Zmap commands

Zmap

$ zmap --bandwidth=10M --target-port=80 --max-target s=10000 --output-file=results.txt


$ zmap -B 10M -p 80 -n 10000 -o results.txt


/etc/zmap/blacklist.conf

multicast, RFC1918

--dryrun

--verbosity=n

-p, --target-port=port -o, --output-file=name -b, --blacklist-file=path


Scan Options


-n, --max-targets=n

Cap the number of targets to probe. This can either be a number (e.g. -n 1000) or a percentage (e.g. -n 0.1%) of the scannable address space (after excluding blacklist)

-N, --max-results=n

 Exit after receiving this many results

-t, --max-runtime=secs

 Cap the length of time for sending packets

-r, --rate=pps

 Set the send rate in packets/sec

-B, --bandwidth=bps

Set the send rate in bits/second (supports suffixes G, M, and K (e.g.  -B10M  for 10 mbps). This overrides the  --rate  flag.

-c, --cooldown-time=secs

 How long to continue receiving after sending has completed (default=8)

-e, --seed=n

 Seed used to select address permutation. Use this if you want to scan addresses in the same order for multiple ZMap runs.


-T, --sender-threads=n

Threads used to send packets (default=1)

 -P, --probes=n

Number of probes to send to each IP (default=1)

 -d, --dryrun

Print out each packet to stdout instead of sending it (useful for debugging)


Network Options
-s, --source-port=port|range

Source port(s) to send packets from

-S, --source-ip=ip|range

Source address(es) to send packets from. Either single IP or range (e.g. 10.0.0.1- 10.0.0.9)

 -G, --gateway-mac=addr

Gateway MAC address to send packets to (in case auto-detection does not work)

-i, --interface=name

 Network interface to use


Module Options


 -M, --probe-module=name

Select probe module (default=tcp_synscan)

 -O, --output-module=name

Select output module (default=simple_file)

 --probe-args=args

Arguments to pass to probe module

 --output-args=args

Arguments to pass to output module

 --list-output-modules

List available output modules (e.g. tcp_synscan)

--list-probe-modules

 List available probe modules (e.g. extended_file)


Additional Options

-C, --config=filename

 Read a configuration file, which can specify any other options.

-q, --quiet

 Do not print status updates once per second

-g, --summary

 Print configuration and summary of results at the end of the scan

-v, --verbosity=n

 Level of log detail (0-5, default=3)


-h, --help

 Print help and exit


-V, --version

 Print version and exit


TCP SYN Scans

 -p, --target-port=port

TCP port number to scan (e.g. 443)

-s, --source-port=port|range

 Source port(s) for scan packets (e.g. 40000-
50000)


 Other Stuff

$ zmap --probe-module=icmp_echoscan


$ zmap --probe-module=udp -p 53 -N 100 -o - flag

 --summary flag


Rate Limiting and Sampling

-r, --rate=pps

Set maximum send rate in packets/sec

-B, --bandwidth=bps

 Set send rate in bits/sec (supports suffixes G,
M, and K). This overrides the --rate flag.


-n, --max-targets=n
Cap number of targets to probe

-N, --max-results=n


Cap number of results (exit after receiving this            many positive results)


-t, --max-runtime=s

 Cap length of time for sending packets (in seconds)

-s, --seed=n

 Seed used to select address permutation. Specify the same seed in order to scan addresses in the same order for different ZMap runs.


========================================
                     Banner Grab
========================================

TCP Banner Grab
======

This utility will connect (TCP) to ip addresses provide over stdin, optionally
send them a small message, and wait for their response. The response is then
printed along with their IP address on stdout. Status messages appear on stderr.


USING:
-----
make
#echo -e -n "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" > http-req
zmap -p 80 -N 1000 -o - | ./banner-grab-tcp -p 80 -c 100 -d http-req > http-banners.out


OPTIONS:
-----
-c, --concurent         Number of connections that can be going on at once.
                        This, combined with timeouts, will decide the maximum
                        rate at which banners are grabbed. If this value
                        is set higher than 1000, you should use
                        `ulimit -SSn 1000000` and `ulimit -SHn 1000000` to
                        avoid running out of file descriptors (typically capped
                        at 1024).

-p, --port              The port which to connect to hosts on

-t, --conn-timeout      Connection timeout (seconds). Give up on a host if connect
                        has not completed by this time. Default: 4 seconds.

-r, --read-timeout      Read timeout (seconds). Give up on a host if after
                        connecting (and optionally sending data), it does
                        not send any response by this time. Default: 4 seconds.

-v, --verbosity         Set status verbosity. Status/error messages are outputed
                        on stderr. This value can be 0-5, with 5 being the most
                        verbose (LOG_TRACE). Default: 3 (LOG_INFO)

-f, --format            Format to output banner responses. One of 'hex', 'ascii',
                        or 'base64'.
                        'hex' outputs ascii hex characters, e.g. 48656c6c6f.
                        'ascii' outputs ascii, without separators, e.g. Hello
                        'base64' outputs base64 encoding, e.g. SGVsbG8=
                        Default is base64.

-d, --data              Optional data file. This data will be sent to each host
                        upon successful connection. Currently, this file does
                        not allow null characters, but supports up to 4
                        occurances of the current host's IP address, by replacing
                        %s with the string (inet_ntoa) of that host's IP address.


Writing Probe and Output Modules

 --list-probe-modules

Lists installed probe modules

 --list-output-modules

Lists installed output modules


==================
 tcp banner grab
==================


banner-grab-tcp

=======================