Daniel Miessler's Blog, page 111
November 4, 2017
FaceID Adds a Step for Apple Pay, and For Good Reason
—
FaceID is an upgrade not just because it’s more accurate than TouchID, or because it’s a faster way to authenticate—it’s an upgrade because you are basically removing the authentication step entirely.
Source: FaceID is Brilliant Because It’s Subtraction Instead of Addition
I wrote that about FaceID itself, and now that I have the new iPhone X I have had a chance to use it for Apple Pay.
The interesting thing is that while we lost an authentication step with FaceID, we gained one with Apple Pay.
The issue is that you have to include an explicit action when initiating Apple Pay no matter what. It cannot just be the proximity of the reader. If that were the only requirement then people would set up a charge on ad-hoc, mobile readers and then sneak up and charge things in your pocket or on your wrist in public places.
That would be bad. So it requires you to do something.
With Apple Pay and TouchID the $something was holding your thumb on the home button and bringing your phone close to the reader.
With Apple Pay and FaceID the $something is double-clicking the right button.
The double-click on the side is also how you enable Apple Pay on the Apple Watch.
But the TouchID with Apple Pay on the phone effectively felt like a step was removed because you had to hold the phone anyway. So if you just held your phone from the bottom, with your thumb on the sensor, you basically auto-authenticated the transaction.
So TouchID/ApplePay ended up being one step (hold phone to reader), while FaceID is currently two steps (hold phone to reader and double-click the right button).
The reason Apple can’t just use FaceID auth to authenticate Apple Pay transactions is (probably) because when you’re using your phone—say on a subway—you will be authenticated. So at that point someone could just slide a reader under your phone and instantly authenticate a transaction.
For this reason you need that extra double-click step.
Anyway, just thought that was interesting.
October 31, 2017
FaceID is Brilliant Because It’s Subtraction Instead of Addition
—

[Image: The iPhone X]
I think one of the best ways to think about the advancement that FaceID represents is to realize that it’s removing an action instead of adding one.
True perfection is achieved not when you have nothing left to add, but when you have nothing left to take away. ~ Antoine de Saint-Exupery
FaceID is an upgrade not just because it’s more accurate than TouchID, or because it’s a faster way to authenticate—it’s an upgrade because you are basically removing the authentication step entirely.
A great way to visualize this point is to imagine a similar handheld device from a superior alien race. Assuming they needed such an interface or display at all, they would simply handle their device normally and it would still allow them to perform sensitive actions.
To an unfamiliar observer it might seem like no authentication took place, like one could just pick up any device and start taking sensitive actions on their behalf. But in reality all of that functionality had just been removed from the workflow and done automatically. It’s security made invisible and effortless.
That’s what FaceID is, and why it represents such an improvement: it adds security while removing friction.
That—even more than its accuracy or speed—is what makes it the future.
Notes
And before you say that Samsung did this a long time ago, keep in mind that it doesn’t count if you just add convenience but also remove security. That’s easy to do.
—
Unsupervised Learning: No. 99
—
This is episode No. 99 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…
This week’s topics: Information Warfare, AI vs. CAPTCHA, Google Bug Bug, DARPA Drone Swarms, USB Fail, Medical Extortion, tech news, human news, ideas, discovery, recommendations, aphorism, and more…
Security news
Russia's information warfare campaign seems to have been far more effective than first thought. They evidently reached 126 million users on Facebook, published more than 131,000 tweets, and uploaded over 1,000 videos to YouTube. Link
A new AI based on the brain's visual cortex has massively wrecked CAPTCHA security, giving over 2 in 3 success in many runs, including against reCAPTCHA. Link
A major bug was found in Google's bug database software that allowed a researcher to look at all bugs in the system. There's some controversy because he only received $15,500 for his findings, and many are saying it's worth far more than that. He points out at the end of the post, however, that it makes sense to have a lower payout since the bugs are ephemeral. Great bug and great writeup. Link
ISIS has been putting bombs on drones for a while now, and now Mexican drug cartels are doing the same thing. They're putting potato bombs on quadcopters. Link
DARPA wants US ground troops to be accompanied by swarms of small, flying or crawling robots in a project called OFFSET (Offensive Swarm-enabled Tactics Initiative). Well, we knew it was coming of course, but it's still surreal to read about it happening in realtime. Link
Someone found a USB drive full of details about London Heathrow's airport security, as well as travel details and protection plans for Queen Elizabeth II and other VIPs. Link
Twitter is banning ads from RT and Sputnik due to evidence that they are part of a concerted effort to increase social strife in the United States, especially related to Russia and the 2016 election. They will also begin labeling political ads. Link
It appears more and more companies are looking at AI for infosec help not necessarily because they think it'll work, but because there aren't enough trained humans to do the work. Link
Hackers broke into a high-profile plastic surgery clinic and stole tons of extremely sensitive images of VIP clients, including celebrities, royals, etc. Link
Technology news
Twitch seems to be winning the gaming streaming battle against Google. Their concurrent streamers grew 67% in Q3, as YouTube gaming declined. This is expected for me because platforms like this are very similar to social media platforms, and Google seems utterly incapable of making a good interface / community. Link
Uber now lets you make multiple stops on the way to your destination, both before you start and while en route. This is great news for many who realize they need to pick up something before they get where they're going. Link
Amazon now has over 540,000 employees, and net sales increased in Q3 from $32.7 billion to $43.7 billion. What a force. Link
Google's ad business is now larger than that of Facebook, Alibaba, Baidu, Twitter, Amazon, and Snap combined. Link
91% of payments in Australia are contactless, compared to 45% in the UK, and only 5% in the US. 5%? How embarrassing. Apple Pay seems to account for around 90% of the transactions in the markets where it's available. Link
IBM has simulated a 56-qubit quantum computer on a traditional architecture, using only 4.5 terabytes of memory. Link
Human news
Millennials may be choosing brands that make them feel safe. Link
PayPal is now worth more than American Express. Link
AI has been used to find suicidal tendencies in brain scan data. Link
A new study has again indicated that high IQ is associated with various psychological disorders. Link
Walmart is expanding its in-store robot program, but is quick to assure people that they won't replace humans. Hilarious. Link
The top 20% of incomes pay 95% of taxes. Link
GE is moving away from the forced annual performance review model that it helped pioneer, and many other companies are doing the same. Link
Ideas
InfoSec Needs to Embrace Tech Instead of Ridiculing It Link
The New Luxury of Good Information Link
An Idea on How to Build a Conscious Machine Link
Maybe the Current Trend for Society is Fragmentation Link
On the Luxury of Abandoning a Nice Corporate Job for the Freedom of Freelancing Link
Do all predictions of the future collapse into these four themes? 1) Growth that keeps going, 2) Transformation upending the past, 3) Collapse of the present order, and 4) Discipline imposed. Link
Patreon continues to improve its tools for helping content creators grow and monetize their audiences. Another interesting player in that space is Memberful, which I use myself. I think we're basically witnessing a peer-to-peering of value creation and consumption. Link
Dungeons & Dragons is making a major comeback, and I think it's because role-playing games provide alternate meaning loops. As a life-long gamer myself I see the allure, but can't help but see it as a problem as well. It's possible to role-play as a creative outlet, which I think is good, but it's also possible to do as a substitute for succeeding in real life, and that's not good. Link
Discovery
On the Luxury of Abandoning a Nice Corporate Job for the Freedom of Freelancing
—
I think in the future these are the types of statements from rich people that are going to cause riots in the street.
I was just reading the post that this quote came from and I was having feelings. First, it’s a great post. Definitely valuable for anyone looking to up-level from just having a great corporate job into true career bliss.
Definitely admirable, and the author did a great job talking us through it.
But the whole time I was reading it I kept thinking of all these books I just read about the middle working class, who is essentially clawing their way through every single hour of every single day.
They’re working at Walmart. They’re driving Uber. They’re raising kids. They struggle to pay rent, to buy food, to pay for healthcare. And they’re trying to be parents at the same time. And that’s the bottom 2/3 or so (people disagree about the numbers) of everyone who works.
Imagine them on a midnight shift at Walmart, stocking shelves because the new robot that just arrived isn’t good enough at it yet, working 30 hours a week here on random days that don’t qualify for benefits by design. And imagine reading that working a job that axes your flow is not an option.
The axing of flow. As a priority. What an amazing life to have where this is your problem.
Anyway, then there are some who make decent money, but aren’t doing well really. They make 40-70K a year, or maybe 80K as a household. They’re struggling, but they’re getting by.
And then we have people like this author (and me too, I must say), who are so fucking blessed that we can say things like she says in this piece. More goodies like:
Leaving your job is scary enough. Quitting without a solid plan is even scarier. But damn, is it ever exhilarating.
Exhilarating. Leaving your nice corporate job. That pays more than probably 90% of all jobs in the country, where you probably do far less work.
When I hear it on its own I want to give her a high-five. Great job! Nicely done. Reclaim the soul, for sure.
But when I hear it in the context of the struggle that most people are facing, I can’t help but feel scorn. Scorn for her for being tone deaf, and scorn for the world for having this much disparity in the livelihood of people.
Her post should apply to everyone, not just the top 10% that it actually applies to.
The only real fault I see in what she wrote is that she seems unaware of her blessed state. It’s almost like she’s saying this to the world. Quit your job! It’s so much better. A bit challenging, but worth it!
News bulletin: very few people in the entire world work for fun, or find anything redeeming about work whatsoever. They do it for survival and nothing more.
I feel like the entire piece could be fixed by just saying—somewhere in the post—that she feels lucky to even have this option, because she knows most do not. Sweet. That’s all I needed to hear.
But as it stands it just sounds disconnected from the world, which I think is happening more and more. People live in their little tiny worlds and are unable to empathize with the plight of The Other.
Again, it was a great piece. I just couldn’t help but feel like she was disrespecting those who would do anything for the job she escaped from.
But that’s not her fault. That’s the world’s fault. That’s all of our fault.
—
October 30, 2017
It’s Not Bias When Artificial Intelligence Tells Us Something True and Uncomfortable
—

[Image by Thinkstock]
I think many are confused about bias in artificial intelligence.
I think what it should mean is when you present training data to an algorithm that doesn’t represent reality. So you thought you were telling the AI how the world really is, but for some sampling-related reason you fail to do that.
The result is poor predictive capabilities or some other negative effect.
What I think we could be seeing a lot of though, is situations where the algorithms are presented with accurate data about the world, but the analysis produced by the AI is offensive in some way.
This could come in a couple of forms that I can think of immediately:
The AI tells us something about reality that is uncomfortable.
The AI creates a stereotype of groups by surfacing options for “people like them”.
In the first case, analysis of larger and larger datasets is likely to reveal truth in an uncomfortable way, for example maybe saying that Asian women don’t often select black men as potential dates. This is reality of course, but in the polite and insulated world of common courtesy we like to believe everyone likes everyone else the same.
Big data analysis and AIs will peer through political correctness and show us things we don’t want to see or talk about.
In the second case, you might tell an AI that you’re a Trump supporter who didn’t go to college, and it might recommend a local gun shop or a NASCAR event. Or maybe a way to make money in a tough economy. And people might find that rude.
How dare they assume I’m struggling financially and like country music just because I voted for Trump?
Now imagine all the various ways this awkwardness could play out, for different ethnic groups, different socio-economic groups, education levels, etc.
Basically, we need to understand the difference between AI having bad training data in the sense that it doesn’t represent reality, vs. algorithms producing views of reality that make different groups unhappy.
There will be tremendous pressure to treat case 2 as case 1 for political reasons.
Oh, the algorithm was broken; we’re very sorry.
But in reality what the engineers and product teams might do is simply write a hard rule that removes a given analysis or recommendation, even though feeding more and more quality data about the world will yield the same results.
Another example might be an algorithm recommendation for women in Shanghai for a product that whitens their skin. If a PC group in San Francisco hears about this they’ll say the algorithm is biased towards white people, and against people of color.
But the truth might be that it was a great product match, because so many women exactly like her user want that product, and in fact she did too.
In short, algorithms aren’t biased for revealing a version of the world that we don’t want. They’re only biased if they fail to represent reality. We have to understand this distinction, and work to keep the line between these two situations as bright as possible.
And perhaps it’s ok to tweak algorithms to not produce results that could be offensive to anyone. That’s a product decision that people should be allowed to make. But I have a feeling that companies who lean strongly in this direction will face fierce competition from those who let unpleasant truth shine through.
I think the better algorithms get, and the more data they see, the more insightful and potentially awkward truths will be revealed to us.
We will simply have to acclimate to this reality as a waste product of machine learning.
—
The Difference Between Narcissism and Self-Esteem
—
Well this explains a lot.
Whereas self-esteem tends to be at its lowest in adolescence, and slowly increases throughout life, narcissism peaks in adolescence and gradually declines throughout the lifespan. Therefore, the development of narcissism and high self-esteem show the mirror image of each other throughout the course of human development.
Source: Narcissism and Self-Esteem Are Very Different – Scientific American Blog Network
I’ve always wondered why you shouldn’t trust someone who peaked in high school, and perhaps this is part of the reason.
Maybe the best people have high self-esteem, but low narcissism, and so anyone who was confident and happy in high school probably had the latter.
It would also explain why so many of them tend to be miserable later in life.
Thoughts?
—
The New Luxury of Having Good Information
—

[Art by Sarah Walker]
There’s something of a trend right now to identify various things that only the rich seem capable of these days and calling those luxuries. Some examples include: boredom, creativity, caring about the environment, philanthropy, etc.
They’re things that, as it turns out, have a lot of prerequisites—most important among them being time and money.
It’s not easy to be bored and creative when you work multiple jobs trying to pay for food, shelter, and healthcare. And in that state of mind the environment isn’t likely near the top of the concern list. Now add to that all manner of things that come with free time and spending money.
So one way to see these things is as luxuries. Another way to see them is as major advantages. And I thought of another one.
Good information.
Everyone is talking about how bad our information sources are, and how it’s impossible to know what to believe and what not to believe. I get it. If you’re not educated, if you’re being bombarded with multiple attractive narratives that explain the hardship in your life, and if you have no way to detect deception—sure, that’s a problem.
But it’s not a problem for me, or for most people I spend time with.
Why? Because we went to college. Because we were taught about how media influences the world. We were taught about bias, and perspective, and nuance, and context, and all the common pitfalls of interpreting information. That doesn’t mean we’re immune to bias, but at least we know it’s there—both in what we read and in ourselves.
I think one big problem we have is too many top 10% types thinking everyone has the ability to tell good information from bad.
I don’t think most do. I think it’s probably very rare. I think to the majority of Americans, all the news and media looks the same. They can’t tell the difference between an expert and a con, a spin job and solid journalism, etc. So they do what makes sense to them and pick a source that resonates with their emotions.
So, just like philanthropy and activism and creativity—knowing the difference between good and bad information turns out to be an advantage for the rich. And not a minor one, either.
Being able to know what’s actually happening in the world vs. not—that’s foundational. If you’re misguided about how the world works then you’re less likely to get a good job, to raise your kids well, to live a healthy life, etc. It’s a near guarantee of hardship anywhere in a modern society.
I’m not sure of a solution yet, but I do know it’s giving me pause. It’s making me think a bit more before looking down on the idiot who can’t tell fact from fiction. They simply might not have the tools.
—
October 29, 2017
A Masscan Tutorial and Primer

[Image: masscan run with no parameters]
Basics
Background
Installation
Single-port Scans
Multi-port Scans
Scan Top Ports
Options
Scanning Fast
Excluding Hosts
Saving Your Configuration
Output
Nmap Functionality
Quickstart
Finding Web Ports on a Network
Finding All Ports on Network
Finding the Top 10 Ports on a Network
Scan the Whole Internet for a Port
Scan the Whole Internet for All Ports
Basics
Everyone knows nmap as the rightful king of the port scanners, and it still remains the most versatile option today. But for pure speed there are some that have surpassed it, including scanrand, unicornscan, zmap, and now masscan.
Asynchronous transmission means the scanner doesn’t have to wait for replies before sending out probes.
masscan was created for the sole purpose of scanning the entire internet as fast as possible. According to its author, Robert Graham, this can be done in less than 6 minutes at around 10 million packets per second.
In this short tutorial we’re going to learn the basics and provide some real-world examples.
If you just need syntax to run with you can jump ahead to the Quickstart.
Installation
Installing masscan is fairly straightforward whether you’re using Linux or macOS.
This will install the binary under bin/masscan; you’ll have to move it to run it from somewhere else.
# Install on Debian/Ubuntu
$ sudo apt-get install clang git gcc make libpcap-dev
$ git clone https://github.com/robertdavidgraham/...
$ cd masscan
$ make
brew is the main command for Homebrew, which you can get here.
# Install on macOS
$ brew install masscan
Single-port Scans
Many people use masscan to scan very large networks (such as the internet) on one or just a few ports.
masscan has been designed to work much like nmap, which makes it instantly approachable for thousands of security professionals and enthusiasts.
# Scan a class B subnet for port 443
$ masscan 10.11.0.0/16 -p443
Multi-port Scans
You can also scan multiple ports using a comma as a separator.
# Scan a class B subnet for port 80 or 443
$ masscan 10.11.0.0/16 -p80,443
Scan a Range of Ports
Or you can scan a range of ports using the dash.
# Scan a class B subnet for ports 22 through 25
$ masscan 10.11.0.0/16 -p22-25
Scan n Number of nmap’s Top Ports
In addition you can use nmap’s --top-ports option, which lets you specify the top n number of the most common ports to scan. So if you give it --top-ports 100 it’ll scan the 100 most common ports according to nmap.
If you don’t have the --top-ports option available to you, make sure you have the latest version of masscan.
# Scan a class B subnet for the top 100 ports
$ masscan 10.11.0.0/16 --top-ports 100
Options

[Image: The default masscan options]
You can check masscan’s current options with the --echo switch.
Now that we’ve covered some basics, let’s look at some additional tweaks we can make.
Scanning Fast
Using the settings above you’ll definitely get results, but the speed will be quite average. As discussed already, the whole point of masscan is to be quick, so let’s speed it up.
By default, masscan scans at a rate of 100 packets per second, which is quite slow. To increase that, simply supply the --rate option and specify a value.
# Scan a class B subnet for the top 100 ports at 100,000 packets per second
$ masscan 10.11.0.0/16 --top-ports 100 --rate 100000
Scanning this fast (or even slower) is likely to cause all sorts of problems, including getting your system blocked on the internet, getting abuse complaints to your hosting provider, etc. Don’t just start scanning large networks without setting groundwork first.
How fast you can scan is going to depend on a lot of factors, including your operating system (Linux can scan far faster than Windows), the resources of your system, and—most importantly—your bandwidth. In order to scan very large networks at high speeds you’ll need to use rates of a million or more (--rate 1000000).
Excluding Targets
Because much of the internet can react poorly to being scanned—and also just out of sheer courtesy—you may want or need to exclude some targets from your scans. To do this, provide the --excludefile switch along with the name of the file that includes lists of ranges to avoid.
# Scan a class B subnet, but avoid the ranges in exclude.txt
$ masscan 10.11.0.0/16 --top-ports 100 --excludefile exclude.txt
This will produce the notification at the top of your scan that:
exclude.txt: excluding 1 range from file
Saving Your Configuration
As we mentioned earlier, you can show the current masscan options using --echo, and you can also save them to a file using the standard redirect.
# Save the current scan configuration (not the results) to scan.txt
$ masscan 10.11.0.0/16 --top-ports 100 --echo > scan.txt
Output
First, you can just use the standard Unix redirector to send output to a file:
$ masscan 10.11.0.0/16 --top-ports 100 > results.txt
But in addition to that you also have the following output options:
-oX filename: Output to filename in XML.
-oG filename: Output to filename in Grepable format.
-oJ filename: Output to filename in JSON format.
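Once the output is on disk you still have to turn it into something usable and confirm the scan stayed in scope. The following Python script is an added example, not code from the post or from the masscan project: it parses the one-line-per-port “Discovered open port …” records masscan prints to stdout (the text redirected into results.txt above), groups them per host, and flags any host that falls inside a range from an exclude.txt file, so a scan that accidentally hit an excluded range is caught before the results go anywhere. The sample output and exclude file are constructed.

```python
"""Triage masscan's stdout records and audit them against an exclude file.

Added example; not from the original post or the masscan project.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what masscan writes to stdout during a scan
# (the same text the post redirects into results.txt). Only the
# "Discovered open port ..." lines carry results; the rest is status.
SAMPLE_STDOUT = """\
Scanning 65536 hosts [3 ports/host]
Discovered open port 443/tcp on 10.11.4.20
Discovered open port 80/tcp on 10.11.4.20
Discovered open port 8080/tcp on 10.11.200.7
Discovered open port 443/tcp on 10.11.250.3
rate:  0.00-kpps, 100.00% done, 0:00:00 remaining, found=4
"""

# Constructed exclude.txt: ranges the scan was supposed to skip.
# This loader handles the CIDR and single-address forms only.
SAMPLE_EXCLUDE = """\
# out-of-scope ranges agreed with the network owner
10.11.250.0/24
10.11.4.20
"""

DISCOVERED = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>[a-z]+) on (?P<ip>[0-9a-fA-F.:]+)$"
)


def parse_discovered(text):
    """Group 'Discovered open port' lines into {ip: {(port, proto), ...}}."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = DISCOVERED.match(line.strip())
        if not m:
            continue  # banner, progress and rate lines are not results
        hosts[m["ip"]].add((int(m["port"]), m["proto"]))
    return dict(hosts)


def load_excludes(text):
    """Parse an exclude file with one IP or CIDR per line; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def out_of_scope(hosts, excludes):
    """Map each result host that sits inside an excluded range to that range."""
    flagged = {}
    for ip in hosts:
        addr = ipaddress.ip_address(ip)
        hit = next((net for net in excludes if addr in net), None)
        if hit is not None:
            flagged[ip] = str(hit)
    return flagged


def summarize(hosts):
    """Return {ip: ['80/tcp', '443/tcp', ...]} with ports in numeric order."""
    return {
        ip: [f"{port}/{proto}" for port, proto in sorted(ports)]
        for ip, ports in sorted(hosts.items())
    }


if __name__ == "__main__":
    found = parse_discovered(SAMPLE_STDOUT)
    for ip, ports in summarize(found).items():
        print(f"{ip}: {', '.join(ports)}")
    leaked = out_of_scope(found, load_excludes(SAMPLE_EXCLUDE))
    for ip, net in leaked.items():
        print(f"OUT OF SCOPE: {ip} is inside excluded range {net}")
```

For a real run, read results.txt and exclude.txt from disk instead of the constructed strings; any host the script flags means the --excludefile list and the scan that was actually run disagree.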
Nmap Functionality
As mentioned initially, masscan is built to work much like nmap, which makes it familiar to many security people. You can see the full list of nmap-like functionality by passing the --nmap switch. Here are some of the nmap-like options that are available:
-iL filename: Read targets from a file.
--exclude range: Exclude a network on the command line.
--excludefile filename: Exclude networks from a file.
-S ip: Spoof the source IP.
-v: Verbose output.
-vv: Very verbose output.
-e interface: Use the specified interface.
Quickstart
Ok, here are some quick and functional scan examples that you can start with and then tweak to your taste and requirements.
We’re assuming here that you want to scan quickly.
Scan a Network for Web Ports
$ masscan 10.11.0.0/16 -p80,443,8080 --rate 1000000
Scan a Network for the Top 10 Ports
$ masscan 10.11.0.0/16 --top-ten --rate 1000000
Scan a Network for All Ports
$ masscan 10.11.0.0/16 -p0-65535 --rate 1000000
Scan The Internet for A Port
We’ve increased the speed to 10 million packets per second, which will max you out.
$ masscan 0.0.0.0/0 -p443 --rate 10000000
Scan The Internet for All Ports
In general you should expect bad and/or amazing things to happen if you try this.
$ masscan 0.0.0.0/0 -p0-65535 --rate 10000000
Summary
There are other options available that you can get from following the readme.md for the source code repository, but this primer should get you up and running nicely.
Happy (speed) scanning!
Notes
There are a number of defaults that are enabled with masscan that need to be defined explicitly with nmap, simply because the scanners work in different ways. For example, masscan always treats all hosts as online, always randomizes the scan order, always uses a SYN-based scan, never does DNS resolution, and sends its packets using raw libpcap.
One thing that’s fairly unique to masscan is that you can easily pause and resume scans. When you press ctrl-c a file is created called paused.conf that has all the settings and progress from the scan. You can resume that scan with --resume paused.conf.
The project readme.
—