Yes, you read that right: scanning the whole internet is not as big a deal as it sounds. Nmap is one of the best and most powerful tools in a hacker's arsenal. It can scan hosts for open ports and grab the corresponding service banners, but it is not fast enough to sweep the entire IPv4 address space. With more advanced tools such as ZMap and masscan, plus a decent internet connection, we can scan the entire internet (the 0.0.0.0/0 range).
There are around 4.3 billion possible IPv4 addresses (2^32). Removing reserved, private and otherwise unroutable space narrows that down to roughly 3.7 billion.
What are ZMap and masscan?
ZMap and masscan are port scanners that work in a similar way. They scan asynchronously (statelessly): the sender fires one TCP SYN packet at every IPv4 host on the internet and never completes the three-way handshake, while a separate listener picks up the incoming SYN-ACK (and RST) replies. Every received packet is validated as a genuine reply to one of the scanner's own probes before it is logged; the probe encodes a keyed value in its TCP source port and sequence number, the reply echoes that value back in its destination port and acknowledgement number, and the scanner checks it, so no per-host state has to be kept. This method of scanning is around 1300 times faster than a traditional Nmap scan.
ZMap can use the full bandwidth of a gigabit link and complete a scan of the whole IPv4 space in about 45 minutes. “While Nmap adapts its transmission rate to avoid saturating the source or target networks, we assume that the source network is well provisioned (unable to be saturated by the source host), and that the targets are randomly ordered and widely dispersed (so no distant network or path is likely to be saturated by the scan). Consequently, we attempt to send probes as quickly as the source’s NIC can support, skipping the TCP/IP stack and generating Ethernet frames directly. We show that ZMap can send probes at gigabit line speed from commodity hardware and entirely in user space,” the ZMap authors write in their paper (Durumeric, Wustrow and Halderman, "ZMap: Fast Internet-wide Scanning and Its Security Applications", USENIX Security 2013).
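To make the two stateless tricks concrete, here is a toy model of a scanner core, added to this page as an example; it is not ZMap's or masscan's source. It walks a random permutation of a small address range by multiplying through the cyclic group Z_p^* (the construction ZMap uses with p = 2^32 + 15; masscan uses a different shuffle), stamps each SYN with a keyed cookie in the source port and sequence number, and then classifies constructed inbound packets without any "probes sent" table. The address range (198.51.100.0/24), the block list, the secret key and the choice of HMAC-SHA256 are assumptions made for the demo; packets are plain dicts and nothing touches the wire.

```python
"""Toy stateless SYN-scan core (example code, not ZMap's or masscan's).

Two ideas let internet-wide scanners run without per-target state:
  1. a random permutation of the address space generated by walking the
     cyclic group Z_p^*, so no "already sent" table is needed, and
  2. a keyed validation cookie carried in the probe's TCP source port and
     sequence number, echoed back in the reply's destination port and ack.
"""
import hashlib
import hmac
import ipaddress
import random

# Toy address space: one /24, so Z_257^* (257 is prime, group order 256)
# covers offsets 0..255 with exactly one element each.  198.51.100.0/24 is a
# documentation range chosen for the demo.
BASE = int(ipaddress.IPv4Address("198.51.100.0"))
P = 257

# Constructed per-scan secret; a real scanner draws this at random at start-up.
SCAN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
OUR_IP = "203.0.113.9"   # constructed scanner address


def is_generator(g, p):
    """True if g generates Z_p^*: g^((p-1)/q) != 1 for every prime q | p-1."""
    n, q, primes = p - 1, 2, set()
    while q * q <= n:
        while n % q == 0:
            primes.add(q)
            n //= q
        q += 1
    if n > 1:
        primes.add(n)
    return all(pow(g, (p - 1) // q, p) != 1 for q in primes)


def random_permutation(seed, blocklist=()):
    """Yield every address of the /24 exactly once in a seed-dependent random
    order, skipping anything inside `blocklist` (IPv4Network objects), the way
    an exclude list keeps a scanner away from ranges it must not touch."""
    rng = random.Random(seed)
    g = rng.choice([c for c in range(2, P) if is_generator(c, P)])
    start = x = rng.randrange(1, P)          # random starting element
    while True:
        addr = ipaddress.IPv4Address(BASE + (x - 1))   # element x -> offset x-1
        if not any(addr in net for net in blocklist):
            yield addr
        x = (x * g) % P                      # next element of the cycle
        if x == start:                       # full cycle: every element seen once
            return


def cookie(dst, dport):
    """32-bit keyed validation value for one (target, port) pair."""
    msg = dst.packed + dport.to_bytes(2, "big")
    return int.from_bytes(hmac.new(SCAN_KEY, msg, hashlib.sha256).digest()[:4], "big")


def make_probe(dst, dport):
    """Build the SYN we would send.  The cookie selects our source port and is
    used as the initial sequence number, so a real reply carries it back."""
    c = cookie(dst, dport)
    return {"src": OUR_IP, "dst": str(dst), "sport": 32768 + (c >> 17),
            "dport": dport, "seq": c, "flags": "S"}


def validate_reply(pkt, scan_port):
    """Classify an inbound packet with no per-target state.
    Returns 'open', 'closed' or None (not a reply to one of our probes)."""
    if pkt["sport"] != scan_port:
        return None
    c = cookie(ipaddress.IPv4Address(pkt["src"]), pkt["sport"])
    if pkt["dport"] != 32768 + (c >> 17):
        return None                          # wrong port: not ours
    if pkt["ack"] != (c + 1) & 0xFFFFFFFF:
        return None                          # wrong ack: spoofed or unrelated
    if pkt["flags"] == "SA":
        return "open"
    if "R" in pkt["flags"]:
        return "closed"
    return None


def demo():
    """Scan the toy range on port 443 and classify three constructed replies:
    a genuine SYN-ACK, a genuine RST, and a forged SYN-ACK with a bad ack."""
    blocklist = [ipaddress.ip_network("198.51.100.0/26")]   # constructed exclusion
    targets = list(random_permutation(seed=42, blocklist=blocklist))
    probes = [make_probe(t, 443) for t in targets]
    p0, p1 = probes[0], probes[1]
    inbound = [
        {"src": p0["dst"], "sport": 443, "dport": p0["sport"],
         "ack": (p0["seq"] + 1) & 0xFFFFFFFF, "flags": "SA"},
        {"src": p1["dst"], "sport": 443, "dport": p1["sport"],
         "ack": (p1["seq"] + 1) & 0xFFFFFFFF, "flags": "RA"},
        {"src": p0["dst"], "sport": 443, "dport": p0["sport"],
         "ack": 0x41414141, "flags": "SA"},
    ]
    return targets, [validate_reply(pkt, 443) for pkt in inbound]


if __name__ == "__main__":
    targets, verdicts = demo()
    print(len(targets), "targets after exclusions; verdicts:", verdicts)
```

The forged packet in demo() is the case that matters in practice: backscatter from other people's scans and unsolicited SYN-ACKs arrive constantly on a listener that accepts everything on the scan port, and the cookie check is what keeps them out of the results.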
ZMap is available on GitHub: https://github.com/zmap/zmap
Installing on Kali Linux
apt-get install zmap
Port scanning command (ZMap needs root, since it writes raw Ethernet frames)
zmap -p <port>
With no target given, ZMap scans the entire 0.0.0.0/0 range, minus the ranges listed in the blocklist file that the packaged configuration points to (/etc/zmap/blocklist.conf; blacklist.conf in older releases), and reports every host that answers on the given port, 443 in this example. The results can be written to a file in several formats with -o and --output-module; use the --help option for more information. The ZMap developers also offer other tools that combine with ZMap, such as banner grabbing (ZGrab) and DNS resolution (ZDNS), available from their official website zmap.io.
ZMap + ztee + ZGrab
ZGrab grabs the banner of the service running on a port that ZMap found open. In the pipeline below, ZMap finds hosts with 443 open, ztee acts as a buffered tee that writes the full CSV to results.csv while forwarding the IP addresses on stdout, and ZGrab opens a TLS connection to each host, requests /, and writes its findings as JSON. The flags shown are the original ZGrab's; the newer zgrab2 uses a per-protocol module syntax, so check its --help before copying this line.
zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json
masscan is more like Nmap with ZMap's performance. Its major advantage is that it can scan multiple ports in one run, which ZMap originally could not (one port per scan).
apt-get install masscan
masscan 0.0.0.0/0 --exclude 18.104.22.168 --rate=100000 -p 80,443,21
Here --rate is the packet rate in packets per second and -p takes a comma-separated port list. The --exclude is not optional: masscan refuses to scan a range as large as 0.0.0.0/0 unless at least one exclusion is given, and its README suggests --exclude 255.255.255.255 as the minimal confirmation. For a real scan, put the ranges you must not touch (your own provider, anyone who has asked to be excluded) in a file and pass it with --excludefile.
Example: scanning port 443
With these tools you can find vulnerable devices all across the globe. Even on a normal broadband connection at a modest packet rate, a full scan completes in under 23 hours: 3.7 billion addresses at about 45,000 packets per second (set with ZMap's -r/--rate or masscan's --rate) take roughly 82,000 seconds, just under 23 hours. Expect abuse complaints whenever you scan at this scale, and keep your exclude list and a published contact address current.
censys.io is one of the best-known internet-wide (IoT) search engines; it was built by the ZMap authors and uses ZMap in its backend.