ZMap (software)
ZMap is a free and open-source security scanner that was developed as a faster alternative to Nmap. ZMap was designed for information security research and can be used for both white hat and black hat purposes. The tool is able to discover vulnerabilities and their impact, and detect affected IoT devices.
Original author(s) | University of Michigan[1] |
---|---|
Developer(s) | The ZMap Team[1] |
Initial release | August 16, 2013[2] |
Stable release | 2.1.1
/ September 11, 2015[2] |
Repository | github |
Written in | C[2] |
Operating system | Cross-platform |
Available in | English |
Type | computer security, network management |
License | Apache License 2.0[2] |
Website | zmap |
Using one gigabit per second of network bandwidth, ZMap can scan the entire IPv4 address space in 44 minutes on a single port.[3] With a ten gigabit connection, ZMap scan can complete a scan in under five minutes.[4]
Operation
ZMap iterates on techniques utilized by its predecessor, Nmap, by altering the scanning method in a few key areas. Nmap sends out individual signals to each IP address and waits for a reply. As replies return, Nmap compiles them into a database to keep track of responses, a process that slows down the scanning process. In contrast, ZMap uses cyclic multiplicative groups, which allows ZMap to scan the same space roughly 1,300 times faster than Nmap.[6] The ZMap software takes every number from 1 to 232-1 and creates an iterative formula that ensures that each of the possible 32-bit numbers is visited once in a pseudorandom order.[3] Building the initial list of numbers for every IP address takes upfront time, but it is a fraction of what is required to aggregate a list of every sent and received probe. This process ensures that once ZMap starts sending probes out to different IPs, an accidental denial of service could not occur because an abundance of transmissions would not converge on one subnet at the same time.[7]
ZMap also speeds up the scanning process by sending a probe to every IP address only once by default, whereas Nmap resends a probe when it detects a connection delay or fails to get a reply.[8] This results in about 2% of IP addresses being missed during a typical scan, but when processing billions of IP address, or potential IoT devices being targeted by cyberattackers, 2% is an acceptable tolerance.[5]
Usage
ZMap can be used for both vulnerability detection and exploitation.[9][6]
The application has been used for port 443 scans to estimate power outages during Hurricane Sandy in 2013.[5] One of the developers of ZMap, Zakir Durumeric, used his software to determine a computer's online state, vulnerabilities, operating system, and services.[10][11] ZMap has also been used to detect vulnerabilities in universal plug and play devices and search for weak public keys in HTTPS website logs.[12]
See also
References
- "About the Project". The ZMap Project. Retrieved 10 Aug 2018.
- "GitHub - zmap/zmap". GitHub. 2 Jul 2018. Retrieved 10 Aug 2018.
- Ducklin, Paul (20 Aug 2013). "Welcome to Zmap, the "one hour turnaround" internet scanner". Sophos. Retrieved 10 Aug 2018.
- Adrian, David (2014). "Zippier ZMap: Internet-Wide Scanning at 10 Gbps" (PDF). USENIX Workshop on Offensive Technologies.
- Durumeric, Zakir; Wustrow, Eric; Halderman, J. Alex (Aug 2013). "ZMap: Fast Internet-Wide Scanning and its Security Applications" (PDF). Retrieved 9 Aug 2018.
- De Santis, Giulia (2018). Modeling and Recognizing Network Scanning Activities with Finite Mixture Models and Hidden Markov Models (PDF). Université de Lorraine.
- Berko, Lex (19 Aug 2013). "Now You Can Scan the Entire Internet in Under an Hour". Motherboard. Retrieved 10 Aug 2018.
- De Santis, Giulia; Lahmadi, Abdelkader; Francois, Jerome; Festor, Olivier (2016). "Modeling of IP Scanning Activities with Hidden Markov Models: Darknet Case Study". 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS). pp. 1–5. doi:10.1109/NTMS.2016.7792461. ISBN 978-1-5090-2914-3. S2CID 12786563.
- Durumeric, Zakir; Adrian, David; Mirian, Ariana; Bailey, Michael; Halderman, J. Alex (2015). "A Search Engine Backed by Internet-Wide Scanning". Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15 (PDF). pp. 542–553. doi:10.1145/2810103.2813703. ISBN 9781450338325. S2CID 9808635.
- Lee, Seungwoon; Im, Sun-Young; Shin, Seung-Hun; Roh, Byeong-hee; Lee, Cheolho (2016). "Implementation and vulnerability test of stealth port scanning attacks using ZMap of censys engine". 2016 International Conference on Information and Communication Technology Convergence (ICTC). pp. 681–683. doi:10.1109/ICTC.2016.7763561. ISBN 978-1-5090-1325-8. S2CID 13876287.
- De Santis, Giulia; Lahmadi, Abdelkader; François, Jérôme; Festor, Olivier. "Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models". 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS). IEEE: 1–5.
- Arzhakov, Anton V; Babalova, Irina F (2017). "Analysis of current internet wide scan effectiveness". 2017 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EICon Rus). pp. 96–99. doi:10.1109/EIConRus.2017.7910503. ISBN 978-1-5090-4865-6. S2CID 44797603.