Zmap - The Internet Scanner
Zmap can scan the entire Internet in 45 minutes with a 1 Gbps Internet connection
Development
Zmap was developed in 2013 by a team of researchers at the University of Michigan (David Adrian, Zakir Durumeric, Gulshan Singh, and J. Alex Halderman). It was designed to scan the entire Internet for information security purposes, rather than a single IP or a range of IPs. With a 1 Gigabit connection, one can scan the entire Internet for a single port in about 45 minutes! The same scan would take months using nmap.
Speed
This kind of speed opens up scanning possibilities that we could not even imagine before. For instance, one of the developers of Zmap was able to estimate power outages during Superstorm Sandy by scanning all the IP addresses in the area of the storm and then extrapolating from that information which areas had power and which did not. In addition, this tool can be used to determine when and how many systems around the world adopt new technologies. The possibilities of using Zmap seem limitless for estimating the attack surface of the global Internet!
Some More
In essence, Zmap can give us an almost real-time picture of the Internet's attack surface. This is precisely what a service such as Censys attempts to do, using Zmap to collect the data.
Zmap achieves its speed by using cyclic multiplicative groups. This lets ZMap scan the same address space roughly 1,300 times faster than Nmap, which sends a probe and waits for the response before sending the next one. ZMap takes every number from 1 to 2^32 (the IPv4 address space is 32 bits) and uses an iterative formula that guarantees each possible 32-bit value is visited exactly once, in a pseudorandom order.
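The permutation just described, worked through as an added example (illustrative code written for this page, not ZMap's own implementation). ZMap walks the multiplicative group of integers modulo a prime slightly larger than 2^32 (its paper uses p = 2^32 + 15); multiplying the current element by a generator gives the next one, so no per-address state is kept and every element of the group, and therefore every address, comes up exactly once before the walk returns to its start. The small primes 257 and 65537 below stand in for that modulus so that a /24 or a /16 can be covered in a moment; the function names `address_permutation`, `scan_order`, `is_primitive_root` and `prime_factors` are my own.

```python
"""Added example (not ZMap's code): the cyclic-group address permutation.

Iterating the multiplicative group Z_p^* with a primitive root visits every
element 1..p-1 exactly once in a pseudorandom-looking order. Elements larger
than the number of addresses are skipped, so a prime just above the address
count wastes almost nothing. ZMap's real modulus is p = 2^32 + 15; the demo
uses the small Fermat primes 257 and 65537 for which 3 is a primitive root.
"""
import ipaddress
import random


def prime_factors(n):
    """Distinct prime factors by trial division; fine for the small moduli here."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def address_permutation(n_addresses, p, generator, seed):
    """Yield each index in [0, n_addresses) exactly once.

    p must be a prime > n_addresses and generator a primitive root mod p.
    Group elements above n_addresses do not map to an address and are skipped;
    the walk stops once it returns to its starting element.
    """
    if p <= n_addresses or not is_primitive_root(generator, p):
        raise ValueError("need a prime p > n_addresses and a primitive root mod p")
    start = seed % (p - 1) + 1          # any element of Z_p^* = {1, ..., p-1}
    x = start
    while True:
        if x <= n_addresses:
            yield x - 1                  # group element k maps to address index k-1
        x = (x * generator) % p
        if x == start:
            return


def scan_order(network, p, generator, seed):
    """Dotted addresses of `network` in the order a ZMap-style walk visits them."""
    net = ipaddress.ip_network(network, strict=False)
    base = int(net.network_address)
    return [str(ipaddress.IPv4Address(base + i))
            for i in address_permutation(net.num_addresses, p, generator, seed)]


if __name__ == "__main__":
    # 65537 is prime and 3 is a primitive root mod 65537, so a /16 is fully covered.
    order = scan_order("192.168.0.0/16", p=65537, generator=3,
                       seed=random.randrange(1 << 30))
    print(len(order), "addresses; first five:", order[:5])
```

The seed only chooses the starting element (ZMap's -e option plays the same role), so two runs with different seeds visit the same set of addresses in different orders; sorting the output back into address order is how the test below confirms that nothing was skipped or repeated.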
ZMap Scanning Model
Installing
Zmap is present in the Kali repository, so you can install it from there:
sudo apt install zmap
Zmap Help
┌──(bhaskar㉿anon)-[~]
└─$ zmap -h -o ~/Desktop/zmap.txt
Usage: zmap [OPTION]... [SUBNETS]...
A fast Internet-wide scanner.
Basic arguments:
-p, --target-port=port port number to scan (for TCP and UDP scans)
-o, --output-file=name Output file
-b, --blacklist-file=path File of subnets to exclude, in CIDR notation,
e.g. 192.168.0.0/16
-w, --whitelist-file=path File of subnets to constrain scan to, in CIDR
notation, e.g. 192.168.0.0/16
Scan options:
-r, --rate=pps Set send rate in packets/sec
-B, --bandwidth=bps Set send rate in bits/second (supports suffixes
G, M and K)
-n, --max-targets=n Cap number of targets to probe (as a number or
a percentage of the address space)
-t, --max-runtime=ses Cap length of time for sending packets
-N, --max-results=n Cap number of results to return
-P, --probes=n Number of probes to send to each IP
(default=`1')
-c, --cooldown-time=secs How long to continue receiving after sending
last probe (default=`8')
-e, --seed=n Seed used to select address permutation
--retries=n Max number of times to try to send packet if
send fails (default=`10')
-d, --dryrun Don't actually send packets
--shards=N Set the total number of shards (default=`1')
--shard=n Set which shard this scan is (0 indexed)
(default=`0')
Network options:
-s, --source-port=port|range Source port(s) for scan packets
-S, --source-ip=ip|range Source address(es) for scan packets
-G, --gateway-mac=addr Specify gateway MAC address
--source-mac=addr Source MAC address
-i, --interface=name Specify network interface to use
-X, --vpn Sends IP packets instead of Ethernet (for VPNs)
Probe Modules:
-M, --probe-module=name Select probe module (default=`tcp_synscan')
--probe-args=args Arguments to pass to probe module
--list-probe-modules List available probe modules
Data Output:
-f, --output-fields=fields Fields that should be output in result set
-O, --output-module=name Select output module (default=`default')
--output-args=args Arguments to pass to output module
--output-filter=filter Specify a filter over the response fields to
limit what responses get sent to the output
module
--list-output-modules List available output modules
--list-output-fields List all fields that can be output by selected
probe module
Logging and Metadata:
-v, --verbosity=n Level of log detail (0-5) (default=`3')
-l, --log-file=name Write log entries to file
-L, --log-directory=directory Write log entries to a timestamped file in this
directory
-m, --metadata-file=name Output file for scan metadata (JSON)
-u, --status-updates-file=name
Write scan progress updates to CSV file
-q, --quiet Do not print status updates
--disable-syslog Disables logging messages to syslog
--notes=notes Inject user-specified notes into scan metadata
--user-metadata=json Inject user-specified JSON metadata into scan
metadata
Additional options:
-C, --config=filename Read a configuration file, which can specify
any of these options
(default=`/etc/zmap/zmap.conf')
--max-sendto-failures=n Maximum NIC sendto failures before scan is
aborted (default=`-1')
--min-hitrate=n Minimum hitrate that scan can hit before scan
is aborted (default=`0.0')
-T, --sender-threads=n Threads used to send packets (default=`1')
--cores=STRING Comma-separated list of cores to pin to
--ignore-invalid-hosts Ignore invalid hosts in whitelist/blacklist
file
-h, --help Print help and exit
-V, --version Print version and exit
Examples:
zmap -p 80 (scan the Internet for hosts on tcp/80 and output to stdout)
zmap -N 5 -B 10M -p 80 (find 5 HTTP servers, scanning at 10 Mb/s)
zmap -p 80 10.0.0.0/8 192.168.0.0/16 -o (scan both subnets on tcp/80)
zmap -p 80 1.2.3.4 10.0.0.3 (scan 1.2.3.4, 10.0.0.3 on tcp/80)
In the network options, note that you can specify the source port (-s), source IP (-S), the gateway MAC (-G), the interface (-i) and VPN mode (-X).
Run a Zmap scan
The basic syntax for running Zmap is simply:
zmap -p <port> <IP address> -o <outfile>
So, to scan 255 IP addresses on a class B network, we can enter:
kali > sudo zmap -p 80 129.227.0.0/24 -o IPresults.csv
Where:
-p 80 = scan for port 80 open
129.227.0.0/24 = scan these 255 IP addresses
-o IPresults.csv = send the results to a CSV file named IPresults.csv
When we hit Enter, Zmap begins scanning this address space and displays its results on screen (stdout).
┌──(bhaskar㉿anon)-[~]
└─$ sudo zmap -p 80 129.227.0.0/24 -o IPresults.csv 1 ⨯
Mar 25 12:59:11.752 [WARN] blacklist: ZMap is currently using the default blacklist located at /etc/zmap/blacklist.conf. By default, this blacklist excludes locally scoped networks (e.g. 10.0.0.0/8, 127.0.0.1/8, and 192.168.0.0/16). If you are trying to scan local networks, you can change the default blacklist by editing the default ZMap configuration at /etc/zmap/zmap.conf.
Mar 25 12:59:11.757 [INFO] zmap: output module: csv
0:00 0%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:01 13%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:02 25%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:03 38%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:04 50%; send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:05 63% (3s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:06 75% (2s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:07 88% (1s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:08 101% (0s left); send: 256 done (7.33 Kp/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
Mar 25 12:59:20.855 [INFO] zmap: completed
As you can see, Zmap completed its work in a matter of seconds, whereas nmap would likely have taken hours.
Scan Your LAN
Next, let’s try using Zmap to scan our local area network. We can use the same command and options as above, but instead let’s use a local, private IP address.
sudo zmap -p 80 192.168.0.0/16 -o LANresults.csv
If this shows an error, it is because the LAN ranges are blacklisted by default for safety, so try this:
┌──(bhaskar㉿anon)-[~]
└─$ sudo nano /etc/zmap/blacklist.conf
Comment out the local network ranges and save the file.
Blacklist Configuration File
Then you can scan the entire local area network in seconds!
┌──(bhaskar㉿anon)-[~]
└─$ sudo zmap -p 80 192.168.0.0 -o Local.txt
Mar 25 13:04:49.979 [WARN] blacklist: ZMap is currently using the default blacklist located at /etc/zmap/blacklist.conf. By default, this blacklist excludes locally scoped networks (e.g. 10.0.0.0/8, 127.0.0.1/8, and 192.168.0.0/16). If you are trying to scan local networks, you can change the default blacklist by editing the default ZMap configuration at /etc/zmap/zmap.conf.
Mar 25 13:04:49.984 [WARN] zmap: too few targets relative to senders, dropping to one sender
Mar 25 13:04:49.985 [INFO] zmap: output module: csv
0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:00 0%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:01 13%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:02 25%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:03 38%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:04 50%; send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:05 63% (3s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:06 75% (2s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:07 88% (1s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:08 101% (0s left); send: 1 done (43 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
Mar 25 13:04:59.059 [INFO] zmap: completed
Be careful when using Zmap on your local area network. It can easily overwhelm your network and cause a Denial of Service (DoS) condition. It is advisable to limit the rate at which Zmap sends, for example to 10 thousand packets per second, to avoid saturating the network bandwidth. To cap the bandwidth, enter the bandwidth-limiting option -B followed by 10M (10 Mb/s; note from the help output that -B takes bits per second, while -r takes packets per second), such as:
sudo zmap -B 10M -p 80 192.168.0.0/16 -o LANresults.csv