Updated: Dec 28, 2022
Welcome back my aspiring cyber warriors!
Most of you are aware of the power of nmap and nmap scripts for reconnaissance on a target and target networks. These tools can be used for numerous tasks such as simple port scanning to service and version detection. Despite the power and simplicity of nmap, it can be tediously slow for scanning very large networks. This is where the breakthrough scanner, Zmap, displays its strengths.
Zmap was developed in 2013 by a team of researchers at the University of Michigan (David Adrian, Zakir Durumeric, Gulshan Singh, and J. Alex Halderman). It was designed to be able to scan the entire Internet for information security purposes, rather than scanning a single IP or range of IP's. With a 1 Gigabit connection, one can scan the entire Internet for single port in about 45 minutes! This same scan would take months using nmap.
This type of speed opens up all new possibilities for scanning that we couldn't even imagine before. For instance, one of the developers of Zmap was able to estimate power outage during superstorm Sandy by scanning all the IP addresses in the area of the storm and then extrapolating from that information what area had power and which did not. In addition, this tool can be used to determine when and how many systems adopt new technologies around the world. The possibilities of using Zmap seem limitless for estimating the attack surface of the global internet!
In essence, Zmap can provide us almost a real-time picture of the Internet attack surface. This is precisely what a service such as CenSys attempts to do using Zmap to collect the data.
Zmap achieves its speed by using cyclic multiplicative groups. This enables ZMap to scan the same space roughly 1,300 times faster than Nmap (nmap sends out probes and waits for the response before sending the subsequent probe). The ZMap software takes every number from 1 to 2 to power of 32 (the IPv4 address space is 32 bits) and creates an iterative formula that ensures that each of the possible 32-bit numbers is visited once in a pseudorandom order.
This speed can also be used for exploitation purposes. For instance, when connected to local area network is it relatively simple to use all the bandwidth available and create an effective Denial of Service (DoS) condition. In addition, blackhat hackers are able to search the entire Internet for a particular vulnerability faster than administrators can patch their systems.
Step #1: Fire Up Kali and download Zmap
The first step is fire up Kali and open a terminal.
Now, we need to download and install Zmap. Zmap is in the Kali repository, so you only need to enter;
kali > sudo apt install zmap
Step #2: Zmap Help
Before we get started using this powerful tool, let first take a look at its help file.
kali > sudo zmap -h
Note the basic options here. You can designate the port with -p and the output file with -o. In addition, you determine the rate and bandwidth with the -r and -B options, respectively.
In the network options, note that you can specify the source port (-s), source IP (-S), the gateway (-G), the interface (-i) and the vpn (-X).
In the final stanza of the help screen, note the examples above. It's also important to note that Zmap uses a TCP SYN scan by default and outputs results in ASCII format to stdout or an output file specified with the -o option in .csv format.
Step #3: Run a Zmap scan
The basic syntax to running Zmap is simply;
zmap -p <port> <IP address> -o <outfile>
So, to scan 255 IP addresses on a class B network, we can enter;
kali > sudo zmap -p 80 220.127.116.11/24 -o IPresults.csv
-p 80 = scan for port 80 open
18.104.22.168/24 = scan these 255 IP addresses
-o IPresults.csv = send the results to a csv file named IPresults.csv
When we hit enter, Zmap begins to scan this IP address space and displaying its results onscreen (stdout).
As you can see, Zmap completed its work in a matter of seconds whereby nmap would likely have taken hours. To view its output, we can enter;
kali > less IPresults.csv
To see the total count of IP addresses with port 80 open in that IP address range, enter;
kali > wc -l IPresults.csv
As you can see, Zmap found that 162 IP addresses of the total 255 had port 80 open.
Step #4: Scan Your LAN
Next, let's try using Zmap to scan our local area network. We can use the same command and options as above, but instead let's use a local, private IP address.
kali > sudo zmap -p 80 10.0.2.15 -o LANresults.csv
As you can see above, Zmap refuses to scan our local area network because --by default--Zmap blacklists all private IP addresses.
We can remedy that by simply opening the blacklist.conf file in any text editor and commenting out the IP addresses we want to scan. Zmap's blacklist is at /etc/zmap/blacklist.conf.
kali > sudo mousepad /etc/zmap/blacklist.conf
Comment out (#) the private IP of your network (in my case I commented out line 6). Now, let's try to scan our LAN network again.
kali > sudo zmap -p 10.0.0.0/16 -o LANresults.csv
Be careful when using Zmap on your local area network. It can easily overwhelm your network and cause a Denial of Service (DoS) condition. It is advisable to limit the bandwidth Zmap uses to 10 thousand packets per second to avoid saturating the network bandwidth. To do this, simply enter the bandwidth limiting option -B followed by 10M, such as;
kali > sudo zmap -B 10M -p 80 10.0.0.0/16 -o LANresults.csv
Zmap is an extraordinary tool for gathering information on the attack surface of the entire Internet or a very large network. Although it is useful for fast scanning of large networks where nmap scans would be time-consuming and tedious, it real beauty is its ability to gather information from EVERY IP address covering the globe. Both cyber criminals and security researchers can gather astonishing insights into the global attack surface with this tool.