
Provide a default exclude list of 'bad' ip ranges

Open reedjones opened this issue 3 years ago • 7 comments

Not really a bug or issue but,

In the readme it says:

Scanning the entire Internet is bad. For one thing, parts of the Internet react badly to being scanned. For another thing, some sites track scans and add you to a ban list, which will get you firewalled from useful parts of the Internet. Therefore, you want to exclude a lot of ranges.

I'm wondering is there any known comprehensive list of 'bad' ip ranges?

I've found a few like this

Just wondering if there is any kind of official/comprehensive list?

reedjones avatar Dec 16 '21 04:12 reedjones

Probably not. What are you trying to avoid? It appears most of the ranges in the URL you linked are government ranges.

GodlyEcstasy avatar Dec 17 '21 10:12 GodlyEcstasy

Yeah that's the point. It says in the readme that masscan can scan the whole internet but that you shouldn't. Trying to avoid getting on some blacklist for scanning some military network or something ;)

reedjones avatar Dec 29 '21 01:12 reedjones

Note: In the nmap documentation it says that they do this (filter out 'bad' ranges) when the iR (random hosts) flag is set. Maybe something to look into.

reedjones avatar Jan 05 '22 06:01 reedjones

> Note: In the nmap documentation it says that they do this (filter out 'bad' ranges) when the iR (random hosts) flag is set. Maybe something to look into.

See https://nmap.org/book/host-discovery-specify-targets.html.

> Nmap automatically skips certain undesirable IPs, such as those in private, multicast, or unallocated address ranges.

That's it.

yfdyh000 avatar Mar 01 '22 21:03 yfdyh000

What IPs does nmap skip? https://github.com/nmap/nmap/blob/master/libnetutil/netutil.cc#L427:L485

0.0.0.0/8 is IANA Reserved
127.0.0.0/8 Loopback
10.0.0.0/8 is reserved for private nets by RFC1918
169.254.0.0/16 is reserved for DHCP clients seeking addresses RFC3927
172.16.0.0/12 is reserved for private nets by RFC1918
192.0.2.0/24 is reserved for documentation and examples RFC5737
192.168.0.0/16 is reserved for private nets by RFC1918
192.88.99.0/24 is used as 6to4 Relay anycast prefix by RFC3068
198.18.0.0/15 is used for benchmark tests by RFC2544
198.51.100.0/24 is reserved for documentation RFC5737
203.0.113.0/24 is reserved for documentation RFC5737
224.0.0.0/4 is all multicast stuff
240.0.0.0/4 is IANA reserved

Notably missing is 100.64.0.0/10, reserved for shared address space (RFC6598). Maybe I should submit a PR, right ;)

See also https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

dingusgh avatar Mar 03 '22 08:03 dingusgh

ARIN Reserved IPv4 Address CIDR Blocks: https://gist.github.com/sickcodes/5e72643852e301aac84cf34a0348ef09

0.0.0.0/8
0.0.0.0/32
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.0.0/29
192.0.0.8/32
192.0.0.9/32
192.0.0.10/32
192.0.0.170/32
192.0.0.171/32
192.0.2.0/24
192.31.196.0/24
192.52.193.0/24
192.88.99.0/24
192.168.0.0/16
192.175.48.0/24
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
240.0.0.0/4
255.255.255.255/32

tee -a myscan.conf <<EOF
excludefile = exclude.txt
EOF

masscan ... -c myscan.conf

sickcodes avatar Mar 31 '22 20:03 sickcodes
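An added example, not written by any participant in this thread or by the masscan project: it merges the nmap-skipped ranges from dingusgh's comment with the ARIN list from sickcodes' comment, collapses nested and adjacent blocks, and reports what one list lacks relative to the other. The function names are hypothetical; `exclude.txt` is the file name used in the comment above.

```python
import ipaddress

# Ranges listed in the thread as skipped by nmap (dingusgh's comment).
NMAP_SKIPPED = """
0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24
192.168.0.0/16 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24
224.0.0.0/4 240.0.0.0/4
""".split()

# ARIN reserved blocks listed in the thread (sickcodes' comment).
ARIN_RESERVED = """
0.0.0.0/8 0.0.0.0/32 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.0.8/32 192.0.0.9/32
192.0.0.10/32 192.0.0.170/32 192.0.0.171/32 192.0.2.0/24 192.31.196.0/24
192.52.193.0/24 192.88.99.0/24 192.168.0.0/16 192.175.48.0/24 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 255.255.255.255/32
""".split()


def merged_excludes(*cidr_lists):
    """Union of all lists with duplicate, nested and adjacent blocks collapsed."""
    nets = {ipaddress.ip_network(c) for cidrs in cidr_lists for c in cidrs}
    return list(ipaddress.collapse_addresses(nets))


def missing_from(reference, candidate):
    """Entries of `reference` that `candidate` does not fully cover."""
    covered = merged_excludes(candidate)
    return [n for n in map(ipaddress.ip_network, reference)
            if not any(n.subnet_of(c) for c in covered)]


def is_excluded(addr, excludes):
    """True if `addr` falls inside any excluded network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in excludes)


if __name__ == "__main__":
    excludes = merged_excludes(NMAP_SKIPPED, ARIN_RESERVED)
    # exclude.txt is the file the excludefile setting in the thread points at.
    with open("exclude.txt", "w") as fh:
        fh.write("\n".join(map(str, excludes)) + "\n")
    print(len(excludes), "networks written to exclude.txt")
    print("nmap list lacks:", *missing_from(ARIN_RESERVED, NMAP_SKIPPED))
```

Neither list covers the other: the ARIN list has no multicast block (224.0.0.0/4), and the nmap list lacks 100.64.0.0/10 and the 192.0.0.0/24 family, so the merged file is the safer exclude set.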

There's a suggested exclude.conf in the repo itself: https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf

flotwig avatar Apr 15 '24 11:04 flotwig