zmap
From: Security
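zmap is a fast, open-source Internet scanner. It can scan the IPv4 address space in 45 minutes.
Reading
- zmap
- ぜっとまっぷ (zetto-mappu)
Overview
nmap is the well-known network scanning tool, but surveying a network with nmap can take a long time. To gain speed, zmap was made stateless:
- It skips the TCP/IP stack and generates Ethernet frames directly
- It does not track connection state
- It does not retransmit on timeout
Getting the source code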
git clone https://github.com/zmap/zmap.git
Installation
Build
Kali Linux
How to build in a Kali Linux environment.
sudo apt-get install libgmp3-dev libpcap-dev gengetopt
sudo apt-get install cmake
sudo apt-get install byacc flex
cmake CMakeLists.txt
make
Usage
Command-line options
root@kali:~/# zmap -h
zmap 1.0.0
A fast Internet-wide scanner.
Usage: zmap [OPTIONS]... [SUBNETS]...
Basic arguments:
  -p, --target-port=port        TCP port number to scan (for SYN scans)
  -o, --output-file=name        Output file
  -b, --blacklist-file=path     File of subnets to exclude, in CIDR notation, e.g. 192.168.0.0/16
  -w, --whitelist-file=path     File of subnets to constrain scan to, in CIDR notation, e.g. 192.168.0.0/16
  -f, --output-fields=fields    Fields that should be output in result set
Scan options:
  -n, --max-targets=n           Cap number of targets to probe (as a number or a percentage of the address space)
  -N, --max-results=n           Cap number of results to return
  -t, --max-runtime=ses         Cap length of time for sending packets
  -r, --rate=pps                Set send rate in packets/sec
  -B, --bandwidth=bps           Set send rate in bits/second (supports suffixes G, M and K)
  -c, --cooldown-time=secs      How long to continue receiving after sending last probe (default=`8')
  -e, --seed=n                  Seed used to select address permutation
  -T, --sender-threads=n        Threads used to send packets (default=`1')
  -P, --probes=n                Number of probes to send to each IP (default=`1')
  -d, --dryrun                  Don't actually send packets
Network options:
  -s, --source-port=port|range  Source port(s) for scan packets
  -S, --source-ip=ip|range      Source address(es) for scan packets
  -G, --gateway-mac=addr        Specify gateway MAC address
  -i, --interface=name          Specify network interface to use
  -X, --vpn                     Sends IP packets instead of Ethernet (for VPNs)
Advanced options:
  -M, --probe-module=name       Select probe module (default=`tcp_synscan')
  -O, --output-module=name      Select output module (default=`default')
      --probe-args=args         Arguments to pass to probe module
      --output-args=args        Arguments to pass to output module
      --output-filter=filter    Specify a filter over the response fields to limit what responses get sent to the output module
      --list-output-modules     List available output modules
      --list-probe-modules      List available probe modules
      --list-output-fields      List all fields that can be output by selected probe module
Additional options:
  -C, --config=filename         Read a configuration file, which can specify any of these options (default=`/etc/zmap/zmap.conf')
  -q, --quiet                   Do not print status updates
  -g, --summary                 Print configuration and summary at end of scan
  -v, --verbosity=n             Level of log detail (0-5) (default=`3')
  -h, --help                    Print help and exit
  -V, --version                 Print version and exit
Examples:
  zmap -p 443 (scans the whole Internet for hosts with port 443 open)
  zmap -N 5 -B 10M -p 80 -o - (find 5 HTTP servers, scanning at 10 Mb/s)
  zmap -p 80 10.0.0.0/8 192.168.0.0/16 -o (scan 10.0.0.0/8 and 192.168.0.0/16 on port 80)
  zmap -p 80 192.168.1.2 192.168.1.3 (scan 192.168.1.2 and 192.168.1.3 on port 80)
selected probe-module (tcp_synscan) help
Probe module that sends a TCP SYN packet to a specific port. Possible classifications are: synack and rst. A SYN-ACK packet is considered a success and a reset packet is considered a failed response.
selected output-module (csv) help
no help text available
Test
root@kali:~/tmp/zmap# zmap -p 80 203.216.235.0/24 -o a.txt --summary
Oct 29 11:06:50.660 [WARN] blacklist: ZMap is currently using the default blacklist located at /etc/zmap/blacklist.conf. By default, this blacklist excludes locally scoped networks (e.g. 10.0.0.0/8, 127.0.0.1/8, and 192.168.0.0/16). If you are trying to scan local networks, you can change the default blacklist by editing the default ZMap configuration at /etc/zmap/zmap.conf.
Oct 29 11:06:50.661 [INFO] zmap: started
 0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hits: 0.00%
 0:01 13%; send: 256 done (13.2 Kp/s avg); recv: 100 99 p/s (98 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:02 25%; send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (49 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:03 38%; send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (33 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:04 50%; send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (24 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:05 63% (3s left); send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (19 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:06 75% (2s left); send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (16 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:07 87% (1s left); send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (14 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
 0:08 100% (0s left); send: 256 done (13.2 Kp/s avg); recv: 100 0 p/s (12 p/s avg); drops: 0 p/s (0 p/s avg); hits: 39.06%
cnf target-port 80
cnf source-port-range-begin 32768
cnf source-port-range-end 61000
cnf source-addr-range-begin 192.168.60.128
cnf source-addr-range-end 192.168.60.128
cnf maximum-targets 4294967295
cnf maximum-runtime 0
cnf maximum-results 4294967295
cnf permutation-seed 0
cnf cooldown-period 8
cnf send-interface eth0
cnf rate 0
cnf bandwidth 0
env nprocessors 1
exc send-start-time Tue Oct 29 11:06:50 2013
exc send-end-time Tue Oct 29 11:06:50 2013
exc recv-start-time Tue Oct 29 11:06:50 2013
exc recv-end-time Tue Oct 29 11:06:58 2013
exc sent 256
exc blacklisted 65390
exc first-scanned 887871691
exc hit-rate 39.062500
exc success-total 217
exc success-unique 100
exc success-cooldown-total 213
exc success-cooldown-unique 96
exc failure-total 0
exc sendto-failures 0
adv permutation-gen 58498
exc scan-type tcp_synscan
Oct 29 11:06:59.718 [INFO] zmap: completed
root@kali:~/tmp/zmap# wc a.txt
100 100 1562 a.txt
root@kali:~/tmp/zmap# head a.txt
203.216.235.9
203.216.235.179
203.216.235.133
203.216.235.191
203.216.235.115
203.216.235.134
203.216.235.10
203.216.235.202
203.216.235.197
203.216.235.199
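An added example, not from the original page or the ZMap project: a Python check that parses the `--summary` records from the test run above and reconciles them with the line count of the output file. The one-record-per-line layout, the relation hit-rate = success-unique / sent (inferred from this run, 100 / 256 = 39.0625), and the function names are assumptions.

```python
# Added example: reconcile a ZMap --summary block with the result file.
# SUMMARY is constructed from the values printed in the test run on this page;
# one "section key value" record per line is an assumed layout.
SUMMARY = """\
cnf target-port 80
cnf cooldown-period 8
exc send-start-time Tue Oct 29 11:06:50 2013
exc sent 256
exc hit-rate 39.062500
exc success-total 217
exc success-unique 100
exc success-cooldown-total 213
exc success-cooldown-unique 96
exc failure-total 0
exc sendto-failures 0
exc scan-type tcp_synscan
"""
SECTIONS = ("cnf", "env", "exc", "adv")

def parse_summary(text):
    """Return {(section, key): value}; values may contain spaces (timestamps)."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in SECTIONS:
            fields[(parts[0], parts[1])] = parts[2].strip()
    return fields

def duplicate_responses(fields):
    """Responses beyond the first per host (success-total minus success-unique)."""
    return int(fields[("exc", "success-total")]) - int(fields[("exc", "success-unique")])

def check_summary(fields, result_lines):
    """Return a list of inconsistencies; an empty list means the run reconciles."""
    def num(key):
        return float(fields[("exc", key)])
    sent, unique = num("sent"), num("success-unique")
    problems = []
    if sent and abs(unique / sent * 100 - num("hit-rate")) > 0.01:
        problems.append("hit-rate != success-unique / sent")
    if unique > num("success-total") or num("success-cooldown-unique") > unique:
        problems.append("unique counters exceed their totals")
    if num("sendto-failures") > 0:
        problems.append("some probes failed to send; coverage is incomplete")
    if result_lines != int(unique):
        problems.append(f"output has {result_lines} lines, summary says {int(unique)}")
    return problems

if __name__ == "__main__":
    parsed = parse_summary(SUMMARY)
    print(check_summary(parsed, result_lines=100), duplicate_responses(parsed))
```

In this run 217 responses came from 100 distinct hosts, so the output file's 100 lines match `success-unique` rather than `success-total`.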
Related items