- Zmap
- $ zmap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.txt
- $ zmap -B 10M -p 80 -n 10000 -o results.txt
- /etc/zmap/blacklist.conf
- multicast, RFC1918
- --dryrun
- --verbosity=n
- -p, --target-port=port
- -o, --output-file=name
- -b, --blacklist-file=path
- Scan Options
- -n, --max-targets=n
- Cap the number of targets to probe. This can either be a number (e.g. -n 1000) or a percentage (e.g. -n 0.1%) of the scannable address space (after excluding blacklist)
- -N, --max-results=n
- Exit after receiving this many results
- -t, --max-runtime=secs
- Cap the length of time for sending packets
- -r, --rate=pps
- Set the send rate in packets/sec
- -B, --bandwidth=bps
- Set the send rate in bits/second (supports suffixes G, M, and K, e.g. -B10M for 10 Mbps). This overrides the --rate flag.
- -c, --cooldown-time=secs
- How long to continue receiving after sending has completed (default=8)
- -e, --seed=n
- Seed used to select address permutation. Use this if you want to scan addresses in the same order for multiple ZMap runs.
- -T, --sender-threads=n
- Threads used to send packets (default=1)
- -P, --probes=n
- Number of probes to send to each IP (default=1)
- -d, --dryrun
- Print out each packet to stdout instead of sending it (useful for debugging)
- Network Options
- -s, --source-port=port|range
- Source port(s) to send packets from
- -S, --source-ip=ip|range
- Source address(es) to send packets from. Either a single IP or a range (e.g. 10.0.0.1-10.0.0.9)
- -G, --gateway-mac=addr
- Gateway MAC address to send packets to (in case auto-detection does not work)
- -i, --interface=name
- Network interface to use
- Module Options
- -M, --probe-module=name
- Select probe module (default=tcp_synscan)
- -O, --output-module=name
- Select output module (default=simple_file)
- --probe-args=args
- Arguments to pass to probe module
- --output-args=args
- Arguments to pass to output module
- --list-output-modules
- List available output modules (e.g. extended_file)
- --list-probe-modules
- List available probe modules (e.g. tcp_synscan)
- Additional Options
- -C, --config=filename
- Read a configuration file, which can specify any other options.
- -q, --quiet
- Do not print status updates once per second
- -g, --summary
- Print configuration and summary of results at the end of the scan
- -v, --verbosity=n
- Level of log detail (0-5, default=3)
- -h, --help
- Print help and exit
- -V, --version
- Print version and exit
- TCP SYN Scans
- -p, --target-port=port
- TCP port number to scan (e.g. 443)
- -s, --source-port=port|range
- Source port(s) for scan packets (e.g. 40000-50000)
- Other Stuff
- $ zmap --probe-module=icmp_echoscan
- $ zmap --probe-module=udp -p 53 -N 100 -o -   (the -o - flag writes results to stdout so they can be piped)
- --summary flag
- Rate Limiting and Sampling
- -r, --rate=pps
- Set maximum send rate in packets/sec
- -B, --bandwidth=bps
- Set send rate in bits/sec (supports suffixes G, M, and K). This overrides the --rate flag.
- -n, --max-targets=n
- Cap number of targets to probe
- -N, --max-results=n
- Cap number of results (exit after receiving this many positive results)
- -t, --max-runtime=s
- Cap length of time for sending packets (in seconds)
- -e, --seed=n
- Seed used to select address permutation. Specify the same seed in order to scan addresses in the same order for different ZMap runs.
- ========================================
- Banner Grab
- ========================================
- TCP Banner Grab
- ======
- This utility connects (TCP) to IP addresses provided over stdin, optionally sends them a small message, and waits for their response. The response is then printed along with the host's IP address on stdout. Status messages appear on stderr.
- USING:
- -----
- make
- #echo -e -n "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" > http-req
- zmap -p 80 -N 1000 -o - | ./banner-grab-tcp -p 80 -c 100 -d http-req > http-banners.out
- OPTIONS:
- -----
- -c, --concurrent  Number of connections that can be in flight at once. This, combined with the timeouts, decides the maximum rate at which banners are grabbed. If this value is set higher than 1000, raise the file-descriptor limit with `ulimit -SSn 1000000` and `ulimit -SHn 1000000` to avoid running out of file descriptors (typically capped at 1024).
- -p, --port  The port to connect to on each host.
- -t, --conn-timeout  Connection timeout (seconds). Give up on a host if connect has not completed by this time. Default: 4 seconds.
- -r, --read-timeout  Read timeout (seconds). Give up on a host if, after connecting (and optionally sending data), it has not sent any response by this time. Default: 4 seconds.
- -v, --verbosity  Set status verbosity. Status/error messages are output on stderr. This value can be 0-5, with 5 being the most verbose (LOG_TRACE). Default: 3 (LOG_INFO).
- -f, --format  Format in which to output banner responses. One of 'hex', 'ascii', or 'base64'. 'hex' outputs ASCII hex characters, e.g. 48656c6c6f; 'ascii' outputs the raw bytes without separators, e.g. Hello; 'base64' outputs base64 encoding, e.g. SGVsbG8=. Default is base64.
- -d, --data  Optional data file. This data will be sent to each host upon successful connection. Currently the file may not contain null characters, but it supports up to 4 occurrences of the current host's IP address, by replacing %s with the dotted-quad string (inet_ntoa) of that host's IP address.
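The -f/--format and -d/--data options above describe the shape of what banner-grab-tcp emits and consumes. As an added example (not part of these notes or of the ZMap project's code), the Python below decodes output lines in each of the three formats, tolerates an undecodable payload, pulls out an HTTP Server header so the result can be turned into an inventory of what services on your own address space advertise, and expands the %s placeholders of a -d data file the way the description says. Assumptions not stated on the page: each output line is `<ip> <payload>` separated by a single space, and the sample lines and addresses are constructed.

```python
"""Decode banner-grab-tcp style output and inventory advertised servers.

Added example; assumptions not stated on the page: each stdout line is
"<ip> <payload>" separated by a single space, and the payload is encoded
as selected by -f/--format ('hex', 'ascii' or 'base64').
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines: the same kind of HTTP reply in each format.
SAMPLE_HEX = ("192.0.2.10 "
              "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e780d0a0d0a")
SAMPLE_ASCII = "192.0.2.11 HTTP/1.1 200 OK"
SAMPLE_B64 = "192.0.2.12 " + base64.b64encode(
    b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n").decode("ascii")
SAMPLE_BAD = "192.0.2.13 4854545"  # odd-length hex: an undecodable payload

# Matches a Server header on any line of the response (case-insensitive).
SERVER_RE = re.compile(rb"^Server:[ \t]*([^\r\n]*)", re.MULTILINE | re.IGNORECASE)


def decode_banner(payload: str, fmt: str) -> bytes:
    """Turn the encoded payload back into the raw bytes the host sent."""
    if fmt == "hex":
        return bytes.fromhex(payload)  # ValueError on malformed hex
    if fmt == "base64":
        # binascii.Error (a ValueError subclass) on bad input
        return base64.b64decode(payload, validate=True)
    if fmt == "ascii":
        return payload.encode("latin-1")  # 1:1 byte mapping, nothing to decode
    raise ValueError(f"unknown banner format: {fmt}")


def parse_line(line: str, fmt: str) -> Tuple[str, Optional[bytes]]:
    """Split one output line into (ip, banner); banner is None if undecodable."""
    ip, _, payload = line.rstrip("\r\n").partition(" ")
    try:
        return ip, decode_banner(payload, fmt)
    except ValueError:
        # Keep the host (it did answer) but record that the banner was unusable.
        return ip, None


def server_header(banner: bytes) -> Optional[str]:
    """Extract the value of the Server header, if the banner looks like HTTP."""
    match = SERVER_RE.search(banner)
    return match.group(1).decode("latin-1").strip() if match else None


def inventory(lines: List[str], fmt: str) -> Dict[str, Optional[str]]:
    """Map each responding host to the server software it advertises."""
    seen: Dict[str, Optional[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        ip, banner = parse_line(line, fmt)
        seen[ip] = server_header(banner) if banner is not None else None
    return seen


def render_probe(template: bytes, ip: str, max_subs: int = 4) -> bytes:
    """Expand %s in a -d data file as the page describes (at most 4 uses)."""
    if template.count(b"%s") > max_subs:
        raise ValueError(f"more than {max_subs} %s placeholders in probe data")
    return template.replace(b"%s", ip.encode("ascii"))


if __name__ == "__main__":
    print(render_probe(b"GET / HTTP/1.1\r\nHost: %s\r\n\r\n", "192.0.2.1"))
    print(inventory([SAMPLE_HEX, SAMPLE_BAD], "hex"))
    print(inventory([SAMPLE_ASCII], "ascii"))
    print(inventory([SAMPLE_B64], "base64"))
```

The decoder deliberately keeps a host whose payload fails to decode rather than dropping the line: a truncated or non-conforming banner is still evidence that something answered on that port, which is exactly what an exposure inventory needs to record.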
- Writing Probe and Output Modules
- --list-probe-modules
- Lists installed probe modules
- --list-output-modules
- Lists installed output modules