Yes, you read it right. Scanning the internet is not as big a deal as it sounds. Nmap is one of the best and most powerful tools in a hacker's arsenal. It can scan hosts for open ports and get the corresponding service banners. However, it isn't fast enough to scan the whole IPv4 address space. With the help of more advanced tools like Zmap and Masscan and a decent internet connection, we can scan the entire internet (the 0.0.0.0/0 subnet).

There are around 4 billion possible IPv4 addresses. Removing internal and private network ranges, we can narrow it down to 3.7 billion.

What are Zmap and Masscan?

Zmap and Masscan are port scanning tools that work in a similar way. They perform an asynchronous scan by simply firing TCP SYN packets at every IPv4 host on the internet without establishing a complete connection. An active listener watches for incoming SYN-ACK packets; every received packet is validated and logged. This method of scanning is 1300 times faster than a traditional nmap scan.

Zmap can utilize the full bandwidth of a gigabit network and complete the scan in 45 minutes. “While Nmap adapts its transmission rate to avoid saturating the source or target networks, we assume that the source network is well provisioned (unable to be saturated by the source host), and that the targets are randomly ordered and widely dispersed (so no distant network or path is likely to be saturated by the scan). Consequently, we attempt to send probes as quickly as the source’s NIC can support, skipping the TCP/IP stack and generating Ethernet frames directly. We show that ZMap can send probes at gigabit line speed from commodity hardware and entirely in user space,” the researchers say in their paper.
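The same behaviour that makes these scanners fast (one SYN per target from user space, never completing the handshake) is also what a defender sees on the receiving end: many hosts touched by one source with almost no completed connections. The following is an added example, not part of the original post or of the zmap project, that flags such sources in a constructed, simplified connection log; the field layout and the state codes S0, RSTO and SF are assumptions for the sample.

```python
from collections import defaultdict
# Constructed sample: a simplified conn log with the fields
# ts src_ip src_port dst_ip dst_port proto conn_state
# Assumed state codes: S0 = SYN seen, no reply; RSTO = handshake aborted by the
# originator with a RST; SF = full handshake completed and closed normally.
SAMPLE_LOG = """\
1700000001.1 203.0.113.7 54011 10.0.0.1 443 tcp S0
1700000001.2 203.0.113.7 54388 10.0.0.2 443 tcp RSTO
1700000001.3 203.0.113.7 55902 10.0.0.3 443 tcp S0
1700000001.4 203.0.113.7 53117 10.0.0.4 443 tcp RSTO
1700000001.5 203.0.113.7 56640 10.0.0.5 443 tcp S0
1700000002.0 198.51.100.20 49152 10.0.0.2 443 tcp SF
1700000003.0 198.51.100.20 49153 10.0.0.4 443 tcp SF
1700000004.0 192.0.2.9 40000 10.0.0.9 22 tcp S0
"""

def parse_conn_line(line):
    """Split one log line into a dict; returns None for blank or short lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"src": parts[1], "dst": parts[3], "dport": int(parts[4]),
            "proto": parts[5], "state": parts[6]}

def find_scanners(lines, min_hosts=3, max_complete_ratio=0.1):
    """Return {src_ip: summary} for sources that behave like stateless SYN scanners.

    A scanner touches many distinct hosts while almost none of its attempts
    reach a completed handshake (SF): the probe is sent from user space, so
    the scanner's own kernel answers our SYN-ACK with a RST or just ignores it.
    """
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(),
                                   "attempts": 0, "completed": 0})
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        s = per_src[rec["src"]]
        s["hosts"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["attempts"] += 1
        s["completed"] += rec["state"] == "SF"
    flagged = {}
    for src, s in per_src.items():
        ratio = s["completed"] / s["attempts"]
        if len(s["hosts"]) >= min_hosts and ratio <= max_complete_ratio:
            flagged[src] = {"hosts": len(s["hosts"]), "ports": sorted(s["ports"]),
                            "attempts": s["attempts"], "completed": s["completed"]}
    return flagged
```

A single dst port across many hosts (as in the sample) matches a zmap-style horizontal scan; a masscan run with several -p values shows up as multiple ports in the same summary.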

Zmap usage

Zmap is available on Github: https://github.com/zmap/zmap

Installing on Kali Linux

apt-get install zmap

Port scanning command

zmap -p <port>

Example:

As you can see in the above picture, Zmap is scanning the entire 0.0.0.0/0 subnet to check whether port 443 is open. The output can be saved to a file in various formats. Use the --help option for more info. The Zmap developers also offer plenty of other tools that can be combined with zmap, such as banner grabbing and DNS resolving, etc. They are available on their official website, zmap.io.

Zmap + Ztee + Zgrab

Zgrab can be used to grab the banner of a running service.

zmap -p 443 --output-fields=* | ztee results.csv | zgrab --port 443 --tls --http="/" --output-file=banners.json

Masscan usage

Masscan is more like nmap with zmap's performance. Its major advantage is that you can scan multiple ports simultaneously, which zmap does not support.

Installation

apt-get install masscan

Usage

masscan 0.0.0.0/0 --exclude 225.225.225.225 --rate=100000 -p 80,443,21

Example: scanning port 443

With these tools you can find vulnerable devices all across the globe. With a normal broadband connection running at a very slow packet transmission rate, you can perform a full scan in less than 23 hours.

censys.io is one of the most famous IoT search engines, and it uses zmap in its backend.


Susmith Krishnan

I’m a computer enthusiast basically and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and I would like to explore security vulnerabilities and the latest tech news and want to share them with you.
