ZMap (software)
{{Short description|Free and open-source network scanner}}
{{Infobox software
| name = ZMap
| logo = ZMap logo from GitHub.png
| logo alt =
| logo caption =
| screenshot =
| screenshot alt =
| caption =
| collapsible =
| author = University of Michigan{{cite web|url=https://zmap.io/history|title=About the Project|website=The ZMap Project|access-date=10 Aug 2018}}
| released = {{Start date and age|2013|08|16}}
| discontinued =
| ver layout =
| latest release version = 4.2.0
| latest release date = {{Start date and age|2024|07|10}}
| latest preview version =
| latest preview date =
| repo = {{URL|https://github.com/zmap/zmap}}
| programming language = C
| operating system = Cross-platform
| platform =
| size =
| language = English
| language count =
| language footnote =
| genre = computer security, network management
| license = Apache License 2.0{{cite web|url=https://github.com/zmap/zmap|title=GitHub - zmap/zmap|website=GitHub|date=2 Jul 2018|access-date=10 Aug 2018}}
| alexa =
| website = {{URL|https://zmap.io/}}
| standard =
| AsOf =
}}
ZMap is a free and open-source security scanner that was developed as a faster alternative to Nmap. ZMap was designed for information security research and can be used for both white hat and black hat purposes. The tool is able to discover vulnerabilities and their impact, and detect affected IoT devices.
Using one gigabit per second of network bandwidth, ZMap can scan the entire IPv4 address space in 44 minutes on a single port.{{cite web|url=https://nakedsecurity.sophos.com/2013/08/20/welcome-to-zmap-the-one-hour-turnaround-internet-scanner/|title=Welcome to Zmap, the "one hour turnaround" internet scanner.|last=Ducklin|first=Paul|date=20 Aug 2013|website=Sophos|access-date=10 Aug 2018}} With a ten gigabit connection, ZMap can complete a scan in under five minutes.{{Cite journal|last=Adrian|first=David|date=2014|title=Zippier ZMap: Internet-Wide Scanning at 10 Gbps|url=https://www.usenix.org/system/files/conference/woot14/woot14-adrian.pdf|journal=USENIX Workshop on Offensive Technologies}}
Operation
ZMap iterates on techniques utilized by its predecessor, Nmap, by altering the scanning method in a few key areas. Nmap sends out individual signals to each IP address and waits for a reply. As replies return, Nmap compiles them into a database to keep track of responses, a process that slows down the scanning process. In contrast, ZMap uses cyclic multiplicative groups, which allows ZMap to scan the same space roughly 1,300 times faster than Nmap.{{Cite book |last=De Santis |first=Giulia |url=http://docnum.univ-lorraine.fr/public/DDOC_T_2018_0201_DE_SANTIS.pdf |title=Modeling and Recognizing Network Scanning Activities with Finite Mixture Models and Hidden Markov Models |publisher=Université de Lorraine |year=2018}} The ZMap software takes every number from 1 to 2<sup>32</sup>−1 and creates an iterative formula that ensures that each of the possible 32-bit numbers is visited once in a pseudorandom order. Building the initial list of numbers for every IP address takes upfront time, but it is a fraction of what is required to aggregate a list of every sent and received probe. This process ensures that once ZMap starts sending probes out to different IPs, an accidental denial of service could not occur because an abundance of transmissions would not converge on one subnet at the same time.{{cite web|url=https://www.vice.com/en/article/now-you-can-scan-the-internet-in-under-an-hour/|title=Now You Can Scan the Entire Internet in Under an Hour|last=Berko|first=Lex|website=Motherboard|date=19 Aug 2013|access-date=10 Aug 2018}}
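The cyclic-group walk described above can be checked on a scaled-down model. The following is an added example, not code from ZMap: it uses a constructed 16-bit address space with the prime 65537 and generator 3, and the function names are hypothetical. It verifies that the walk reaches every value exactly once and measures how many consecutive probes fall in the same 256-address block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed scaled-down model: a 16-bit "address space" and the prime
   just above it, standing in for the 32-bit space the article describes. */
#define SPACE 65536u
#define P     65537u

static uint32_t modpow(uint32_t b, uint32_t e) {
    uint64_t r = 1, x = b % P;
    for (; e; e >>= 1, x = x * x % P)
        if (e & 1) r = r * x % P;
    return (uint32_t)r;
}

/* P-1 = 2^16 has the single prime factor 2, so g generates the whole
   multiplicative group mod P iff g^((P-1)/2) != 1. */
int is_generator(uint32_t g) { return g % P != 0 && modpow(g, (P - 1) / 2) != 1; }

/* One step of the walk: multiply by g mod P, skipping the group element
   that falls outside the address space. No per-target state is kept. */
uint32_t next_target(uint32_t cur, uint32_t g) {
    do cur = (uint32_t)((uint64_t)cur * g % P); while (cur >= SPACE);
    return cur;
}

/* Walk until the start value recurs. Returns the number of distinct targets
   (0 on a repeat) and the longest run of probes in one 256-address block. */
uint32_t walk_cycle(uint32_t start, uint32_t g, uint32_t *longest_run) {
    static uint8_t seen[SPACE];   /* used only to verify the walk */
    uint32_t cur = start, count = 0, run = 1, best = 1;
    memset(seen, 0, sizeof seen);
    do {
        uint32_t prev_block = cur >> 8;
        if (seen[cur]) return 0;
        seen[cur] = 1; count++;
        cur = next_target(cur, g);
        run = ((cur >> 8) == prev_block) ? run + 1 : 1;
        if (run > best) best = run;
    } while (cur != start);
    if (longest_run) *longest_run = best;
    return count;
}

int main(void) {
    uint32_t run = 0, n = walk_cycle(1, 3, &run);
    return printf("g=3: %u targets, longest same-block run %u\n", n, run) < 0;
}
```

A sequential sweep of the same space would place 256 consecutive probes in each block; a multiplier that is not a generator, such as 4 here, covers only a small fraction of the space.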
ZMap also speeds up the scanning process by sending a probe to every IP address only once by default, whereas Nmap resends a probe when it detects a connection delay or fails to get a reply.{{Cite book|doi=10.1109/NTMS.2016.7792461|url=https://hal.inria.fr/hal-01404127/document|chapter=Modeling of IP Scanning Activities with Hidden Markov Models: Darknet Case Study|title=2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS)|pages=1–5|year=2016|last1=De Santis|first1=Giulia|last2=Lahmadi|first2=Abdelkader|last3=Francois|first3=Jerome|last4=Festor|first4=Olivier|isbn=978-1-5090-2914-3|s2cid=12786563}} This results in about 2% of IP addresses being missed during a typical scan, but when processing billions of IP addresses, or potential IoT devices being targeted by cyberattackers, 2% is an acceptable tolerance.
Usage
ZMap can be used for both vulnerability detection and exploitation.{{Cite book|doi=10.1145/2810103.2813703|url=http://mdbailey.ece.illinois.edu/publications/ccs15_censys.pdf|chapter=A Search Engine Backed by Internet-Wide Scanning|title=Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15|pages=542–553|year=2015|last1=Durumeric|first1=Zakir|last2=Adrian|first2=David|last3=Mirian|first3=Ariana|last4=Bailey|first4=Michael|last5=Halderman|first5=J. Alex|isbn=9781450338325|s2cid=9808635}}
The application has been used for port 443 scans to estimate power outages during Hurricane Sandy in 2013. One of the developers of ZMap, Zakir Durumeric, used his software to determine a computer's online state, vulnerabilities, operating system, and services.{{Cite book|doi=10.1109/ICTC.2016.7763561|chapter=Implementation and vulnerability test of stealth port scanning attacks using ZMap of censys engine|title=2016 International Conference on Information and Communication Technology Convergence (ICTC)|pages=681–683|year=2016|last1=Lee|first1=Seungwoon|last2=Im|first2=Sun-Young|last3=Shin|first3=Seung-Hun|last4=Roh|first4=Byeong-hee|last5=Lee|first5=Cheolho|isbn=978-1-5090-1325-8|s2cid=13876287}}{{Cite journal |last1=De Santis |first1=Giulia |last2=Lahmadi |first2=Abdelkader |last3=François |first3=Jérôme |last4=Festor |first4=Olivier |title=Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models |url=https://hal.inria.fr/hal-01935664/document |journal=2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS) |publisher=IEEE |pages=1–5}} ZMap has also been used to detect vulnerabilities in universal plug and play devices and search for weak public keys in HTTPS website logs.{{Cite book|doi=10.1109/EIConRus.2017.7910503|chapter=Analysis of current internet wide scan effectiveness|title=2017 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EICon Rus)|pages=96–99|year=2017|last1=Arzhakov|first1=Anton V|last2=Babalova|first2=Irina F|isbn=978-1-5090-4865-6|s2cid=44797603}}
See also
{{Portal|Free and open-source software}}
References
{{reflist}}