Skip to main content
Masscan performs initial host and port discovery across your entire scope at speeds that nmap cannot match. It transmits raw SYN packets without the TCP/IP stack, reaching scan rates of tens of thousands of packets per second. Use it to identify which hosts have open ports before running a slower, more detailed nmap scan. Open NETWORK → Masscan in the sidebar.

Parameters

ParameterDefaultDescription
TargetIP, CIDR, or comma-separated IPs
Port presetcustomPort range to scan (see below)
Ports1-65535Used when preset is custom
Rate10000Packets per second
Randomize hoststrueShuffle host order (--randomize-hosts)
Open onlytrueSuppress closed/filtered (--open-only)

Port presets

PresetMasscan flag
Top 100--top-ports 100
Top 1000--top-ports 1000
Custom-p <ports> (uses the Ports field)

Sudo requirement

Masscan requires raw socket access and must run as root. EtherReaper will display the sudo modal when you click Start Scan. Enter your sudo password once; it is passed to the subprocess via stdin and never stored in shell history.

Running a scan

1

Enter target

Specify a CIDR range (e.g. 10.10.10.0/24), single IP, or comma-separated list. Large lists are written to a temp file and passed with -iL.
2

Set rate

The default rate of 10000 pps is safe for most lab environments. Lower it if you are concerned about triggering IDS alerts or saturating a slow link.
3

Choose port preset or enter custom ports

For a full-scope sweep, use Top 1000 or set custom ports to 1-65535 (slow — adjust rate accordingly).
4

Enter sudo password

Complete the sudo modal to launch the scan.
5

Review results in Scan History and Hosts

Masscan writes discovered open ports to the hosts database as the scan completes.

Output file

Masscan results are saved as XML: 
recon/masscan_<YYYYMMDD_HHMMSS>.xml
Ownership is fixed back to the operator user after the scan completes.

How results populate the database

After masscan exits, EtherReaper parses the XML and for each host with open ports:
  • Inserts or replaces a row in the hosts table with the IP and comma-separated open port list.
  • Inserts rows into scan_results for each open port (port, protocol, state).
  • Updates the matching scope entry status to scanned.
Masscan does not perform service detection — the services column in hosts will be empty after a masscan-only run. Follow up with an nmap scan to populate service names and versions.
Masscan and nmap complement each other. The typical sequence for a new engagement:
1

Masscan — full port discovery

Run masscan against your full scope with Top 1000 or a custom wide port range. This quickly identifies which hosts are alive and what ports are open.
2

Nmap — service detection

Run nmap with the Default or Thorough preset against the hosts masscan found. Nmap merges its results (ports, services, versions, OS) into the same hosts table rows that masscan populated.
3

Web Screenshots — fingerprint web services

Use the Web Applications database filter in the Web Screenshots tool to automatically target hosts with confirmed open web ports.
Very high scan rates (100k+ pps) can destabilize network equipment and are detectable by most IDS/IPS systems. In authorized assessments, discuss acceptable rates with the client before scanning.

Build docs developers (and LLMs) love

Get started for freeTalk to us