LinuxCommandLibrary

zmap

Scan networks for responsive hosts and services

TLDR

Scan a subnet or full IPv4 space for a specific TCP port (the default tcp_synscan probe module requires one)

$ zmap [SUBNETS] [[-p|--target-ports]] [port]

Scan specific ports or port ranges across a subnet
$ zmap [[-p|--target-ports]] [port1,port2-port3,...] [SUBNETS]

Output results to a CSV file with custom fields
$ zmap [[-o|--output-file]] [path/to/output_file.csv] [[-f|--output-fields]] "[saddr,daddr,sport,dport]" [SUBNETS]

Limit the scan rate to a specific number of packets per second
$ zmap [[-r|--rate]] [packets_per_second] [SUBNETS]

Perform a dry run without sending packets
$ zmap [[-d|--dryrun]] [SUBNETS]

Exclude subnets using a blocklist file in CIDR notation
$ zmap [[-b|--blocklist-file]] [path/to/blocklist.txt] [SUBNETS]

Set a specific source IP for scan packets
$ zmap [[-S|--source-ip]] [source_ip] [SUBNETS]

Cap the number/percentage of targets to probe (e.g. 1000 IP/port pairs)
$ zmap [[-n|--max-targets]] [1000] [SUBNETS] [[-p|--target-ports]] [port1,port2-port3]
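Putting the TLDR lines together with the rate-limit and blocklist advice from CAVEATS as one rehearsable run, as an added example that is not from LinuxCommandLibrary or the ZMap project: the target range 10.0.8.0/22, the blocklist path, the send rate, the seed and the output file name are assumed lab values, and the CSV rows are constructed, not captured from a real scan. The command line is printed rather than executed so it can be reviewed (and tried with --dryrun) before a packet leaves the interface.

```shell
#!/usr/bin/env bash
# Added example, not from LinuxCommandLibrary or the ZMap project: assemble a
# rate-limited, blocklisted, reproducible TCP SYN scan of one lab range and
# summarise the CSV it writes. Range, paths, rate and seed are assumed lab
# values; every flag used here is a real ZMap option.
set -eu

# Compose the command line for a tcp_synscan of SUBNET on PORT. The blocklist
# (-b) keeps out ranges you are not authorised to touch, -r bounds packets per
# second, -e fixes the address order so a re-run is reproducible, and -f picks
# the CSV columns. Printed, not executed, so it can be reviewed first.
build_zmap_cmd() {
    local subnet=$1 port=$2 rate=$3 blocklist=$4 seed=$5 out=$6
    printf 'zmap -M tcp_synscan -p %s -r %s -b %s -e %s -o %s -f %s %s' \
        "$port" "$rate" "$blocklist" "$seed" "$out" \
        "saddr,daddr,sport,dport,classification,success" "$subnet"
}

# Count distinct responding hosts per scanned port. ZMap names fields from the
# reply packet's point of view: saddr/sport are the target host and the port it
# answered on, daddr/dport are the scanner's address and its own source port.
# Only rows with success=1 (a SYN-ACK for tcp_synscan) count; a RST means the
# host is up but the port is closed. Repeated answers from one host count once.
count_open_per_port() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["success"] == 1 {
            key = $col["sport"] SUBSEP $col["saddr"]
            if (!(key in seen)) { seen[key] = 1; n[$col["sport"]]++ }
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }
    ' "$1" | sort -n
}

# Constructed sample in the layout the csv output module writes for the fields
# selected above (header line first); not real scan data.
SAMPLE_CSV=$(mktemp)
cat > "$SAMPLE_CSV" <<'EOF'
saddr,daddr,sport,dport,classification,success
10.0.8.17,10.0.99.5,443,51337,synack,1
10.0.8.17,10.0.99.5,443,51337,synack,1
10.0.9.200,10.0.99.5,443,51337,synack,1
10.0.10.3,10.0.99.5,443,51337,rst,0
10.0.8.41,10.0.99.5,22,51337,synack,1
EOF

# Show the command to review, then the per-port summary of the sample.
build_zmap_cmd 10.0.8.0/22 443 1000 /etc/zmap/blocklist.conf 20240601 lab-443.csv
echo
count_open_per_port "$SAMPLE_CSV"
```

Append --dryrun to the printed line for the first run; ZMap then prints each packet it would have sent, which is where a wrong subnet or a missing blocklist entry shows up. Note the field naming: saddr is the host that answered, so grouping by sport rather than dport gives responders per scanned port.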

SYNOPSIS

zmap [OPTIONS]... [SUBNETS]...

PARAMETERS

-p, --target-ports=ports
    Port(s) to probe, as a comma-separated list of ports and ranges (e.g. 80,443,8000-8080). Required for tcp_synscan.

-B, --bandwidth=bps
    Set send bandwidth in bits/second; G, M and K suffixes are accepted. An alternative to -r.

-r, --rate=pps
    Set send rate in packets/second.

-i, --interface=name
    Network interface to send packets from.

-S, --source-ip=ip
    Source IP address for probe packets (a single address or a range).

-s, --source-port=port
    Source port(s) for probe packets.

-n, --max-targets=n
    Cap the number of IP/port pairs to probe, as a count or as a percentage of the address space (e.g. 10%).

-N, --max-results=n
    Stop the scan once n results have been returned.

-o, --output-file=name
    Output file to write results to.

-f, --output-fields=fields
    Comma-separated fields to include in the output; --list-output-fields shows what the selected probe module provides.

-M, --probe-module=name
    Probe module to use (e.g. tcp_synscan, icmp_echoscan, udp). Default: tcp_synscan.

-d, --dryrun
    Do not send any packets; print the packets that would have been sent.

--list-probe-modules
    List available probe modules.

-e, --seed=n
    Seed for the address permutation; the same seed reproduces the same scan order.

-b, --blocklist-file=path
    File of CIDR ranges that must never be probed.

--shards=n, --shard=n
    Split the address space into n shards and scan shard number n (0-based); all shards must use the same seed.

DESCRIPTION

ZMap is a fast, single-packet network scanner designed for Internet-wide network surveys. Unlike traditional port scanners such as Nmap, which keep state for every host they probe, ZMap sends one probe per target and keeps no per-target state: the fields it controls in the probe (for TCP, the source port and sequence number) are derived from the destination, so a reply can be checked as genuinely belonging to this scan without a connection table. That is what lets a single machine on a gigabit link cover the public IPv4 space in well under an hour. ZMap is primarily intended for research, such as measuring how widely a protocol, a software version or a vulnerable configuration is deployed across the Internet.

Probe modules define the packet that is sent and how replies are classified (TCP SYN, ICMP echo, UDP with a given payload, and application-specific probes); output modules decide where results go and in what form (CSV by default). Both are C plug-ins, so custom probes and live processing of responses are possible. Because one run can emit millions of packets, responsible use matters: scanning networks you are not authorised to scan raises legal and ethical problems.

CAVEATS

Scanning the entire Internet or large address blocks will be treated as hostile by many of the networks on the path and by the targets themselves; expect abuse complaints to the owner of the source address. Always obtain permission before scanning networks you do not own or control, and follow the laws and regulations that apply to network scanning where you and the targets are. The traffic volume ZMap can generate will saturate an uplink or a stateful firewall if it is not bounded: use -r or -B to cap the send rate, keep a blocklist (-b) of ranges that must never be touched, and rehearse with --dryrun so you can inspect the packets and the target count before anything leaves the interface.

ADDRESS GENERATION

ZMap does not scan addresses in order. It walks a cyclic multiplicative group (the integers modulo a prime just above 2^32, stepping by a primitive root), which yields a pseudorandom permutation of the whole IPv4 space with no per-address bookkeeping and spreads the probes aimed at any one network across the whole run. The starting element is chosen from the seed (-e): the same seed reproduces the same order, and --shards/--shard divide one such permutation between several machines that share the seed.
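A scaled-down model of that walk, added here as an example and not ZMap's own code: ZMap uses the prime 2^32 + 15 and a random primitive root, while this model uses the prime 257 (so a /24 or anything smaller fits) and the primitive root 3, with the seed fixing the start element. The 10.0.8.0/24 prefix used to render indices as hosts is an assumed lab value.

```shell
#!/usr/bin/env bash
# Added example, not ZMap's own code: a scaled-down model of ZMap's address
# permutation. ZMap walks the multiplicative group of integers modulo the prime
# 2^32 + 15 with a random primitive root; this model uses P = 257 (so a /24 or
# smaller fits) and the primitive root 3, with the seed fixing the start element.
set -eu

# Emit every index in [0, N) exactly once, in the group-walk order determined by
# SEED. Element x of Z_P^* maps to index x - 1; indices at or beyond N are
# skipped rather than stored, which is why no per-address state is needed. With
# SHARDS and SHARD given, only every SHARDS-th element is emitted, so machines
# with the same seed but different shard numbers cover disjoint parts of one
# permutation.
permute_addresses() {
    local n=$1 seed=$2 shards=${3:-1} shard=${4:-0}
    local p=257 g=3
    local x=$(( seed % (p - 1) + 1 ))   # any element of Z_P^*, never 0
    local t=0 out=""
    while [ "$t" -lt $(( p - 1 )) ]; do
        if [ $(( t % shards )) -eq "$shard" ] && [ $(( x - 1 )) -lt "$n" ]; then
            out="$out$(( x - 1 )) "
        fi
        x=$(( x * g % p ))
        t=$(( t + 1 ))
    done
    printf '%s\n' "${out% }"
}

# Same arguments, but sorted: a quick check that the walk really is a permutation.
sorted_indices() {
    permute_addresses "$@" | tr ' ' '\n' | sort -n | paste -sd ' '
}

# Render an index as a host in the assumed lab /24.
index_to_ip() {
    printf '10.0.8.%s\n' "$1"
}

# First ten probes for a /25 with seed 42, then the same seed split two ways.
for i in $(permute_addresses 128 42 | cut -d' ' -f1-10); do index_to_ip "$i"; done
permute_addresses 128 42 2 0 | cut -d' ' -f1-5
permute_addresses 128 42 2 1 | cut -d' ' -f1-5
```

Re-running with the same seed gives the same order, which is what makes a partial scan resumable and a published result reproducible; changing the seed gives a different start point in the same cycle. The shard variant shows why every machine in a distributed scan must be given the same seed: the shards are slices of one permutation, and with different seeds they would overlap and leave gaps.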

PROBE MODULES

Probe modules describe how each target is probed and how its reply is classified. They include TCP SYN (tcp_synscan, the default), ICMP echo and UDP probes with a chosen payload, among others. List the available modules with --list-probe-modules and select one with -M/--probe-module; --list-output-fields then shows which fields that module can report.

HISTORY

ZMap was developed by Zakir Durumeric, Eric Wustrow and J. Alex Halderman at the University of Michigan and presented at USENIX Security in 2013 as a way to run Internet-wide surveys far faster than traditional port scanners, which were not built for that scale. It has since become a standard tool for network measurement, used to study protocol deployment, the reach of newly disclosed vulnerabilities and the prevalence of particular device types, and its findings have fed into security policy and practice.

SEE ALSO

nmap(1), masscan(1)
