidgraham/masscan
OP already said this, but they are correct, it's actually fairly trivial to find machines running minecraft servers if they are open to the internet, with tools like masscan you can iterate over thousands of IP addresses in minutes.
The easiest way to protect against this is to use a different port number, by default Minecraft uses port 25565, which makes it very easy to find servers, since you only have to check one port each time, however if you pick a random other number there's no easy way to tell if a server is running.
Just to emphasize the open port issue, take a look at masscan:
> This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
There is no longer any realistic hope of hiding any open port in public IP4 space for any operationally significant amount of time. It is going to be seen, and soon. If it can be seen, the service it provides can be automatically classified and hit with a targeted automatic exploit attempt. The whole process from scan to exploit can be hands-off, and probably is. (And there are likely many entities running automated attacks.) If the exposed service has a known unpatched remote code vulnerability, it’s likely to be attacked successfully at some point soon.
While this is a little bit paranoid and alarmist, from a planning perspective that’s where you need to be.
Setting up a gateway designed for the task is the right way to do it.
Takes about 5 minutes to hit the entire internet with masscan. I get countless masscan pings on my rpi everyday (it identifies itself in the user agent unless the scanning party has changed it).
masscan is much faster than most people think it is.
You can't "hide" on the internet if you have active ports. Every common port with known vulns is getting scanned constantly. It's actually pretty easy to do.
> This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
If they have a vuln for RDP and are looking for unpatched system still open to the internet they don't need to scan every port on every IP, just 3389. They can find you literally minutes after you turn it on.
>How do you guys secure your game servers?
Stick to the more popular game servers (with many people self-hosting.) Newer ones will have had less "real world" testing and may have security flaws.
But even more important -- always stay up-to-date: If a flaw is found, people can easily scan the entire internet in 5 minutes to find vulnerable servers.
>Did you use a relay server to prevent a ddos on your own network?
There are many kinds of DDOS, and using a relay can't prevent all of them. But unless you do something controversial, it's unlikely you will be the subject of a DDOS attack. Even if you are being attacked, disconnecting your router for a few hours often gives you a new IP address.
>Any tips and tricks/guides you followed?
If you are paranoid, run it on a guest network and run it on a dedicated computer.
Docker helps a little, but doesn't prevent kernel bugs. Full VMs are more secure -- but it only matters if the game has a security flaw. Some languages (like C/C++) are more likely to have flaws than others.
Packet throughput.
https://github.com/robertdavidgraham/masscan
> Windows and Macs aren't tuned for packet transmit, and get only about 300,000 packets-per-second, whereas Linux can do 1,500,000 packets/second. That's probably faster than you want anyway.
NUT typically listens on port 3493 and HA may be identifying the NUT service based upon the port alone. If that is the case, then you could port scan your private network to see which device(s) are listening on that port using a tool like masscan or nmap. Here is what that would look like with masscan, assuming your systems are somewhere within the 192.168.0.0/16 netblock:
sudo masscan -p 3493 --rate 5000 192.168.0.0/16
Just use Amazon to spin up an EC2 instance, and set up masscan. According to their docs, at 100k packets per second a single-port scan of the entire internet should take around 10 hours. A machine with 8 cores and 32GB of RAM comes out to about $4 for 10 hours of usage.
Here's a useful thing to remember when opening up public-facing ports: one single person can scan the entire public internet IPv4 range in a matter of minutes. There are search engines that crawl open ports. Any port you open is guaranteed to get hit.
So you want to scan the whole internet for proxy servers? Don't get me wrong, this is totally doable, but you are gonna need something a little more robust than the program you wrote. Check out masscan. According to their docs it can scan the entire internet in 10 hours (per port).
With a 10Gig Intel NIC, it only takes a single-digit number of minutes to scan all the ports on all the addresses in the IPv4 space using something like masscan.
The "global permanent deployment of IPv6" was at least a year before masscan's first release.
It's legitimate to criticize the shorthand 'scan the Internet' by pointing out an IPv4 tool doesn't touch IPv6, but the shorthand is given with the common understanding most of the 'net traffic and routing is still v4.
Nothing has changed since the tool's release though that make your "once upon a time" and "with the advent" statements correct.
masscan is used by research companies and baddies alike.
https://github.com/robertdavidgraham/masscan
As others have said, this is life on the internet. Keep your shit patched. The real question is, why do you have an "office web server" exposed to the internet?
If you configure your server software to listen on 0.0.0.0 (which is configured by default) most unwillingly publish their webpage to a wider network - to an assigned domain.
Also most database software used to come with a similar thing out of the box, so discovering servers listening on port 3306 within a regular IP range (and IPv6 is not that hard to scan when you understand how it works) is not that hard using tools like masscan or going through middlemen like Shodan.
Are you only wanting to diff the up/down port status? If you only want status and not other nmap features like fingerprints, masscan can probably handle the task better. They did the entire Internet in under an hour at the 2014 release.
I would use masscan
https://github.com/robertdavidgraham/masscan
or heavily modify the timing for your nmap query. for example nmap -T4 -Pn 10.0.0.0/8, the resulting ip can be further examined with more granular options for service or OS detection
Absolutely!
Someone else has suggested a tool called masscan - https://github.com/robertdavidgraham/masscan . iperf/jperf are all well and good - I use them for LAN testing - but this sounds like it'll do an even better job of breaking the link. It's not just straight up bandwidth I need to worry about, it's more the computational and memory load of having a lot of connections being run through the server at the other end I need to test.
Now I'm picturing my test PC all decked out in leather and the DC at the other end is now lit like a proper dungeon, none of this fluoro light business...
Start with masscan. Add a nice database to keep track of the results. Then a pinch of worker queues and custom agents to extract information from the open ports and place it in the database.
Yeah, if it is your own equipment it is always fine. Your ISP isn't going to notice or care, as long as you aren't doing something crazy like running masscan against the entire internet. Even then they are just going to tell you to knock it off, or they will disable your service.
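The two pieces that the comment above and the earlier up/down-diff question both need, as an added example (not code from masscan or from either poster): load masscan's list output into SQLite, diff two runs so that newly opened and closed ports fall out, and turn the new ones into a queue of follow-up jobs. The two runs are constructed; the line layout `status proto port ip timestamp` is assumed from masscan's `-oL` output, so check it against the version you run, and the probe names are placeholders.

```python
import sqlite3

# Two constructed runs in masscan's -oL list format ("status proto port ip timestamp").
# The layout is an assumption taken from masscan's list output; verify against your build.
RUN_1 = """#masscan
open tcp 22 192.168.1.10 1476000000
open tcp 80 192.168.1.10 1476000001
open tcp 3493 192.168.1.20 1476000002
# end
"""
RUN_2 = """#masscan
open tcp 22 192.168.1.10 1476086400
open tcp 3493 192.168.1.20 1476086401
open tcp 3493 192.168.1.21 1476086402
open tcp 3389 192.168.1.30 1476086403
# end
"""


def parse_list_output(text):
    """Return the set of (ip, proto, port) reported open; comments and blanks are skipped."""
    ports = set()
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        status, proto, port, ip = line.split()[:4]
        if status == 'open':
            ports.add((ip, proto, int(port)))
    return ports


def open_db(path=':memory:'):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS open_ports (
        run_id INTEGER, ip TEXT, proto TEXT, port INTEGER,
        PRIMARY KEY (run_id, ip, proto, port))""")
    return db


def store_run(db, run_id, text):
    db.executemany("INSERT OR IGNORE INTO open_ports VALUES (?, ?, ?, ?)",
                   [(run_id, ip, proto, port) for ip, proto, port in parse_list_output(text)])
    db.commit()


def diff_runs(db, old_id, new_id):
    """(appeared, vanished): open ports present in one run but not the other."""
    q = """SELECT ip, proto, port FROM open_ports WHERE run_id = ?
           EXCEPT SELECT ip, proto, port FROM open_ports WHERE run_id = ?"""
    appeared = set(db.execute(q, (new_id, old_id)).fetchall())
    vanished = set(db.execute(q, (old_id, new_id)).fetchall())
    return appeared, vanished


def work_queue(new_ports, probes):
    """Worker items (ip, port, probe) for newly seen TCP ports we have a follow-up for.

    probes maps a port to the name of the agent that should inspect it (placeholders here).
    """
    return sorted((ip, port, probes[port])
                  for ip, proto, port in new_ports if proto == 'tcp' and port in probes)
```

Keying the table on run_id keeps every scan's snapshot, so the diff is a plain EXCEPT in both directions rather than a bespoke comparison script, and only ports that changed state reach the workers; a port that was already open last week generates no new job.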
Grab a copy of virtual box, and start setting up systems for you to practice against, or check out overthewire.org, hackthebox.eu, and similar sites.
If you feel like your practice environments are no fun or too easy, go sign up at HackerOne. They will give you a list of sites that authorize you to try and hack them, assuming you follow the guidelines laid out for each one (it varies from site to site).
a) Run masscan searching for EternalBlue-affected systems or known botnets.
b) Exploit at your discretion and depending on local and target legal jurisdiction and situation.
c) Run nmap.
> it's not an obvious/known target
Scanning the whole IPv4 address space can be done in under a day nowadays. Shodan runs continuous scans, so it's likely that your server address is in their public database.
Read the friendly emails included in this file ;) https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf
You might be right about ISPs, but I have no experiences with contacting them about that.
Pretty much, although, the IP space you are scanning isn't exactly massive. With something like masscan you could enumerate all the potential targets in a few minutes, then proceed to exploit them all automatically, building up an enormous list of now-free WiFi.
For neighbours, scanning "near" subnets (the /24 you are in perhaps) might yield good results, depending on how Eir are doing DHCP assignment.
Another thing is, once you have a huge database of them, you basically have free WiFi fucking anywhere you want. Just write a quick script to match SSIDs detected in WiFi scans (say, from wardriving) to ones in the database of leaked SSID/key info, and boom, sorted.
For the best scan times use masscan. I forget the input format, but it may take CSV. You can throttle it to work as fast or as slow as you'd like. I forget if it offers ping as well: https://github.com/robertdavidgraham/masscan
The top comment until someone claimed the bounty was to a tool that scans the whole ipv4 space for you.
The tool:
https://github.com/robertdavidgraham/masscan
The comment from just 2 hours after OP created this thread:
https://www.reddit.com/r/Bitcoin/comments/3i1l6m/a_small_treasure_out_there_on_the_internet/cucm2n9
Drop logs of people scanning you, it's not interesting data, and it's hardly an attack. Many popular services scan you, many non-popular services scan you, many services scan you in error, many services scan you while being malicious, who cares? Log authentication attempts/etc, sure, but not connections...
Services that will scan you some time this hour:-
Anyway, few sites that will probably scan you at some point this week:-
http://internetpolice.us/ (This is a joke site by the developers of masscan)
Services that will scan you sometime this year:-
Etc...
you could play around with masscan, probably get more attention from dotcio. https://github.com/robertdavidgraham/masscan
Or run a tor relay, even better an exit node. I think your idea is a cool one. Good luck!
I believe what you're talking about is https://github.com/robertdavidgraham/masscan but I can't be sure. Nmap is pretty much the de facto scanner for any type of scanning as it has many modes and types of scans to use. I also recommend the shodan.io scanner since it scans ANYTHING online, but for best use you need to have an account and pay for it.
masscan might work. The author added a heartbleed scanning feature back a while ago.
Github = https://github.com/robertdavidgraham/masscan
About = http://blog.erratasec.com/2014/04/using-masscan-to-scan-for-heartbleed.html
Masscan might be what you're looking for.
https://github.com/robertdavidgraham/masscan
I'm not sure what advantages it might have in your situation over nmap, but I've been messing with it lately and it's definitely a fun tool.
Looking at it from the project level, I think there are a couple of things that could be improved:
You shouldn't include an executable in your repo like you have. The standard way is to make a Release
There aren't instructions on how to build the project. You should include that in the README or make an INSTALL file as well with instructions. Even better would be to include a Makefile and mention it in the README.
It's standard to put the source into a folder called "src"; it just tidies up everything.
Here's a completely random example I've found which I consider to be well laid out.
These aren't hard and fast rules, just general guidelines that I try to follow when releasing code to keep it clean. I'm sure other people will have differing opinions about project structure.
EDIT: cleaned up words