ZMap is designed to execute widespread scans of the IPv4 address space or large portions of it. It is a very powerful tool for cyber security services researchers, and you can scan the entire IPv4 address space by using its high rate of 1.4 million packets per second.
ZMap can’t replace general-purpose mappers like Nmap, which is excellent for scanning sub-networks in depth. ZMap is intended to do a shallow scan – typically of a single port or service – of the entire internet, or at least the IPv4 internet, from a single, dedicated computer, in under an hour. Ame Wilson, cyber security audit services consultant mentions that ZMap is proficient of scanning the IPv4 public address space over 1300 times faster than the Nmap.
ZMap is able to work so fast because it uses cyclic multiplicative groups. ZMap has been designed to achieve parallelism and performance. First, ZMap is completely stateless, which means that it does not maintain status per connection. In place of maintaining a big list of probes it’s sent, and the time they’ve been out there, and how much longer it should wait for each one, and thoroughly updating the list with every acknowledged response, ZMap just use cyclic multiplicative group to avoid all this
Second, ZMap sends in parallel as many probes as the network bandwidth permits, in order to attain the maximum rate possible. Normally all the probes are sent in a pseudo-random order, so that’s if lot of people do scan together there is no DDOS attack, this way the probability to overload a single network is greatly reduced. Although each successive probe follows a strict algorithmic sequence, the IP numbers randomly bounce around the IPv4 address space. Thus, we don’t get thousands of probes delivered in on a single subnet at the same time.
Because of these reasons with ZMap we can scan about 3.7 billion addresses available for use in IPv4 addresses, in an hour thus ZMap really can crawl across the entire internet.
By default, ZMap will execute a TCP SYN scan on the particular port at the maximum rate possible. A more different configuration will be to scan 10,000 random addresses on port 80 at a maximum 10 Mbps and can be run as follows:
$ ZMap –bandwidth=10M –target-port=80 –max-targets=10000 –output-file=results.csv
You can also use ZMap to scan specific subnets or CIDR blocks. For instance, to scan only 10.0.0.0/8 and 192.168.0.0/16 on port 80, run:
ZMap -p 80 -o results.csv 10.0.0.0/8 192.168.0.0/16
As per cyber security services expert, normally when we use ZMap, it will deliver a list of distinct IP addresses that answered successfully (e.g. with a SYN ACK packet). Also it is recommended to use a blacklist file, with which you can exclude both reserved/unallocated IP space (e.g. multicast, RFC1918), as well as companies or military networks that should be excluded from your scans. By default, ZMap will employ a simple blacklist file having reserved and unallocated addresses and this file can be found in /etc/ZMap/blacklist.conf.