Whether you are pentester or you just like scanning networks, you are probably already know all about ZMap: The Fast Internet Scanner. But for those who don’t, let’s take a look at some details.
ZMap – The Fast Internet Scanner
ZMap is a fast internet scanner (open-source) designed for Internet-wide network surveys and it can perform comprehensive scans of the IPv4 address space or large portions of it in no time. It can achieve incredible results. ZMap is capable of scanning the entire Internet in around 45 minutes on a gigabit network connection, but with a 10gigE connection and PF_RING it can scan the IPv4 address space in 5 minutes.
Unlike previous network tools, the fast internet scanner is specifically architected to scan the entire address space. ZMap operates on GNU/Linux, macOS, BSD and supports TCP SYN and ICMP echo request.
Commands for installation through the built-in package managers on the following operating systems:
sudo yum install zmap– Fedora 19+ or EPEL 6+
sudo apt install zmap– Debian 8+ or Ubuntu 14.04+
sudo emerge zmap– Gentoo
brew install zmap– macOS (using Homebrew)
sudo pacman -S zmap– Arch Linux
- RHEL- and Fedora-based systems (including CentOS):
sudo yum install cmake gmp-devel gengetopt libpcap-devel flex byacc json-c-devel libunistring-devel
- Debian-based systems (including Ubuntu):
sudo apt-get install build-essential cmake libgmp3-dev gengetopt libpcap-dev flex byacc libjson-c-dev pkg-config libunistring-dev
- macOS systems (using Homebrew):
brew install pkg-config cmake gmp gengetopt json-c byacc libdnet libunistring
To compile ZMap, run:
cmake . make -j4
and then install:
sudo make install .
Note: Redis support is not enabled by default. If you want to use ZMap with Redis, you will first need to install hiredis (RedisDB support in C). Then run cmake with:
-DWITH_REDIS = ON.
- libhiredis-dev – Debian/Ubuntu;
- hiredis-devel – Fedora/RHEL/CentOS
The terminal screenshot shows some basic and scan options. We’ll list network and advanced options bellow (there are also output options, additional options, udp probe module options, output filters, etc.).
By default, ZMap attempts to scan at the line speed of your Ethernet interface and can easily use 1 Gbit/second of bandwidth. Use the
-B (--bandwidth) option to set maximum bandwidth (you need to limit your network and upstream connection).
-s, --source-port=port|range Source port(s) for scan packets -S, --source-ip=ip|range Source address(es) for scan packets -G, --gateway-mac=addr Specify gateway MAC address. All packets will be sent to this Ethernet address. -i, --interface=name Specify network interface to use. -X, --vpn If using ZMap through a VPN, use this option. Instead of sending raw Ethernet frames, ZMap will send IP packets. When using this option, it is generally also necessary to provide the interface (through the -i flag).
-M, --probe-module=name Select probe module (default=tcp_synscan) -O, --output-module=name Select output module (default=simple_file) -f, --output-fields=fields Fields that should be output in result set; see --list-output-fields --probe-args=args Arguments to pass to probe module --output-args=args Arguments to pass to output module --list-output-modules List available output modules --list-probe-modules List available probe modules --list-output-fields List all fields that can be output (using --output-fields ) by selected probe module
By default, ZMap will perform a TCP SYN scan on the specified port at the maximum rate possible. With conservative configuration ZMap is capable to scan 10,000 random addresses on port 80 (max 10Mbps) with a following command:
$ zmap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.csv
$ zmap -B 10M -p 80 -n 10000 -o results.csv
If the scan is running successfully, you’ll see real-time status updates (information about the current state of the scan). It should look something like this:
0% (1h51m left); send: 28777 562 Kp/s (560 Kp/s avg); recv: 1192 248 p/s (231 p/s avg); hits: 0.04% 0% (1h51m left); send: 34320 554 Kp/s (559 Kp/s avg); recv: 1442 249 p/s (234 p/s avg); hits: 0.04% 0% (1h50m left); send: 39676 535 Kp/s (555 Kp/s avg); recv: 1663 220 p/s (232 p/s avg); hits: 0.04% 0% (1h50m left); send: 45372 570 Kp/s (557 Kp/s avg); recv: 1890 226 p/s (232 p/s avg); hits: 0.04%
It is recommended to use blacklist file, if you want to exclude both reserved/unallocated IP space. ZMap will utilize a simple blacklist file by default, located at
Also, If you want to specify certain settings (maximum bandwidth, blacklist file, etc.) everytime you run ZMap, you can use a custom configuration file or to specify settings in main conf file of ZMap –