Scan the entire web in 45 minutes with Zmap!

Most of you know the power of nmap and nmap scripts to identify a target and networks in general. These tools can be used for numerous tasks, from simple port scanning to service and version detection. Despite nmap's power and simplicity, it can be tediously slow for scanning very large networks. This is where the innovative Zmap scanner comes into its own.

Zmap was developed in 2013 by a team of researchers at the University of Michigan (David Adrian, Zakir Durumeric, Gulshan Singh and J. Alex Halderman). It was designed to be able to scan the entire Internet for information security purposes, rather than scanning a single IP or a range of IPs. With a 1 Gigabit connection, one can scan the entire Internet for a single port in about 45 minutes! The same scan would take months using nmap.

This kind of speed opens up all new possibilities for scanning that we couldn't even imagine before. For example, one of the Zmap developers was able to estimate power outages during Superstorm Sandy by scanning all the IP addresses in the storm area and then inferring from that information which area had power and which did not. In addition, this tool can be used to determine when and how many systems are adopting new technologies around the world. The possibilities of using Zmap to estimate the surface of an internet attack seem limitless!

In essence, Zmap can provide us with an almost real-time picture of an Internet attack. That's exactly what a service like CenSys tries to do by using Zmap to collect the data.

zmap12

Zmap achieves its speed by using cyclic multiplicative groups. This allows ZMap to scan the same things about 1.300 times faster than Nmap (nmap sends probes and waits for the response before sending the next probe).

ZMap takes each number from 1 to 2 to a power of 32 (the IPv4 address space is 32 bits) and creates an iterative formula that ensures that each of the possible 32-bit numbers is visited once in random order.

mapping

This speed can also be used for exploitation purposes. For example, when someone is connected to a local network it is relatively simple to use all available bandwidth and create an effective denial of service (DoS) situation. Additionally, hackers are able to search the entire Internet for a specific vulnerability faster than administrators can patch their systems.

Step #1: Open Kali and download Zmap

The first step is to enable Kali and open a terminal.

zmap1

Now, we need to download and install Zmap. Zmap is in the Kali repository, so all you need to do is type:

kali > sudo apt install mapping

zmap2

Step #2: We give the Zmap help command

Before we start using Zmap, let's first take a look at the help.

kali > sudo mapping -h

zmap3

Note here the basic options. You can set the port with -p and the output file with -o. Additionally, you specify the rate and bandwidth with the -r and -B options, respectively.

zmap4

In network options, note that you can specify source port (-s), source IP (-S), gateway (-G), interface (-i) and vpn (-X).

zmap5

It is also important to note that Zmap uses TCP SYN scanning by default and outputs the results in ASCII format to stdout or to an output file specified with the -o option in .csv format.

Step #3: Run a scan with Zmap

The basic syntax for running Zmap is simple,

mapping -p <IP address> -o

So, to scan 255 IP addresses on a Class B network, we issue the following command:

kali > sudo mapping -p 80 172.217.0.0/24 -o IResults.csv

Where:

-p 80 = scan on open port 80

172.217.0.0/24 = scans the 255 IP addresses

-o IResults.csv = send the results to a csv file named IPresults.csv

When we press enter, Zmap starts scanning the IP addresses and displays its results on the screen (stdout).

zmap6

As you can see, Zmap completed the process in a few seconds, while nmap would probably take hours. To see its output, we can type:

kali > moins IResults.csv

zmap7

To see the total number of IP addresses on open port 80 in this IP address range, type:

kali > wc -l IResults.csv

zmap8

As you can see, Zmap found that 162 IP addresses out of a total of 255 had port 80 open.

Step #4: Scan your local network

Next, let's try using Zmap to scan our local network. We can use the same command and options as above, but let's use a local IP address.

kali > sudo mapping -p 80 10.0.2.15 -o LANresults.csv

zmap9

As you can see above, Zmap refuses to scan our local network because - by default - Zmap blacklists all private IP addresses.

We can fix this by simply opening the file blacklist.conf in any text editor and commenting out the IP addresses we want to scan. Zmap's blacklist is on file /etc/zmap/blacklist.conf.

kali > sudo mousepad /etc/zmap/blacklist.conf

zmap10

Now, let's try scanning our local network again.

kali > sudo mapping -p 10.0.0.0/16 -o LANresults.csv

zmap11

Be careful when using Zmap on your local network. It can easily overload your network and cause a denial of service (DoS) situation. It is recommended to limit the bandwidth used by Zmap to 10k packets per second to avoid saturating the network bandwidth. To do this, simply enter the bandwidth-limit option -B followed by 10M, such as:

kali > sudo mapping -B 10M -p 80 10.0.0.0/16 -o LANresults.csv

Summary

Zmap is a great tool for gathering information about the attack spectrum of the entire Internet or a very large network. While it's useful for quickly scanning large networks where nmap scans would be time-consuming and tedious, its real beauty is its ability to collect information from EVERY IP address spanning the globe. Both cybercriminals and security researchers can gather amazing insights into the global attack surface with this tool.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.097 registrants.
zmap, maps

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).