  • linux zmap

    https://github.com/zmap/zmap

    ZMap is a fast single packet network scanner designed for Internet-wide network surveys. On a typical desktop computer with a gigabit Ethernet connection, ZMap is capable of scanning the entire public IPv4 address space in under 45 minutes. With a 10gigE connection and PF_RING, ZMap can scan the IPv4 address space in under 5 minutes.

    ZMap operates on GNU/Linux, Mac OS, and BSD. ZMap currently has fully implemented probe modules for TCP SYN scans, ICMP, DNS queries, UPnP, BACNET, and can send a large number of UDP probes. If you are looking to do more involved scans, e.g., banner grab or TLS handshake, take a look at ZGrab, ZMap's sister project that performs stateful application-layer handshakes.

    Installation

    The latest stable release of ZMap is version 2.1.1 and supports Linux, macOS, and BSD. We recommend installing ZMap from HEAD rather than using a distro package manager.

    Instructions on building ZMap from source can be found in INSTALL.

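    ZMap

    ZMap uses a stateless scanning technique: it does not complete the full TCP three-way handshake, which greatly increases scan speed. ZMap's basic function is to scan for and discover open ports on hosts.

    • Set the number of targets to scan and the scan duration.

    • Set the scan rate. ZMap scans at the fastest rate the network adapter supports and does not automatically adjust its send rate to the upstream provider, so the rate must be tuned manually to reduce packet loss and incorrect results. It can be adjusted by setting either the number of packets sent per second or the bandwidth.

    • Set the scan's source port and source IP, and forge the gateway MAC address as a disguise.

    • Results are output in CSV format by default; with additional configuration, output to Redis and JSON is possible. Users can also write their own output modules with the official API.

    • Scan modes: three modes are supported, TCP SYN, ICMP echo, and UDP. Users can also write their own probe modules with the official API.

    • Banner grabbing: ZMap does not provide banner grabbing directly; an extension module has to be written, though the developers have already provided a sample. See later in this article for details.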

    On RHEL- and Fedora-based systems (including CentOS):

    sudo yum install cmake gmp-devel gengetopt libpcap-devel flex byacc json-c-devel libunistring-devel

    Building and Installing ZMap

    Once these prerequisites are installed, ZMap can be compiled by running:

    cmake .
    make -j4

    and then installed via sudo make install.

    [root@ src]# make -j4
    [ 1%] Generating zbopt.h
    [ 2%] make[2]: gengetopt: Command not found
    make[2]: *** [zbopt.h] Error 127
     

    The build reports that gengetopt cannot be found.
    Locate the gengetopt download location (link).
    Here I chose the latest version:
    wget ftp://ftp.gnu.org/gnu/gengetopt/gengetopt-2.22.6.tar.gz
    tar -zvxf gengetopt-2.22.6.tar.gz
    cd gengetopt-2.22.6
    ./configure
    make
    make install

    If make reports "g++: command not found", install the compilers:
    yum -y install gcc gcc-c++
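
    Both failures above (gengetopt and g++ not found) only surface partway through make. The preflight below is an added example, not part of the original post: it checks for the build tools first and names the yum package for each missing one. The function names are hypothetical, and the tool list is an assumption based on the commands shown on this page.

```sh
#!/bin/sh
# Added example (not from the original post): find missing build tools
# before running `cmake . && make`, and name the yum package for each.

# Map a tool name to the RHEL/CentOS package that provides it.
pkg_for() {
    case "$1" in
        g++) echo gcc-c++ ;;   # the one tool whose package name differs
        *)   echo "$1" ;;      # cmake, make, gengetopt, flex, byacc, gcc
    esac
}

# Print one "tool package" line for every tool that is not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool $(pkg_for "$tool")"
    done
}

# Return 0 when every tool is present; otherwise print install hints
# to stderr and return 1 so the build can be skipped.
preflight() {
    missing=$(missing_tools "$@")
    [ -z "$missing" ] && return 0
    echo "missing build tools:" >&2
    echo "$missing" | while read -r tool pkg; do
        echo "  $tool  (yum -y install $pkg)" >&2
    done
    return 1
}

# Typical use in the ZMap source directory (tool list is an assumption):
#   preflight cmake make gengetopt flex byacc gcc g++ && cmake . && make -j4
```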

     
    git clone https://github.com/zmap/zmap
    cd zmap/
    cmake .
    make -j4
    make install

    [root@ zmap-master]# zmap -h
    zmap Development Build. Commit UNKNOWN

    A fast Internet-wide scanner.

    Usage: zmap [OPTIONS]... [SUBNETS]...

    Basic arguments:
    -p, --target-port=port port number to scan (for TCP and UDP scans)
    -o, --output-file=name Output file
    -b, --blocklist-file=path File of subnets to exclude, in CIDR notation,
    e.g. 192.168.0.0/16
    -w, --allowlist-file=path File of subnets to constrain scan to, in CIDR
    notation, e.g. 192.168.0.0/16
    -I, --list-of-ips-file=path List of individual addresses to scan in random
    order. Use --white-list file unless >1
    million IPs

    Scan options:
    -r, --rate=pps Set send rate in packets/sec
    -B, --bandwidth=bps Set send rate in bits/second (supports suffixes
    G, M and K)
    --batch=pps Set the number of packets to send per iteration
    -n, --max-targets=n Cap number of targets to probe (as a number or
    a percentage of the address space)
    -t, --max-runtime=secs Cap length of time for sending packets
    -N, --max-results=n Cap number of results to return
    -P, --probes=n Number of probes to send to each IP
    (default=`1')
    -c, --cooldown-time=secs How long to continue receiving after sending
    last probe (default=`8')
    -e, --seed=n Seed used to select address permutation
    --retries=n Max number of times to try to send packet if
    send fails (default=`10')
    -d, --dryrun Don't actually send packets
    --shards=N Set the total number of shards (default=`1')
    --shard=n Set which shard this scan is (0 indexed)
    (default=`0')

    Network options:
    -s, --source-port=port|range Source port(s) for scan packets
    -S, --source-ip=ip|range Source address(es) for scan packets
    -G, --gateway-mac=addr Specify gateway MAC address
    --source-mac=addr Source MAC address
    -i, --interface=name Specify network interface to use
    -X, --iplayer Sends IP packets instead of Ethernet (for VPNs)

    Probe Modules:
    -M, --probe-module=name Select probe module (default=`tcp_synscan')
    --probe-args=args Arguments to pass to probe module
    --probe-ttl=n Set TTL value for probe IP packets
    (default=`255')
    --list-probe-modules List available probe modules

    Data Output:
    -f, --output-fields=fields Fields that should be output in result set
    -O, --output-module=name Select output module (default=`default')
    --output-args=args Arguments to pass to output module
    --output-filter=filter Specify a filter over the response fields to
    limit what responses get sent to the output
    module
    --list-output-modules List available output modules
    --list-output-fields List all fields that can be output by selected
    probe module

    Logging and Metadata:
    -v, --verbosity=n Level of log detail (0-5) (default=`3')
    -l, --log-file=name Write log entries to file
    -L, --log-directory=directory Write log entries to a timestamped file in this
    directory
    -m, --metadata-file=name Output file for scan metadata (JSON)
    -u, --status-updates-file=name
    Write scan progress updates to CSV file
    -q, --quiet Do not print status updates
    --disable-syslog Disables logging messages to syslog
    --notes=notes Inject user-specified notes into scan metadata
    --user-metadata=json Inject user-specified JSON metadata into scan
    metadata

    Additional options:
    -C, --config=filename Read a configuration file, which can specify
    any of these options
    (default=`/etc/zmap/zmap.conf')
    --max-sendto-failures=n Maximum NIC sendto failures before scan is
    aborted (default=`-1')
    --min-hitrate=n Minimum hitrate that scan can hit before scan
    is aborted (default=`0.0')
    -T, --sender-threads=n Threads used to send packets (default=`1')
    --cores=STRING Comma-separated list of cores to pin to
    --ignore-invalid-hosts Deprecated; use --ignore-blocklist-errors
    instead
    --ignore-blocklist-errors Ignore invalid entries in allowlist/blocklist
    file. Equivalent to --ignore-invalid-hosts
    -h, --help Print help and exit
    -V, --version Print version and exit

    Examples:
    zmap -p 80 (scan the Internet for hosts on tcp/80 and output to stdout)
    zmap -N 5 -B 10M -p 80 (find 5 HTTP servers, scanning at 10 Mb/s)
    zmap -p 80 10.0.0.0/8 192.168.0.0/16 -o (scan both subnets on tcp/80)
    zmap -p 80 1.2.3.4 10.0.0.3 (scan 1.2.3.4, 10.0.0.3 on tcp/80)

    Probe-module (tcp_synscan) Help:
    Probe module that sends a TCP SYN packet to a specific port. Possible
    classifications are: synack and rst. A SYN-ACK packet is considered a success
    and a reset packet is considered a failed response.

    Output-module (csv) Help:
    By default, ZMap prints out unique, successful IP addresses (e.g., SYN-ACK from
    a TCP SYN scan) in ASCII form (e.g., 192.168.1.5) to stdout or the specified
    output file. Internally this is handled by the "csv" output module and is
    equivalent to running zmap --output-module=csv --output-fields=saddr
    --output-filter="success = 1 && repeat = 0".
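
    The default selection described in the csv module help above ("success = 1 && repeat = 0" over saddr) can be reproduced offline on a CSV that kept every response, which makes it easy to compare responders against an asset inventory. This is an added example, not part of the original post or the ZMap project; the function names and all sample data are constructed, and it assumes the CSV has a header row containing the saddr, success and repeat fields.

```sh
#!/bin/sh
# Added example, not from the original post. Sample data is constructed
# and uses documentation addresses (192.0.2.0/24).

# Print each saddr once for rows matching "success = 1 && repeat = 0".
# Columns are found by header name, so the -f field order does not matter.
open_hosts() {   # $1 = ZMap CSV with a header row
    awk -F, '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!col["saddr"] || !col["success"] || !col["repeat"]) {
                print "CSV lacks saddr/success/repeat" > "/dev/stderr"
                exit 2
            }
            next
        }
        $(col["success"]) == 1 && $(col["repeat"]) == 0 &&
            !seen[$(col["saddr"])]++ { print $(col["saddr"]) }
    ' "$1"
}

# Print responders that are absent from the inventory (one IP per line).
unexpected_hosts() {   # $1 = ZMap CSV, $2 = inventory file
    [ -r "$2" ] || { echo "inventory not readable: $2" >&2; return 2; }
    hosts=$(open_hosts "$1") || return 2
    printf '%s\n' "$hosts" | awk -v inv="$2" '
        BEGIN { while ((getline line < inv) > 0) known[line] = 1 }
        NF && !($0 in known)'
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed scan rows: a SYN-ACK, a RST, a repeat, an unknown host.
    printf '%s\n' 'saddr,classification,success,repeat' \
        '192.0.2.10,synack,1,0' \
        '192.0.2.11,rst,0,0' \
        '192.0.2.10,synack,1,1' \
        '192.0.2.23,synack,1,0' > "$dir/scan.csv"
    # Hosts expected to answer on the scanned port (constructed).
    printf '%s\n' 192.0.2.10 192.0.2.40 > "$dir/inventory.txt"
    unexpected_hosts "$dir/scan.csv" "$dir/inventory.txt"
    rm -rf "$dir"
}

demo    # prints 192.0.2.23
```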

  • Original article: https://www.cnblogs.com/youxin/p/14347092.html