loading
loading
Network
ZMap is a fast single-packet network scanner designed for internet-wide network surveys.
overview
zmap scans enormous IP ranges by sending a single stateless packet per target and listening for responses, rather than tracking per-connection state. That design covers huge address spaces at very high packet rates, which is why teams use it for internet-wide surveys and for sweeping large internal ranges for a specific open port.
You control the scan with probe and pacing options. A probe module such as tcp_synscan decides what packets go out, --target-ports sets which ports to test, and --rate or --bandwidth caps how fast it sends so you stay within your link and your rules of engagement. Allowlist and blocklist files constrain the scan to or away from specific CIDR ranges, and sharding splits one scan across machines.
On Trickest, zmap is a Network node that reads a target range and writes a file and a folder of responsive hosts. Run it as the first stage of a wide survey to find which addresses answer on a port, then feed those results to a banner grabber that fingerprints each open service.
source github.com/zmap/zmap
use cases
Run a SYN scan across a CIDR block or a list of IPs to find every host answering on a target port, fast enough to cover internet-scale address space.
Cap the send rate or bandwidth so the scan respects your link capacity and your rules of engagement instead of saturating the network.
Use allowlist and blocklist files in CIDR notation to keep the scan inside the ranges you are authorized to test and out of ones you must avoid.
Pass the responsive hosts to zgrab2 so each open port gets a full application grab, turning a list of open ports into identified services.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-ports | STRING | --target-ports | Comma-delimited list of ports and port ranges to scan. |
| probe-module | STRING | --probe-module | Select probe module (default tcp_synscan). |
| rate | STRING | --rate | Set send rate in packets per second. |
| bandwidth | STRING | --bandwidth | Set send rate in bits per second (supports G, M, K suffixes). |
| allowlist-file | FILE | --allowlist-file | File of subnets to constrain the scan to, in CIDR notation. |
| blocklist-file | FILE | --blocklist-file | File of subnets to exclude, in CIDR notation. |
| output-fields | STRING | --output-fields | Fields that should be output in the result set. |
| max-targets | STRING | --max-targets | Cap number of targets to probe (a number or a percentage of the address space). |
Showing key inputs. zmap exposes 50 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| rate | STRING | --rate | Set send rate in packets/sec |
| seed | STRING | --seed | Seed used to select address permutation |
| batch | STRING | --batch | Set the number of packets to send per iteration |
| cores | STRING | --cores | Comma-separated list of cores to pin to |
| notes | STRING | --notes | Inject user-specified notes into scan metadata |
| quiet | BOOLEAN | --quiet | Do not print status updates |
| shard | STRING | --shard | Set which shard this scan is (0 indexed) (default=`0') |
| config | FILE | --config | Read a configuration file, which can specify any of these options |
| dryrun | BOOLEAN | --dryrun | Don't actually send packets |
| probes | STRING | --probes | Number of probes to send to each IP (default=`1') |
| shards | STRING | --shards | Set the total number of shards (default=`1`) |
| iplayer | BOOLEAN | --iplayer | Sends IP packets instead of Ethernet (for VPNs) |
| retries | STRING | --retries | Max number of times to try to send packet if send fails (default=`10') |
| bandwidth | STRING | --bandwidth | Set send rate in bits/second (supports suffixes G, M and K) |
| interface | STRING | --interface | Specify network interface to use |
| probe-ttl | STRING | --probe-ttl | Set TTL value for probe IP packets (default=`255') |
| source-ip | STRING | --source-ip | Source address(es) for scan packets (ip or range) |
| verbosity | STRING | --verbosity | Level of log detail (0-5) (default `3') |
| probe-args | STRING | --probe-args | Arguments to pass to probe module |
| source-mac | STRING | --source-mac | Source MAC address |
| fast-dryrun | BOOLEAN | --fast-dryrun | Don't actually send packets, print out a binary representation probe dst IP and dst Port. Used for faster integration tests, not for general use. |
| gateway-mac | STRING | --gateway-mac | Specify gateway MAC address |
| max-results | STRING | --max-results | Cap number of results to return |
| max-runtime | STRING | --max-runtime | Cap length of time for sending packets |
| max-targets | STRING | --max-targets | Cap number of targets to probe (as a number or a percentage of the address space) |
| min-hitrate | STRING | --min-hitrate | Minimum hitrate that scan can hit before scan is aborted (default=`-1') |
| output-args | STRING | --output-args | Arguments to pass to output module |
| source-port | STRING | --source-port | Source port(s) for scan packets (port or range) |
| dedup-method | STRING | --dedup-method | Specifies how response deduplication should be performed. Options: default, none, full, window |
| probe-module | STRING | --probe-module | Select probe module (default `tcp_synscan') |
| target-ports | STRING | --target-ports | comma-delimited list of ports and port ranges to scan (for TCP and UDP scans) |
| cooldown-time | STRING | --cooldown-time | How long to continue receiving after sending last probe (default=`8') |
| no-header-row | BOOLEAN | --no-header-row | Precludes outputting any header rows in data (e.g., CSV headers) |
| output-fields | STRING | --output-fields | Fields that should be output in result set |
| output-filter | STRING | --output-filter | Specify a filter over the response fields to limit what responses get sent to the output module |
| output-module | STRING | --output-module | Select output module |
| user-metadata | FILE | --user-metadata | Inject user-specified JSON metadata into scan (JSON) |
| allowlist-file | FILE | --allowlist-file | File of subnets to constrain scan to, in CIDR notation, e.g. 192.168.0.0/16 |
| blocklist-file | FILE | --blocklist-file | File of subnets to exclude, in CIDR notation, e.g. 192.168.0.0/16 |
| disable-syslog | BOOLEAN | --disable-syslog | Disables logging messages to syslog |
| sender-threads | STRING | --sender-threads | Threads used to send packets (default `4') |
| list-of-ips-file | FILE | --list-of-ips-file | List of individual addresses to scan in random order. Use --white-list file unless >1 million IPs |
| netmap-wait-ping | STRING | --netmap-wait-ping | Wait for IP to respond to ping before commencing scan (netmap only) |
| dedup-window-size | STRING | --dedup-window-size | Specifies window size for how many recent responses to keep in memory for deduplication (default=`1000000`) |
| list-output-fields | BOOLEAN | --list-output-fields | List all fields that can be output by selected probe module |
| list-probe-modules | BOOLEAN | --list-probe-modules | List available probe modules |
| list-output-modules | BOOLEAN | --list-output-modules | List available output modules |
| max-sendto-failures | STRING | --max-sendto-failures | Maximum NIC sendto failures before scan is aborted (default=`-1') |
| validate-source-port | STRING | --validate-source-port | Override to validate if probe responses have a valid src port corresponding to sent probe's dst port. "enable" or "disable" |
| ignore-blocklist-errors | BOOLEAN | --ignore-blocklist-errors | --ignore-blocklist-errors Ignore invalid entries in allowlist/blocklist |
example
# SYN sweep allowlisted docs CIDR for web ports (scope.txt holds 198.51.100.0/24)zmap --target-ports=80,443 --rate=10000 --allowlist-file=scope.txt --output-fields=saddr,dportsaddr,dport198.51.100.10,80198.51.100.10,443198.51.100.23,443198.51.100.64,80203.0.113.15,443203.0.113.40,80203.0.113.40,443guidance
Use zmap to sweep very large IP ranges for open ports at high speed. It finds responsive hosts, it does not fingerprint them, so follow it with a banner grabber like zgrab2. For deeper per-host port and service detail on a smaller set, use nmap or naabu.
Another stateless internet-scale port scanner. zmap pairs cleanly with zgrab2 for grabbing.
Fast SYN/CONNECT port scanner for host lists. Better for targeted ranges than internet-wide sweeps.
Deep per-host port and service scanner. Slower, far richer detail on a smaller scope.
faq
related
Quickly map an organization's network ranges using ASN information.
Maximize your resolver count by combining the target's DNS servers with public resolvers.
Expand CIDR ranges into a list of IP addresses easily.
Expand CIDR ranges into a list of IP addresses easily, from a file.
Maintain a list of IPv4 DNS servers verified against baseline servers for accurate responses.
Patched dnsvalidator that keeps only IPv4 resolvers verified against baseline servers.
A CIDR range feeds zmap, which finds responsive hosts on a port and passes them to zgrab2-http so identified services land as a queryable output.
Facts on this page come from the live Trickest tool library.