ZMap – The Fast Internet Scanner

Last Release: 09/11/2015     Last Commit: 05/12/2019


Introduction

Whether you are a pentester or you just like scanning networks, you probably already know all about ZMap, the fast Internet scanner. For those who don’t, let’s take a look at some details.


ZMap is an open-source, fast Internet scanner designed for Internet-wide network surveys: it can perform comprehensive scans of the entire IPv4 address space, or large portions of it, in very little time. ZMap is capable of scanning the entire IPv4 address space in around 45 minutes on a gigabit network connection, and with a 10GigE connection and PF_RING it can do so in about 5 minutes.

Unlike earlier network tools, ZMap is specifically architected to scan the entire address space. It runs on GNU/Linux, macOS and BSD, and supports TCP SYN and ICMP echo request probes.

ZMap Installation

ZMap can be installed through the built-in package manager of the following operating systems with one of these commands:

  • sudo yum install zmap – Fedora 19+ or EPEL 6+
  • sudo apt install zmap  – Debian 8+ or Ubuntu 14.04+
  • sudo emerge zmap – Gentoo
  • brew install zmap – macOS (using Homebrew)
  • sudo pacman -S zmap – Arch Linux

ZMap has a number of dependencies, such as CMake, GMP, libdnet and Gengetopt. To install the required dependencies, run the following commands:

  • RHEL- and Fedora-based systems (including CentOS):
sudo yum install cmake gmp-devel gengetopt libpcap-devel flex byacc json-c-devel libunistring-devel
  • Debian-based systems (including Ubuntu):
sudo apt-get install build-essential cmake libgmp3-dev gengetopt libpcap-dev flex byacc libjson-c-dev pkg-config libunistring-dev
  • macOS systems (using Homebrew):
brew install pkg-config cmake gmp gengetopt json-c byacc libdnet libunistring

To compile ZMap, run:

cmake .
make -j4

and then install it with sudo make install.

Note: Redis support is not enabled by default. If you want to use ZMap with Redis, you will first need to install hiredis (the Redis client library for C), which is packaged as:

  • libhiredis-dev – Debian/Ubuntu;
  • hiredis-devel – Fedora/RHEL/CentOS.

Then run cmake with the option -DWITH_REDIS=ON (for example cmake -DWITH_REDIS=ON .).

ZMap Options

The terminal screenshot shows the basic and scan options. We’ll list the network and advanced options below (there are also output options, additional options, UDP probe module options, output filters, etc.).

[Screenshot: ZMap basic and scan options]

By default, ZMap attempts to scan at the line speed of your Ethernet interface and can easily use 1 Gbit/s of bandwidth. Use the -B (--bandwidth) option to set a maximum bandwidth, so that you do not saturate your own network and upstream connection.

Network Options

-s, --source-port=port|range
    Source port(s) for scan packets

-S, --source-ip=ip|range
    Source address(es) for scan packets

-G, --gateway-mac=addr
    Specify gateway MAC address. All packets will be sent to this Ethernet address.

-i, --interface=name
    Specify network interface to use.

-X, --vpn
    If using ZMap through a VPN, use this option. Instead of sending raw Ethernet frames, ZMap will send IP packets. When using this option, it is generally also necessary to provide the interface (through the -i flag).

Probe Options

-M, --probe-module=name
    Select probe module (default=tcp_synscan)

-O, --output-module=name
    Select output module  (default=simple_file)

-f, --output-fields=fields
    Fields that should be output in result set; see --list-output-fields

    --probe-args=args
    Arguments to pass to probe module

    --output-args=args
    Arguments to pass to output module

    --list-output-modules
    List available output modules

    --list-probe-modules
    List available probe modules

    --list-output-fields
    List all fields that can be output (using --output-fields) by the selected probe module

ZMap Examples

By default, ZMap performs a TCP SYN scan on the specified port at the maximum rate possible. With a conservative configuration, ZMap can scan 10,000 random addresses on port 80, capped at 10 Mbps, with the following command:

$ zmap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.csv

or:

$ zmap -B 10M -p 80 -n 10000 -o results.csv

If the scan is running successfully, you’ll see real-time status updates showing the current state of the scan. They should look something like this:

0% (1h51m left); send: 28777 562 Kp/s (560 Kp/s avg); recv: 1192 248 p/s (231 p/s avg); hits: 0.04%
0% (1h51m left); send: 34320 554 Kp/s (559 Kp/s avg); recv: 1442 249 p/s (234 p/s avg); hits: 0.04%
0% (1h50m left); send: 39676 535 Kp/s (555 Kp/s avg); recv: 1663 220 p/s (232 p/s avg); hits: 0.04%
0% (1h50m left); send: 45372 570 Kp/s (557 Kp/s avg); recv: 1890 226 p/s (232 p/s avg); hits: 0.04%
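As an added example (not from the article or the ZMap project), the following Python parses status lines of the shape shown above into numeric fields, normalising the "Kp/s" and "p/s" units, and reports when a scan is sending probes but receiving nothing, or is sending faster than an operator-chosen limit. The sample lines and the function names parse_status and check_health (with its max_send_pps parameter) are constructed for the example.

```python
import re

# Constructed sample in the shape of ZMap's real-time status lines.
SAMPLE_STATUS = """\
0% (1h51m left); send: 28777 562 Kp/s (560 Kp/s avg); recv: 1192 248 p/s (231 p/s avg); hits: 0.04%
0% (1h50m left); send: 45372 570 Kp/s (557 Kp/s avg); recv: 1890 226 p/s (232 p/s avg); hits: 0.04%
"""

RATE = r"([\d.]+) (K?)p/s"  # "<n> p/s" or "<n> Kp/s" (thousands of packets/s)
STATUS_RE = re.compile(
    r"^\s*([\d.]+)% \((.*?) left\); "
    r"send: (\d+) " + RATE + r" \(" + RATE + r" avg\); "
    r"recv: (\d+) " + RATE + r" \(" + RATE + r" avg\); "
    r"hits: ([\d.]+)%\s*$"
)
SCALE = {"": 1, "K": 1000}

def parse_status(line):
    """Parse one status line into numeric fields; rates are in packets/s."""
    m = STATUS_RE.match(line)
    if not m:
        return None
    g = m.groups()
    return {
        "percent": float(g[0]),
        "time_left": g[1],
        "sent": int(g[2]),
        "send_pps": float(g[3]) * SCALE[g[4]],
        "send_avg_pps": float(g[5]) * SCALE[g[6]],
        "recv": int(g[7]),
        "recv_pps": float(g[8]) * SCALE[g[9]],
        "recv_avg_pps": float(g[10]) * SCALE[g[11]],
        "hit_rate": float(g[12]) / 100,  # "0.04%" -> 0.0004
    }

def check_health(text, max_send_pps=None):
    """Inspect the latest parseable status line and return warning strings."""
    latest = None
    for line in text.splitlines():
        parsed = parse_status(line)
        if parsed is not None:
            latest = parsed
    if latest is None:
        return ["no ZMap status line recognised"]
    warnings = []
    if latest["sent"] > 0 and latest["recv"] == 0:
        warnings.append("probes sent but nothing received: check -i/-G/-X settings")
    if max_send_pps is not None and latest["send_pps"] > max_send_pps:
        warnings.append(f"send rate {latest['send_pps']:.0f} p/s exceeds {max_send_pps} p/s")
    return warnings
```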

It is recommended to use a blacklist file to exclude reserved and unallocated IP space from the scan. ZMap uses a simple blacklist file by default, located at /etc/zmap/blacklist.conf.

Also, if you want to apply certain settings (maximum bandwidth, blacklist file, etc.) every time you run ZMap, you can use a custom configuration file or specify the settings in ZMap’s main configuration file, /etc/zmap/zmap.conf.
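As an added example (not part of the article or of ZMap itself), here is a Python helper that reads text in the blacklist.conf format (one network in CIDR notation per line, with # comments) and reports which candidate targets the blacklist would exclude, so a scan’s scope can be verified before it is launched. The sample blacklist and target addresses are constructed, and parse_blacklist, excluded and split_targets are names chosen for the example.

```python
import ipaddress

# Constructed sample in the format ZMap's blacklist.conf uses: one network in
# CIDR notation per line, '#' starts a whole-line or trailing comment.
# The entries are a subset of the well-known reserved/special-purpose blocks.
SAMPLE_BLACKLIST = """\
# Reserved / non-routable IPv4 space (constructed sample)
0.0.0.0/8          # RFC 1122: "this" network
10.0.0.0/8         # RFC 1918: private use
127.0.0.0/8        # RFC 1122: loopback
169.254.0.0/16     # RFC 3927: link local
172.16.0.0/12      # RFC 1918: private use
192.168.0.0/16     # RFC 1918: private use
224.0.0.0/4        # RFC 5771: multicast
240.0.0.0/4        # RFC 1112: reserved, includes limited broadcast
"""


def parse_blacklist(text):
    """Parse blacklist.conf text into a list of ip_network objects.

    Empty and comment lines are skipped and trailing comments stripped.
    A malformed entry raises ValueError naming the offending line.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"blacklist line {lineno}: {exc}") from None
    return networks


def excluded(ip, networks):
    """True if ip falls inside any blacklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def split_targets(targets, networks):
    """Partition candidate targets into (allowed, excluded) lists."""
    allowed, dropped = [], []
    for target in targets:
        (dropped if excluded(target, networks) else allowed).append(target)
    return allowed, dropped
```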