Scanning Tools are Stronger than Ever.

… and acutely aggressive. Scanning for particular weaknesses in common software needs to start somewhere. The kill chain starts with recon. What better way to eliminate wasted effort than getting a shiny new hit list on an hourly basis?

Introducing MASSCAN, a mass port scanner.

An Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.  It’s open source, published by a guy in the open, funded by a bitcoin wallet (0.6 bitcoins).

A nation-state or lone wolf tool.

Scanning software such as this is often used to sweep massive sections of the internet, but it can cover anything from swaths of IP addresses assigned to macro regions like Europe, North America or Asia, to organisational assignments, like your local telecom or that insurance company down the road. Reasonable scanning power and reporting capabilities can easily run on micro-hardware deployed physically inside your organisation, and the reporting is devastating when the probing comes from inside the perimeter defense.

Are you watching?

RiPPUL caught this drive-by scan on one of our customer’s sites.  Our Managed Security Operations Centre constantly monitors networks for signatures in web logs like this. 

x.x.x.x (y.y.y.y) - - [14/May/2019:14:40:33 +0000] "GET /admin.php HTTP/1.1" 302 215 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"

You must protect your devices and prevent these scanners from further targeting your Internet-available applications. While solutions may involve IPS, Dynamic Firewall Rules, or IP Blacklists, we had already advised and implemented an effective defense where the /admin.php page never exists in the first place. Change it, filter it, watch it. Defense in depth. If you have the option, why not change it quickly to /random1234admin.php? Note that the 302 redirect is simply a “page not found” template, which dissuades scanners more than 404s do. That’s a psychological argument to be made in another post about “knowing your adversary”.
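
As an added example (not RiPPUL's tooling or code from the original post), here is one way to watch web logs for this signature: it parses lines in the format quoted above and flags both the masscan user agent and any request for the retired /admin.php path, so a probe is still caught when the user agent looks like a browser. The names SCANNER_AGENTS and RETIRED_PATHS and the sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Layout of the log line quoted in the post:
# client (forwarded) - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \((?P<fwd>[^)]*)\) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumptions for this example, to be tuned per site
SCANNER_AGENTS = ("masscan",)      # substrings of self-identifying scanners
RETIRED_PATHS = {"/admin.php"}     # paths that no longer exist on the site

def classify(line):
    """Return (client, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    reasons = set()
    if any(s in m["agent"].lower() for s in SCANNER_AGENTS):
        reasons.add("scanner-user-agent")
    # Compare the path without its query string
    if m["path"].split("?", 1)[0] in RETIRED_PATHS:
        reasons.add("retired-path")
    return (m["client"], reasons) if reasons else None

def summarize(lines):
    """Map each flagged client address to the reasons seen for it."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]] |= result[1]
    return dict(hits)

# Constructed sample lines using documentation address ranges
SAMPLE = [
    '192.0.2.10 (198.51.100.7) - - [14/May/2019:14:40:33 +0000] "GET /admin.php HTTP/1.1" 302 215 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"',
    '192.0.2.44 (198.51.100.7) - - [14/May/2019:14:41:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 (198.51.100.7) - - [14/May/2019:14:42:10 +0000] "GET /admin.php?x=1 HTTP/1.1" 302 215 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, reasons in sorted(summarize(SAMPLE).items()):
        print(client, ", ".join(sorted(reasons)))
```

The per-client summary is the kind of output that can feed the dynamic firewall rules or IP blacklists mentioned above.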

Activity surrounding the development of this tool is on the rise.

P.