ZMap (software) explained

ZMap
Author:University of Michigan[1]
Developer:The ZMap Team
Latest Release Version:3.0.0
Programming Language:C
Operating System:Cross-platform
Language:English
Genre:computer security, network management
License:Apache License 2.0[2]

ZMap is a free and open-source security scanner that was developed as a faster alternative to Nmap. ZMap was designed for information security research and can be used for both white hat and black hat purposes. The tool is able to discover vulnerabilities and their impact, and detect affected IoT devices.

Using one gigabit per second of network bandwidth, ZMap can scan the entire IPv4 address space in 44 minutes on a single port.[3] With a ten gigabit connection, ZMap scan can complete a scan in under five minutes.[4]

Operation

ZMap iterates on techniques utilized by its predecessor, Nmap, by altering the scanning method in a few key areas. Nmap sends out individual signals to each IP address and waits for a reply. As replies return, Nmap compiles them into a database to keep track of responses, a process that slows down the scanning process. In contrast, ZMap uses cyclic multiplicative groups, which allows ZMap to scan the same space roughly 1,300 times faster than Nmap.[5] The ZMap software takes every number from 1 to 232-1 and creates an iterative formula that ensures that each of the possible 32-bit numbers is visited once in a pseudorandom order. Building the initial list of numbers for every IP address takes upfront time, but it is a fraction of what is required to aggregate a list of every sent and received probe. This process ensures that once ZMap starts sending probes out to different IPs, an accidental denial of service could not occur because an abundance of transmissions would not converge on one subnet at the same time.[6]

ZMap also speeds up the scanning process by sending a probe to every IP address only once by default, whereas Nmap resends a probe when it detects a connection delay or fails to get a reply.[7] This results in about 2% of IP addresses being missed during a typical scan, but when processing billions of IP address, or potential IoT devices being targeted by cyberattackers, 2% is an acceptable tolerance.

Usage

ZMap can be used for both vulnerability detection and exploitation.[8]

The application has been used for port 443 scans to estimate power outages during Hurricane Sandy in 2013. One of the developers of ZMap, Zakir Durumeric, used his software to determine a computer's online state, vulnerabilities, operating system, and services.[9] [10] ZMap has also been used to detect vulnerabilities in universal plug and play devices and search for weak public keys in HTTPS website logs.[11]

See also

External links

Notes and References

  1. Web site: About the Project. The ZMap Project. 10 Aug 2018.
  2. Web site: GitHub - zmap/zmap. GitHub. 2 Jul 2018. 10 Aug 2018.
  3. Web site: Welcome to Zmap, the "one hour turnaround" internet scanner.. Ducklin. Paul. 20 Aug 2013. Sophos. 10 Aug 2018.
  4. Adrian. David. 2014. Zippier ZMap: Internet-Wide Scanning at 10 Gbps. USENIX Workshop on Offensive Technologies.
  5. Book: De Santis, Giulia . Modeling and Recognizing Network Scanning Activities with Finite Mixture Models and Hidden Markov Models . Université de Lorraine . 2018.
  6. Web site: Now You Can Scan the Entire Internet in Under an Hour. Berko. Lex. Motherboard. 19 Aug 2013. 10 Aug 2018.
  7. Book: 10.1109/NTMS.2016.7792461. 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS). Modeling of IP Scanning Activities with Hidden Markov Models: Darknet Case Study. 1–5. 2016. De Santis. Giulia. Lahmadi. Abdelkader. Francois. Jerome. Festor. Olivier. 978-1-5090-2914-3. 12786563.
  8. Book: 10.1145/2810103.2813703. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15. A Search Engine Backed by Internet-Wide Scanning. 542–553. 2015. Durumeric. Zakir. Adrian. David. Mirian. Ariana. Bailey. Michael. Halderman. J. Alex. 9781450338325. 9808635.
  9. Book: 10.1109/ICTC.2016.7763561. Implementation and vulnerability test of stealth port scanning attacks using ZMap of censys engine. 2016 International Conference on Information and Communication Technology Convergence (ICTC). 681–683. 2016. Lee. Seungwoon. Im. Sun-Young. Shin. Seung-Hun. Roh. Byeong-hee. Lee. Cheolho. 978-1-5090-1325-8. 13876287.
  10. De Santis . Giulia . Lahmadi . Abdelkader . François . Jérôme . Festor . Olivier . Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models . 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS) . IEEE . 1–5.
  11. Book: 10.1109/EIConRus.2017.7910503. Analysis of current internet wide scan effectiveness. 2017 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EICon Rus). 96–99. 2017. Arzhakov. Anton V. Babalova. Irina F. 978-1-5090-4865-6. 44797603.