
Zmap - Powerful Scanning Tool

Zmap - The Internet Scanner

ZMap can scan the entire IPv4 Internet for a single port in about 45 minutes over a 1 Gbps connection.

Development

ZMap was developed in 2013 by a team of researchers at the University of Michigan (David Adrian, Zakir Durumeric, Gulshan Singh, and J. Alex Halderman). It was designed to scan the entire IPv4 address space for Internet-wide security research, rather than a single host or a range of IPs. With a 1 Gigabit connection, one can scan the entire Internet for a single port in about 45 minutes. The same scan would take more than a month with nmap.

Speed

This kind of speed opens up possibilities for scanning that were not practical before. For instance, one of the ZMap developers estimated the extent of power outages during Superstorm Sandy by repeatedly scanning the affected region and comparing which addresses stopped responding. The same technique can measure when, and how widely, new protocols and technologies are adopted around the world. For estimating the attack surface of the global Internet, the possibilities seem almost limitless.

How ZMap Works

In essence, ZMap can give us an almost real-time picture of the Internet's attack surface. This is precisely what a service such as Censys does, using ZMap to collect its data.

ZMap gets its speed from two design choices. First, it is stateless: it transmits probes as fast as the link allows and never waits for a reply before sending the next one. Instead of keeping a per-target table, it encodes a scan-specific secret into fields of each probe (for TCP SYN scans, the source port and sequence number) and validates incoming responses against that, so unsolicited or spoofed packets are discarded. nmap, by contrast, tracks every outstanding probe with timeouts and retransmissions, which bounds how much it can keep in flight; the ZMap paper measured roughly a 1,300-fold speedup over nmap at its most aggressive settings. Second, the target order is computed rather than stored. The IPv4 space has 2^32 addresses; ZMap takes the smallest prime above that, p = 2^32 + 15, whose nonzero residues form a cyclic multiplicative group. Starting from a random element and repeatedly multiplying by a random generator visits every element of the group exactly once, so the scan covers every address from 1 to 2^32 - 1 in pseudorandom order (the fifteen values at or above 2^32 are skipped, and 0.0.0.0 is never produced). Only the generator, the start value and the current value are needed, which makes the permutation cheap to resume or to split across machines, and the random order spreads probes across networks instead of hammering one prefix at a time.
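The following Python is an added example, not ZMap's own code: it reimplements that permutation for any power-of-two address space and checks the claim that each address is visited exactly once. It uses the same modulus as ZMap for the IPv4 case (p = 2^32 + 15), but its generator selection and shard bookkeeping are a simplification of what ZMap's cyclic.c and shard.c do; the --shards/--shard split (shard i takes every N-th element of the single cycle) is an assumption that mirrors ZMap's exponent stepping. The /24 used for the demonstration, 192.0.2.0/24, is the documentation range and was chosen for the example.

```python
"""Pseudorandom permutation of an address space via a cyclic multiplicative
group, ZMap-style.  Added example, not ZMap's code."""
import ipaddress
import random


def is_prime(n: int) -> bool:
    """Trial division; fast enough for n just above 2**32."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (for 2**32 this is 4294967311, ZMap's modulus)."""
    c = n + 1
    while not is_prime(c):
        c += 1
    return c


def prime_factors(n: int) -> list:
    """Distinct prime factors of n, by trial division."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g: int, p: int, factors: list) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def cyclic_params(space_bits: int, seed: int):
    """Modulus p = smallest prime above the space, plus a seeded random generator and start."""
    n = 1 << space_bits
    p = next_prime(n)
    factors = prime_factors(p - 1)
    rng = random.Random(seed)          # ZMap seeds from -e/--seed or a random value
    g = rng.randrange(2, p)
    while not is_generator(g, p, factors):
        g = rng.randrange(2, p)
    return n, p, g, rng.randrange(1, p)


def shard_iter(space_bits: int, seed: int, shard: int = 0, shards: int = 1):
    """Yield each integer in [1, 2**space_bits) exactly once, in pseudorandom order,
    restricted to one shard.  Element k of the cycle is start * g**k mod p; shard i owns
    exponents i, i+shards, i+2*shards, ... up to p-2 (assumed to mirror ZMap's sharding),
    so the shards partition the cycle and each needs only (current value, count) as state."""
    if not 0 <= shard < shards:
        raise ValueError("shard index out of range")
    n, p, g, start = cyclic_params(space_bits, seed)
    step = pow(g, shards, p)
    x = start * pow(g, shard, p) % p
    remaining = (p - 2 - shard) // shards + 1
    for _ in range(remaining):
        if x < n:                      # group elements >= 2**bits are not addresses: skip
            yield x
        x = x * step % p


def scan_order(network: str, seed: int, shard: int = 0, shards: int = 1) -> list:
    """Addresses of `network` in ZMap-style order; host 0 of the block is never emitted."""
    net = ipaddress.ip_network(network)
    bits = net.max_prefixlen - net.prefixlen
    if bits == 0:
        return [str(net.network_address)]
    base = int(net.network_address)
    return [str(ipaddress.ip_address(base + x))
            for x in shard_iter(bits, seed, shard, shards)]


if __name__ == "__main__":
    order = scan_order("192.0.2.0/24", seed=7)   # 192.0.2.0/24 is a documentation range
    print(order[:8], "...", len(order), "addresses, all distinct:", len(set(order)) == len(order))
    print("IPv4 modulus:", next_prime(1 << 32))
    for i in range(3):
        print("shard", i, "of 3 starts", scan_order("192.0.2.0/24", seed=7, shard=i, shards=3)[:4])
```

The same code handles the full IPv4 space (shard_iter(32, seed)) without ever materialising the 2^32 values; only the modulus search and the factoring of p - 1 take a noticeable fraction of a second.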

Figure: ZMap scanning model

Installing

ZMap is in the Kali repository, so you can install it from there:

sudo apt install zmap

Zmap Help

┌──(bhaskar㉿anon)-[~]
└─$ zmap -h -o ~/Desktop/zmap.txt
Usage: zmap [OPTION]... [SUBNETS]...
A fast Internet-wide scanner.

Basic arguments:
  -p, --target-port=port        port number to scan (for TCP and UDP scans)
  -o, --output-file=name        Output file
  -b, --blacklist-file=path     File of subnets to exclude, in CIDR notation,
                                  e.g. 192.168.0.0/16
  -w, --whitelist-file=path     File of subnets to constrain scan to, in CIDR
                                  notation, e.g. 192.168.0.0/16

Scan options:
  -r, --rate=pps                Set send rate in packets/sec
  -B, --bandwidth=bps           Set send rate in bits/second (supports suffixes
                                  G, M and K)
  -n, --max-targets=n           Cap number of targets to probe (as a number or
                                  a percentage of the address space)
  -t, --max-runtime=ses         Cap length of time for sending packets
  -N, --max-results=n           Cap number of results to return
  -P, --probes=n                Number of probes to send to each IP
                                  (default=`1')
  -c, --cooldown-time=secs      How long to continue receiving after sending
                                  last probe  (default=`8')
  -e, --seed=n                  Seed used to select address permutation
      --retries=n               Max number of times to try to send packet if
                                  send fails  (default=`10')
  -d, --dryrun                  Don't actually send packets
      --shards=N                Set the total number of shards  (default=`1')
      --shard=n                 Set which shard this scan is (0 indexed)
                                  (default=`0')

Network options:
  -s, --source-port=port|range  Source port(s) for scan packets
  -S, --source-ip=ip|range      Source address(es) for scan packets
  -G, --gateway-mac=addr        Specify gateway MAC address
      --source-mac=addr         Source MAC address
  -i, --interface=name          Specify network interface to use
  -X, --vpn                     Sends IP packets instead of Ethernet (for VPNs)

Probe Modules:
  -M, --probe-module=name       Select probe module  (default=`tcp_synscan')
      --probe-args=args         Arguments to pass to probe module
      --list-probe-modules      List available probe modules

Data Output:
  -f, --output-fields=fields    Fields that should be output in result set
  -O, --output-module=name      Select output module  (default=`default')
      --output-args=args        Arguments to pass to output module
      --output-filter=filter    Specify a filter over the response fields to
                                  limit what responses get sent to the output
                                  module
      --list-output-modules     List available output modules
      --list-output-fields      List all fields that can be output by selected
                                  probe module

Logging and Metadata:
  -v, --verbosity=n             Level of log detail (0-5)  (default=`3')
  -l, --log-file=name           Write log entries to file
  -L, --log-directory=directory Write log entries to a timestamped file in this
                                  directory
  -m, --metadata-file=name      Output file for scan metadata (JSON)
  -u, --status-updates-file=name
                                Write scan progress updates to CSV file
  -q, --quiet                   Do not print status updates
      --disable-syslog          Disables logging messages to syslog
      --notes=notes             Inject user-specified notes into scan metadata
      --user-metadata=json      Inject user-specified JSON metadata into scan
                                  metadata

Additional options:
  -C, --config=filename         Read a configuration file, which can specify
                                  any of these options
                                  (default=`/etc/zmap/zmap.conf')
      --max-sendto-failures=n   Maximum NIC sendto failures before scan is
                                  aborted  (default=`-1')
      --min-hitrate=n           Minimum hitrate that scan can hit before scan
                                  is aborted  (default=`0.0')
  -T, --sender-threads=n        Threads used to send packets  (default=`1')
      --cores=STRING            Comma-separated list of cores to pin to
      --ignore-invalid-hosts    Ignore invalid hosts in whitelist/blacklist
                                  file
  -h, --help                    Print help and exit
  -V, --version                 Print version and exit

Examples:
    zmap -p 80 (scan the Internet for hosts on tcp/80 and output to stdout)
    zmap -N 5 -B 10M -p 80 (find 5 HTTP servers, scanning at 10 Mb/s)
    zmap -p 80 10.0.0.0/8 192.168.0.0/16 -o (scan both subnets on tcp/80)
    zmap -p 80 1.2.3.4 10.0.0.3 (scan 1.2.3.4, 10.0.0.3 on tcp/80)

In the network options, note that you can specify the source port (-s), the source IP (-S), the gateway MAC (-G), the interface (-i) and VPN mode (-X, which sends raw IP packets instead of Ethernet frames for tunnel interfaces).

Run a Zmap scan

The basic syntax for running ZMap is simply:

zmap -p <port> <IP address> -o <outfile>

So, to scan the 256 addresses of a /24 (129.227.0.0 through 129.227.0.255), we can enter:

kali > sudo zmap -p 80 129.227.0.0/24 -o IPresults.csv

Where:

  • -p 80 = probe TCP port 80

  • 129.227.0.0/24 = scan these 256 IP addresses

  • -o IPresults.csv = write the results to a file named IPresults.csv; the .csv extension makes ZMap pick the csv output module, as the "output module: csv" log line below confirms

When we hit Enter, ZMap scans this address space, printing progress updates to the terminal while the results go to the file.

┌──(bhaskar㉿anon)-[~]
└─$ sudo zmap -p 80 129.227.0.0/24 -o IPresults.csv                                                                              1 ⨯
Mar 25 12:59:11.752 [WARN] blacklist: ZMap is currently using the default blacklist located at /etc/zmap/blacklist.conf. By default, this blacklist excludes locally scoped networks (e.g. 10.0.0.0/8, 127.0.0.1/8, and 192.168.0.0/16). If you are trying to scan local networks, you can change the default blacklist by editing the default ZMap configuration at /etc/zmap/zmap.conf.
Mar 25 12:59:11.757 [INFO] zmap: output module: csv
 0:00 0%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:01 13%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:02 25%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:03 38%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:04 50%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:05 63% (3s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:06 75% (2s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:07 88% (1s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:08 101% (0s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
Mar 25 12:59:20.855 [INFO] zmap: completed

As you can see, ZMap sent all 256 probes in well under a second and then spent the default 8-second cooldown (-c) waiting for late replies; nmap would have spent considerably longer on the same range because it waits on each host. Note the hitrate of 0.00%: no host in this block answered on tcp/80, so the CSV file is empty.

Scan Your LAN

Next, let's use ZMap to scan our local area network. We can use the same command and options as above, but with a private address range as the target:

sudo zmap -p 80 192.168.0.0/16 -o LANresults.csv

If ZMap reports an error or sends no probes at all, it is because the default blacklist excludes the private ranges so that Internet-wide scans never touch local networks by accident. One fix is to edit that file:

┌──(bhaskar㉿anon)-[~]
└─$ sudo nano /etc/zmap/blacklist.conf

Comment out the private-network lines and save. A less invasive alternative is to leave the system-wide default alone and pass your own exclusion file for this scan only with -b (an empty file disables all exclusions), so later Internet-wide scans keep their safety net.

Figure: blacklist configuration file

Then you can scan the entire local area network in seconds. Note that in the run below the target is given as 192.168.0.0 with no prefix length, so ZMap treats it as a single host (send: 1 done); give a CIDR such as 192.168.0.0/24 to cover the whole LAN.

┌──(bhaskar㉿anon)-[~]
└─$ sudo zmap -p 80 192.168.0.0 -o Local.txt
Mar 25 13:04:49.979 [WARN] blacklist: ZMap is currently using the default blacklist located at /etc/zmap/blacklist.conf. By default, this blacklist excludes locally scoped networks (e.g. 10.0.0.0/8, 127.0.0.1/8, and 192.168.0.0/16). If you are trying to scan local networks, you can change the default blacklist by editing the default ZMap configuration at /etc/zmap/zmap.conf.
Mar 25 13:04:49.984 [WARN] zmap: too few targets relative to senders, dropping to one sender
Mar 25 13:04:49.985 [INFO] zmap: output module: csv
 0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:00 0%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:01 13%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:02 25%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:03 38%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:04 50%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:05 63% (3s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:06 75% (2s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:07 88% (1s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
 0:08 101% (0s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
Mar 25 13:04:59.059 [INFO] zmap: completed

Be careful when using ZMap on your own LAN: at full speed it can saturate the uplink or overwhelm a small switch and cause a denial of service (DoS) condition. Cap the send rate. -B limits bits per second (10M is 10 Mb/s, which for a 54-byte TCP SYN probe works out to roughly 16,000 packets per second once Ethernet framing overhead is counted); if you want an exact packet-per-second ceiling, for example 10,000 packets per second, use -r 10000 instead. With the bandwidth cap the command becomes:

sudo zmap -B 10M -p 80 192.168.0.0/16 -o LANresults.csv
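
As an added example (not part of this post or of ZMap), the Python below does the arithmetic behind this section before any packet is sent: it parses a blacklist in ZMap's format, counts how many of the requested targets survive it (which is why the LAN scan above sends nothing until the private ranges are removed, and why the earlier /24 is 256 addresses), and converts a -B bandwidth into the packet rate ZMap will actually use so you can see how long a run should take. The sample blacklist is constructed inline to mirror the three ranges named in the warning; the -B conversion (bits per second divided by the on-wire size of one probe, taken as the 54-byte SYN plus 24 bytes of Ethernet preamble, FCS and inter-frame gap) is an assumption about ZMap's behaviour, and the cooldown is the -c default of 8 seconds.

```python
"""Pre-flight planner for a ZMap run: targets left after the blacklist, and the
time the scan takes at a given -r or -B.  Added example, not part of ZMap."""
import ipaddress

# Constructed sample in ZMap's blacklist format (one CIDR per line, '#' comments);
# these three entries mirror the locally scoped networks named in the Kali warning.
SAMPLE_BLACKLIST = """\
# locally scoped networks
10.0.0.0/8
127.0.0.0/8
192.168.0.0/16
"""

# Assumption: ZMap turns -B into a packet rate by dividing bits/s by the on-wire size
# of one probe, i.e. the 54-byte TCP SYN plus 24 bytes of Ethernet preamble, FCS and gap.
TCP_SYN_PROBE_BYTES = 54
ETHERNET_OVERHEAD_BYTES = 24
DEFAULT_COOLDOWN_S = 8                 # ZMap's -c default


def parse_cidr_list(text: str) -> list:
    """Parse blacklist/whitelist text: skip blanks and comments, merge overlapping nets."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def count_targets(target_cidrs: list, blacklist: list) -> int:
    """Addresses in the targets not covered by the blacklist.
    Both sides are collapsed first, so every pair of networks is either nested or disjoint."""
    targets = ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in target_cidrs)
    total = 0
    for t in targets:
        excluded = 0
        for b in blacklist:
            if t.subnet_of(b):         # whole target block is blacklisted
                excluded = t.num_addresses
                break
            if b.subnet_of(t):         # a blacklisted block sits inside the target
                excluded += b.num_addresses
        total += t.num_addresses - excluded
    return total


def rate_from_bandwidth(bits_per_second: int) -> int:
    """Packets per second for a -B value (integer division, as a rate counter would do)."""
    return bits_per_second // (8 * (TCP_SYN_PROBE_BYTES + ETHERNET_OVERHEAD_BYTES))


def plan_scan(target_cidrs: list, blacklist_text: str, rate_pps: int = None,
              bandwidth_bps: int = None, cooldown_s: int = DEFAULT_COOLDOWN_S) -> dict:
    """Summarise a run before typing it: surviving targets, effective pps, and a wall-clock
    estimate (send phase plus the cooldown during which ZMap keeps listening)."""
    if rate_pps is None and bandwidth_bps is None:
        raise ValueError("give -r (rate_pps) or -B (bandwidth_bps)")
    n = count_targets(target_cidrs, parse_cidr_list(blacklist_text))
    pps = rate_pps if rate_pps is not None else rate_from_bandwidth(bandwidth_bps)
    seconds = n / pps + cooldown_s if pps > 0 else None
    return {"targets": n, "rate_pps": pps, "seconds": seconds}


if __name__ == "__main__":
    for cidrs, kw in [(["129.227.0.0/24"], {"rate_pps": 10_000}),
                      (["192.168.0.0/16"], {"bandwidth_bps": 10_000_000}),
                      (["0.0.0.0/0"], {"bandwidth_bps": 1_000_000_000})]:
        print(cidrs, plan_scan(cidrs, SAMPLE_BLACKLIST, **kw))
```

Run on 0.0.0.0/0 at 1 Gb/s the planner reports about 44 minutes, which is where the 45-minute figure at the top of this page comes from; run on 192.168.0.0/16 with the default blacklist it reports zero targets, which is the LAN problem described above.
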
This post is licensed under CC BY 4.0 by the author.