Master ZMap: Fast Network Scanning, Installation, Commands, and Advanced Uses

ZMap is a high‑speed network scanner developed at the University of Michigan, and this guide covers its installation on various Linux distributions, core command‑line options, configuration files, advanced extensions like banner grabbing and UDP probes, and discusses its underlying SYN‑RST scanning mechanism and security considerations.

Written by MaGe Linux Operations

Background

ZMap is a tool developed by researchers at the University of Michigan. It gained fame at the 22nd USENIX Security Symposium for scanning at a speed more than 1,300 times faster than nmap, capable of scanning the entire IPv4 address space in 45 minutes on a gigabit NIC.

Installation

64‑bit version (Debian/Ubuntu)

Step 1: sudo apt-get install libgmp3-dev libpcap-dev gengetopt
Step 2: wget https://github.com/zmap/zmap/archive/v1.0.3.tar.gz
Step 3: tar -zxvf v1.0.3.tar.gz
Step 4: cd zmap-1.0.3/src
Step 5: make && make install

32‑bit version (Debian/Ubuntu)

Step 1: sudo apt-get install libgmp3-dev libpcap-dev gengetopt
Step 2: git clone git://github.com/zmap/zmap.git
Step 3: tar -zxvf v1.0.2.tar.gz
Step 4: cd zmap-1.0.2/src
Step 5: make && make install

For Fedora, Red Hat Enterprise Linux, or CentOS, replace step 2 with:

sudo yum install gmp gmp-devel libpcap-devel gengetopt

If you want to store results in Redis, install Hiredis first and compile with:

make REDIS=true

When not running as root, set the required capability:

setcap cap_net_raw=ep /usr/local/sbin/zmap

Usage Introduction

After installation you can invoke ZMap directly.

1. Simplest invocation

zmap -B 10M -p 80 -n 100000 -o results.txt

-B sets bandwidth, -p sets the target port, -n sets the number of targets, and -o specifies the output file. This command scans 100,000 IP addresses on port 80 using 10 Mbps of bandwidth and writes the results to results.txt.

On BackTrack 5 R3 the -G option (gateway MAC) is required:

zmap -B 10M -p 80 -n 100000 -G "01:00:5e:00:00:02" -o results.txt

The output consists of one IP address per line, e.g.:

115.237.116.119
23.9.117.80
207.118.204.141
217.120.143.111

2. Most frequently used command

zmap -p 443 -G "00:00:00:00:00:00"

This scans the entire Internet for hosts with port 443 open (SSL/TLS). The author observed a scan lasting about 9 hours 16 minutes on a 10 Mbit ADSL connection (upstream ~100 kbit/s), which doubled the expected time.

3. Common parameters

-p, --target-port=port         Target port to scan
-o, --output-file=name         Write results to the given file
-b, --blacklist-file=path      Exclude IP ranges (e.g., RFC 1918); the default file is conf/blacklist.conf
-n, --max-targets=n            Scan up to n targets (or a percentage, e.g., 0.1%)
-N, --max-results=n            Stop after n successful results
-t, --max-runtime=secs         Stop after the given number of seconds
-r, --rate=pps                 Packets per second to send
-B, --bandwidth=bps            Bandwidth limit (e.g., 10M for 10 Mbps)
-c, --cooldown-time=secs       Time to wait for responses after sending finishes (default 8 s)
-e, --seed=n                   Seed for the pseudo-random address generator
-T, --sender-threads=n         Number of sending threads (default 1)
-P, --probes=n                 Number of probes per IP (default 1)
-d, --dryrun                   Print packet contents without sending
-s, --source-port=port|range   Source port or range
-S, --source-ip=ip|range       Source IP address or range
-G, --gateway-mac=addr         Set or spoof the gateway MAC address
-M, --probe-module=name        Probe module (tcp_synscan, icmp_echoscan, udp, etc.)
-O, --output-module=name       Output module (simple_file, extended_file)
    --quiet                    Suppress progress output
    --summary                  Print a summary after the scan
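A scope check on scan output, as an added example (not from the original article or the ZMap project): it reads a blacklist and a whitelist in the conf/blacklist.conf syntax (one address or CIDR per line, `#` comments) and reports any result line that falls outside the ranges the -b and -w options permit. The file contents and the results list are constructed.

```python
import ipaddress

# Constructed stand-ins for conf/blacklist.conf, a -w whitelist and results.txt
BLACKLIST = """
# RFC 1918 private ranges, never scanned
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8      # loopback
"""
WHITELIST = """
203.0.113.0/24
198.51.100.0/24
"""
RESULTS = """
203.0.113.17
198.51.100.9
192.168.1.5
8.8.8.8
not-an-ip
"""

def load_networks(text):
    """Parse one network or host per line; a bare address becomes a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def classify(results, blacklist, whitelist=None):
    """Split result lines into (in_scope, out_of_scope, invalid): a hit is out of
    scope if blacklisted or, when a whitelist is given, not whitelisted (-b / -w)."""
    in_scope, out_of_scope, invalid = [], [], []
    for raw in results.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            invalid.append(line)  # garbled line, not an address
            continue
        denied = any(ip in net for net in blacklist)
        allowed = whitelist is None or any(ip in net for net in whitelist)
        (out_of_scope if denied or not allowed else in_scope).append(str(ip))
    return in_scope, out_of_scope, invalid
```

Any address in out_of_scope means the scan did not honour the exclusions it was supposed to run with, which is worth checking before results are shared.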

Three Additional Extensions

Banner Grab

Used for fingerprinting services by capturing responses such as SSH banners or HTTP 401 messages.

Build the tool:

make

Create a request file (e.g., http-req):

echo -e -n "GET / HTTP/1.1\nHost: %s\n\n" > http-req

Run ZMap and pipe the results to banner-grab-tcp:

zmap -p 80 -N 1000 -o - | ./banner-grab-tcp -p 80 -c 100 -d http-req > http-banners.out

forge‑socket

Similar to Banner Grab but uses a kernel driver for higher efficiency.

git clone git@github.com:.../forge_socket.git
cd forge_socket
make
sudo insmod forge_socket.ko

Block outgoing RST packets with iptables, so the kernel does not reset the half-open connections before forge-socket can take them over:

iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST,RST RST,RST -j DROP

UDP Data Probes

Added in version 1.03. Example probing Microsoft SQL Server on port 1434:

zmap -M udp -p 1434 --probe-args=file:examples/udp-probes/mssql_1434.pkt

Custom payloads can be created and stored in .pkt files.

A configuration file can replace frequently repeated command-line options; each line holds the long option name (without the leading dashes) followed by its value, or the name alone for a flag:

interface "eth1"
source-ip 1.1.1.4-1.1.1.8
gateway-mac b4:23:f9:28:fa:2d
cooldown-time 300
blacklist-file /etc/zmap/blacklist.conf
output-file ~/zmap-output
quiet
summary

Run with the configuration file:

zmap --config=~/.zmap.conf --target-port=443
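Parsing the configuration file format shown above, as an added example (not ZMap's own code): it turns each line into the equivalent --long=value argument, lets command-line options such as --target-port=443 override the file, and rejects an obviously mistyped gateway-mac or source-ip before a scan is launched. The sample file is constructed from the one above; support for `#` comments is this parser's own assumption.

```python
import ipaddress
import re
import shlex

# Constructed sample mirroring the configuration file shown above
SAMPLE_CONF = """
interface "eth1"
source-ip 1.1.1.4-1.1.1.8
gateway-mac b4:23:f9:28:fa:2d
cooldown-time 300
blacklist-file /etc/zmap/blacklist.conf
output-file ~/zmap-output
quiet
summary
"""
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def parse_conf(text):
    """Map option name -> value; bare flags such as quiet map to None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumed) and blank lines
        if line:
            parts = shlex.split(line)  # honours quoted values like "eth1"
            opts[parts[0]] = " ".join(parts[1:]) or None
    return opts

def validate(opts):
    """Flag a gateway-mac or source-ip a scan could not recover from."""
    errors = []
    if "gateway-mac" in opts and not MAC_RE.match(opts["gateway-mac"] or ""):
        errors.append("gateway-mac is not a MAC address")
    if "source-ip" in opts:
        lo, _, hi = (opts["source-ip"] or "").partition("-")
        try:
            if ipaddress.ip_address(lo) > ipaddress.ip_address(hi or lo):
                errors.append("source-ip range is reversed")
        except ValueError:
            errors.append("source-ip is not an address or range")
    return errors

def to_argv(opts, overrides=()):
    """Render --long[=value] arguments; explicit overrides win over the file."""
    merged = dict(opts)
    for item in overrides:
        key, _, value = item.lstrip("-").partition("=")
        merged[key] = value or None
    return [f"--{k}" if v is None else f"--{k}={v}" for k, v in merged.items()]
```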

Principle Analysis

ZMap’s speed stems from bypassing the TCP three‑way handshake. Instead of establishing a full connection, it sends a SYN packet and immediately follows with a RST, keeping no per‑connection state. Returned packets (a SYN‑ACK for an open port, a RST for a closed one) are matched to the original IP and port using a hash table, so sending and receiving proceed asynchronously at high throughput.

Divergent Extensions and Security Considerations

The author notes that while ZMap is intended for research‑grade Internet scanning, its high packet rate can be misused for DDoS attacks. Examples of massive scanning commands illustrate how to generate large traffic volumes, spoof MAC addresses, and adjust source IP ranges.

-w, --whitelist-file=path
222.222.221.82/24     # limit to a specific subnet
-P 10000000           # send many probes per target
-s 2000-60000         # wide port range
-S 20.20.20.0-200.200.200.200   # random IP range
-G <gateway-mac>      # spoofed MAC (may not receive replies)

Resulting traffic can be used for SYN floods, land attacks, ICMP floods, UDP floods, and other malformed‑packet attacks. The RST packets can be dropped with iptables to increase effectiveness.

Further extensions allow crafting GET or POST requests by modifying the http-req file, or adjusting payload sizes for POST attacks.
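Detection logic for the traffic pattern this section describes, as an added example that is not part of the original article: one source sending bare SYNs to many distinct hosts on a single port within a short window, with none of the handshakes completed. The connection records and the thresholds are constructed.

```python
from collections import defaultdict

# Constructed connection records: (epoch seconds, src, dst, dport, TCP flags),
# where "S" is a bare SYN, "A" an ACK and "R" a RST. Not from any real capture.
SAMPLE = [
    (100.0 + i / 1000, "198.51.100.7", f"203.0.113.{i}", 443, "S")
    for i in range(1, 41)                       # one source, 40 hosts, one port
] + [
    (100.5, "198.51.100.7", "203.0.113.5", 443, "R"),  # half-open probe torn down
    (100.2, "192.0.2.10", "203.0.113.9", 22, "S"),     # an ordinary SSH session
    (100.3, "192.0.2.10", "203.0.113.9", 22, "A"),
    (101.0, "192.0.2.11", "203.0.113.20", 80, "S"),
]

def detect_scans(records, window=1.0, min_targets=32):
    """Return {(src, dport): peak distinct destinations} for every source that
    sent bare SYNs to at least min_targets distinct hosts on one port inside any
    window-second span. Thresholds are constructed for the sample data."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if flags == "S":                         # SYN without ACK: a probe, not a reply
            by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()                            # slide a time window over the probes
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(targets))
    return alerts

def never_completed(records, src):
    """Destinations src sent a SYN to but never an ACK (handshake never
    finished); a SYN scanner leaves every probe in this state."""
    syns = {(d, p) for _, s, d, p, f in records if s == src and f == "S"}
    acks = {(d, p) for _, s, d, p, f in records if s == src and f == "A"}
    return sorted(syns - acks)
```

The same two measures apply to flow exports or firewall logs once the fields are mapped onto the record tuple; the rate and cooldown options above tell you roughly how tight the window should be.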

Comparison with Scapy

ZMap is written in pure C, offering higher performance than Python‑based Scapy, though both can be used for custom packet generation.

References:

ZMap Documentation

ZMap GitHub

Original article: http://drops.wooyun.org/tools/515
