ZMap#
Internet-scale port scanner. ZMap sends a stateless single-packet probe per target, processes responses asynchronously, and can sweep the whole IPv4 routable space for a single port in roughly five minutes on a 10 Gbps NIC. Different model from Nmap: ZMap finds who is listening, then a tool like Nmap or ZGrab2 takes that hit-list and asks what is running.
Setup#
Install on Debian-family, confirm the version, and grant the
raw-socket capability so ZMap can craft packets without sudo.
ZMap relies on the kernel’s routing table; --gateway-mac and
--source-ip overrides come up when sending from a host whose
egress is non-trivial.
Command |
Action |
|---|---|
|
install on Debian / Ubuntu |
|
confirm version |
|
grant raw-socket capability for non-root use |
|
print available probe modules |
|
print available output modules |
|
list fields a given probe module can emit |
Single-Port Scans#
The default operation. Pick a port with -p, a target range
with --allowlist-file or positional CIDRs, and either let
ZMap discover egress automatically or pin source IP / gateway
MAC.
Command |
Action |
|---|---|
|
scan a /24 on TCP/443 |
|
scan a /16, write CSV |
|
whole IPv4 routable (use a blocklist!) |
|
UDP scan |
|
read CIDRs from a file |
|
apply the system blocklist |
|
pin the source IP |
|
pin the egress interface |
Output and Fields#
ZMap writes one row per probe response by default. -O csv
gives header rows; -O json is the structured form. The
fields ZMap emits are configurable per probe module; useful ones
include saddr, daddr, sport, dport, classification,
and timestamp_str.
Command |
Action |
|---|---|
|
CSV output module |
|
JSON-lines output |
|
select fields |
|
emit periodic progress to a CSV |
|
dump scan metadata after completion |
|
write the log to disk |
|
quiet mode (suppress per-probe lines) |
|
verbose level (0-5) |
Rate and Sampling#
Internet-scale scans require rate control: -r (packets per
second) or -B (bandwidth). Sampling lets you scan only a
random subset of the address space for surveys.
Command |
Action |
|---|---|
|
cap at 10 K packets / second |
|
cap at 1 Gbps |
|
stop after N targets |
|
stop after N seconds |
|
stop after N positive responses |
|
one of ten shards (parallel hosts) |
|
deterministic address order |
|
send N probes per target |
|
extra seconds to wait for stragglers |
Probe Modules#
ZMap ships with several probe modules besides the default TCP
SYN. icmp_echoscan is the ICMP ping sweep; udp carries an
arbitrary payload (use with care); ntp_initiate, dns, and
upnp are application-specific.
Command |
Action |
|---|---|
|
default TCP SYN scan (named explicitly) |
|
ICMP echo (ping) sweep |
|
UDP probe with payload from file |
|
NTP monlist / version |
|
UPnP discovery |
|
DNS probe with raw hex payload |
|
BACnet (ICS) discovery |
Safety and Blocklists#
ZMap defaults to send-anywhere. For real Internet-wide scans
respect /etc/zmap/blacklist.conf, register a reverse-DNS
record for the source IP that explains the activity, and watch
for abuse complaints. Many ASes block scanners outright.
Command |
Action |
|---|---|
|
read the bundled blocklist (RFC1918, multicast, etc.) |
|
apply a custom blocklist |
|
restrict to listed CIDRs only |
|
print packets without sending |
|
annotate scan metadata for audit |
|
confirm rDNS points at a research / abuse contact |
ZGrab2 Pairing#
The standard ZMap workflow: ZMap finds open ports, ZGrab2 grabs
the application banner / certificate / response. zgrab2
reads ZMap CSV / JSON, queues TLS handshakes, HTTP GETs, SSH
banners, and writes one structured record per host.
Command |
Action |
|---|---|
|
find TLS-open hosts |
|
grab TLS handshake + certificate |
|
grab HTTP response |
|
grab SSH banner + key exchange |
|
chain multiple modules per host |
|
pipe a hit-list directly into zgrab2 |
|
extract a single field from results |
Companion Tools#
The ZMap project ships several helpers that consume scan output.
Command |
Action |
|---|---|
|
tee tool that splits ZMap stdout into a file + a downstream pipe |
|
filter a target list against a blocklist |
|
generate the IP iteration order ZMap would use (no scan) |
|
application-layer banner / handshake grabber (see above) |
|
validate ZGrab2 / Censys TLS observations against the CA / Browser Forum rules |