Zakir Durumeric edited this page Apr 5, 2024 · 23 revisions

ZMap is a network scanner designed to perform comprehensive scans of the IPv4 address space or large portions of it.

If you're new to ZMap or want a follow-along guide, check out the Getting Started Guide.

By default, ZMap will perform a TCP SYN scan on the specified port at the maximum rate possible. A more conservative configuration that will scan 10,000 random addresses on port 80 at a maximum 10 Mbps can be run as follows:

$ zmap --bandwidth=10M --target-ports=80 --max-targets=10000 --output-file=results.csv

Or more concisely:

$ zmap -B 10M -p 80 -n 10000 -o results.csv

By default, ZMap will scan 0.0.0.0/0, all IPv4 addresses. However, ZMap can also scan specific subnets or CIDR blocks. For example, to scan only 10.0.0.0/8 and 192.168.0.0/16 on TCP/80, you would run:

$ zmap -p 80 10.0.0.0/8 192.168.0.0/16

In addition, ZMap can be used to scan multiple ports or ranges of ports. For example,

$ zmap -p 80,443,445-447,500-502

If the scan started successfully, ZMap will output real-time status updates:

0% (1h51m left); send: 28777 562 Kp/s (560 Kp/s avg); recv: 1192 248 p/s (231 p/s avg); hits: 0.04%
0% (1h51m left); send: 34320 554 Kp/s (559 Kp/s avg); recv: 1442 249 p/s (234 p/s avg); hits: 0.04%
0% (1h50m left); send: 39676 535 Kp/s (555 Kp/s avg); recv: 1663 220 p/s (232 p/s avg); hits: 0.04%
0% (1h50m left); send: 45372 570 Kp/s (557 Kp/s avg); recv: 1890 226 p/s (232 p/s avg); hits: 0.04%

These updates provide information about the current state of the scan and are of the following form:

%-complete (est time remaining); packets-sent curr-send-rate (avg-send-rate); recv: packets-recv recv-rate (avg-recv-rate); hits: hit-rate

⚠️ Warning! If you do not know the scan rate that your network can support, experiment with increasing bandwidth limits (-B/--bandwidth) and watch the hit rate in the status updates: once a higher send rate no longer raises, or actually lowers, the fraction of hosts that respond, you have passed the rate your network (or an upstream device) can handle and probes or responses are being dropped. Use the fastest rate below that point.
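The status-line format above is regular enough to parse, which makes the rate experiment in the warning mechanical: capture the status lines from two runs and compare send rate against hit rate. The script below is an added example, not part of ZMap; the field positions follow the documented layout, the function names are ours, the two SLOW_STATUS lines are copied from the page, and the FAST_STATUS line is constructed to show what an over-driven scan looks like.

```shell
#!/bin/sh
# Added example, not part of ZMap: parse the status lines ZMap prints during a
# scan and flag a run whose hit rate fell while its send rate rose, which is the
# signal that a bandwidth limit is too high for the network.
# Layout: %-complete (est); send: sent cur (avg); recv: recvd cur (avg); hits: rate

# Two status lines copied from the page above (a run limited to ~560 Kp/s).
SLOW_STATUS='0% (1h51m left); send: 28777 562 Kp/s (560 Kp/s avg); recv: 1192 248 p/s (231 p/s avg); hits: 0.04%
0% (1h50m left); send: 45372 570 Kp/s (557 Kp/s avg); recv: 1890 226 p/s (232 p/s avg); hits: 0.04%'

# Constructed line for a faster run: same layout, but the hit rate has halved,
# which is what a saturated uplink or a dropping upstream device looks like.
FAST_STATUS='0% (52m left); send: 98213 1.20 Mp/s (1.18 Mp/s avg); recv: 2011 240 p/s (238 p/s avg); hits: 0.02%'

# status_field LINE NAME: print one numeric field from a status line.
# NAME is pct, sent, send_rate, send_avg, recvd, recv_rate, recv_avg or hits.
# Rates are normalized to packets per second (p/s, Kp/s, Mp/s); hits is a percentage.
status_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
    function pps(v, u) {                 # "(560" "Kp/s" -> 560000
        sub(/^\(/, "", v)
        if (u ~ /^K/) return v * 1000
        if (u ~ /^M/) return v * 1000000
        return v + 0
    }
    {
        f["pct"] = $1;  sub(/%/, "", f["pct"])
        f["sent"] = $5
        f["send_rate"] = pps($6, $7)
        f["send_avg"]  = pps($8, $9)
        f["recvd"] = $12
        f["recv_rate"] = pps($13, $14)
        f["recv_avg"]  = pps($15, $16)
        f["hits"] = $19; sub(/%/, "", f["hits"])
        if (want in f) print f[want]; else exit 1
        exit
    }'
}

# last_line TEXT: the most recent status line of a multi-line capture.
last_line() { printf '%s\n' "$1" | tail -n 1; }

# rate_too_high BASE_LINE FAST_LINE: succeed (exit 0) when the faster run sends
# more packets per second but sees a lower hit rate than the baseline, i.e. the
# extra rate is costing results and --bandwidth should be backed off.
rate_too_high() {
    awk -v bs="$(status_field "$1" send_rate)" -v bh="$(status_field "$1" hits)" \
        -v fs="$(status_field "$2" send_rate)" -v fh="$(status_field "$2" hits)" \
        'BEGIN { exit !(fs > bs && fh < bh) }'
}

base=$(last_line "$SLOW_STATUS")
if rate_too_high "$base" "$FAST_STATUS"; then
    echo "hit rate fell from $(status_field "$base" hits)% to $(status_field "$FAST_STATUS" hits)%: lower --bandwidth"
fi
```

In practice, capture ZMap's stderr from each trial run to a file and feed the final line of each to rate_too_high; comparing only the last line keeps the early, noisy samples from skewing the decision.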

By default, ZMap will output the list of distinct IP addresses that responded successfully (e.g. with a SYN ACK packet) similar to the following. There are several additional formats (e.g., CSV and JSON) for outputting results. Additional output fields can be specified and the results can be filtered using an output filter. [more information]

115.237.116.119
23.9.117.80
207.118.204.141
217.120.143.111
50.195.22.82

We strongly encourage you to maintain a blocklist file that excludes both reserved/unallocated IP space (e.g., multicast, RFC 1918) and networks that have asked to be excluded from your scans. By default, ZMap uses a simple blocklist of reserved and unallocated addresses located at /etc/zmap/blocklist.conf; a different file can be given with --blocklist-file. [more information]

If you find yourself specifying the same settings, such as your maximum bandwidth or blocklist file, every time you run ZMap, you can put them in /etc/zmap/zmap.conf, which is read automatically, or in a custom configuration file passed with -C/--config.
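As an added example (not ZMap's own code), here is a configuration file carrying the settings used in the commands above, together with a small helper that converts each line to the matching long option so you can see exactly what a config file will apply before running with it. The assumed syntax, one "option value" per line with the long option name and no leading dashes, strings optionally quoted, and "#" starting a comment, follows the sample zmap.conf shipped with ZMap; the helper names and the temporary file are ours.

```shell
#!/bin/sh
# Added example, not part of ZMap: a zmap.conf with the settings from the
# examples above, plus helpers that map config lines to command-line flags.
CONF=$(mktemp)   # stand-in for /etc/zmap/zmap.conf (or a file passed with -C)
cat > "$CONF" <<'EOF'
## Custom ZMap configuration (constructed example)
# Never exceed 10 Mbps on this uplink.
bandwidth 10M
# Reserved ranges plus networks that asked to be excluded.
blocklist-file "/etc/zmap/blocklist.conf"
output-file "results.csv"
EOF

# conf_to_args FILE: print the equivalent long options, one per line.
conf_to_args() {
    awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
        opt = $1; $1 = ""; val = $0        # everything after the option name
        sub(/^[[:space:]]+/, "", val)
        sub(/^"/, "", val); sub(/"$/, "", val)   # drop surrounding quotes
        printf "--%s=%s\n", opt, val
    }' "$1"
}

# conf_get FILE OPTION: print the value one option would take, or nothing.
conf_get() {
    conf_to_args "$1" | sed -n "s/^--$2=//p"
}

# Show the command line the file is equivalent to; the dry run would print
# the packets ZMap would send without transmitting any.
printf 'Equivalent: zmap %s--dryrun -p 80 -n 5\n' "$(conf_to_args "$CONF" | tr '\n' ' ')"
```

Run `zmap -C "$CONF" --dryrun -p 80 -n 5` against the generated file to confirm the settings take effect before committing them to /etc/zmap/zmap.conf.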

If you are troubleshooting scan-related issues, several options help with debugging. First, you can perform a dry run by adding the --dryrun flag: ZMap prints the packets it would send without putting any on the network. You can also change the logging verbosity with --verbosity=n (0 to 5).