308 lines
16 KiB
HTML
308 lines
16 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv='content-type' value='text/html;charset=utf8'>
|
|
<meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
|
|
<title>zmap(1) - The Fast Internet Scanner</title>
|
|
<style type='text/css' media='all'>
|
|
/* style: man */
|
|
body#manpage {margin:0}
|
|
.mp {max-width:100ex;padding:0 9ex 1ex 4ex}
|
|
.mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
|
|
.mp h2 {margin:10px 0 0 0}
|
|
.mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
|
|
.mp h3 {margin:0 0 0 4ex}
|
|
.mp dt {margin:0;clear:left}
|
|
.mp dt.flush {float:left;width:8ex}
|
|
.mp dd {margin:0 0 0 9ex}
|
|
.mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
|
|
.mp pre {margin-bottom:20px}
|
|
.mp pre+h2,.mp pre+h3 {margin-top:22px}
|
|
.mp h2+pre,.mp h3+pre {margin-top:5px}
|
|
.mp img {display:block;margin:auto}
|
|
.mp h1.man-title {display:none}
|
|
.mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
|
|
.mp h2 {font-size:16px;line-height:1.25}
|
|
.mp h1 {font-size:20px;line-height:2}
|
|
.mp {text-align:justify;background:#fff}
|
|
.mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
|
|
.mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
|
|
.mp u {text-decoration:underline}
|
|
.mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
|
|
.mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
|
|
.mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
|
|
.mp b.man-ref {font-weight:normal;color:#434241}
|
|
.mp pre {padding:0 4ex}
|
|
.mp pre code {font-weight:normal;color:#434241}
|
|
.mp h2+pre,h3+pre {padding-left:0}
|
|
ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
|
|
ol.man-decor {width:100%}
|
|
ol.man-decor li.tl {text-align:left}
|
|
ol.man-decor li.tc {text-align:center;letter-spacing:4px}
|
|
ol.man-decor li.tr {text-align:right;float:right}
|
|
</style>
|
|
</head>
|
|
<!--
|
|
The following styles are deprecated and will be removed at some point:
|
|
div#man, div#man ol.man, div#man ol.head, div#man ol.man.
|
|
|
|
The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
|
|
.man-navigation should be used instead.
|
|
-->
|
|
<body id='manpage'>
|
|
<div class='mp' id='man'>
|
|
|
|
<div class='man-navigation' style='display:none'>
|
|
<a href="#NAME">NAME</a>
|
|
<a href="#SYNOPSIS">SYNOPSIS</a>
|
|
<a href="#DESCRIPTION">DESCRIPTION</a>
|
|
<a href="#OPTIONS">OPTIONS</a>
|
|
</div>
|
|
|
|
<ol class='man-decor man-head man head'>
|
|
<li class='tl'>zmap(1)</li>
|
|
<li class='tc'>zmap</li>
|
|
<li class='tr'>zmap(1)</li>
|
|
</ol>
|
|
|
|
<h2 id="NAME">NAME</h2>
|
|
<p class="man-name">
|
|
<code>zmap</code> - <span class="man-whatis">The Fast Internet Scanner</span>
|
|
</p>
|
|
|
|
<h2 id="SYNOPSIS">SYNOPSIS</h2>
|
|
|
|
<p>zmap [ -p <port(s)> ] [ -o <outfile> ] [ OPTIONS... ] [ ip/hostname/range ]</p>
|
|
|
|
<h2 id="DESCRIPTION">DESCRIPTION</h2>
|
|
|
|
<p><em>ZMap</em> is a network tool for scanning the entire IPv4 address space (or large
|
|
samples). ZMap is capable of scanning the entire Internet in around 45 minutes
|
|
on a gigabit network connection, reaching ~98% theoretical line speed.</p>
|
|
|
|
<h2 id="OPTIONS">OPTIONS</h2>
|
|
|
|
<h3 id="BASIC-OPTIONS">BASIC OPTIONS</h3>
|
|
|
|
<dl>
|
|
<dt> <code>ip</code>/<code>hostname</code>/<code>range</code></dt><dd><p> IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR block
|
|
notation. Defaults to 0.0.0/8</p></dd>
|
|
<dt> <code>-p</code>, <code>--target-ports=port(s)</code></dt><dd><p> List of TCP/UDP ports and/or port ranges to scan (e.g., 80,443,100-105).
|
|
Use '*' to scan all ports, including port 0.</p></dd>
|
|
<dt> <code>-o</code>, <code>--output-file=name</code></dt><dd><p> When using an output module that uses a file, write results to this file.
|
|
Use - for stdout.</p></dd>
|
|
<dt> <code>-b</code>, <code>--blocklist-file=path</code></dt><dd><p> File of subnets to exclude, in CIDR notation, one-per line. It is
|
|
recommended you use this to exclude RFC 1918 addresses, multicast, IANA
|
|
reserved space, and other IANA special-purpose addresses. An example
|
|
blocklist file <strong>blocklist.conf</strong> for this purpose.</p></dd>
|
|
<dt> <code>-w</code>, <code>--allowlist-file=path</code></dt><dd><p>File of subnets to scan, in CIDR notation, one-per line. Specifying a
|
|
allowlist file is equivalent to specifying to ranges directly on the command
|
|
line interface, but allows specifying a large number of subnets. Note:
|
|
if you are specifying a large number of individual IP addresses (more than
|
|
10 million), you should instead use <code>--list-of-ips-file</code>.</p></dd>
|
|
<dt> <code>-I</code>, <code>--list-of-ips-file=path</code></dt><dd><p>File of individual IP addresses to scan, one-per line. This feature allows you
|
|
to scan a large number of unrelated addresses. If you have a small number of IPs,
|
|
it is faster to specify these on the command
|
|
line or by using <code>--allowlist-file</code>. This should only be used when scanning more than
|
|
10 million addresses. When used in with --allowlist-path, only hosts in the intersection
|
|
of both sets will be scanned. Hosts specified here, but included in the blocklist will
|
|
be excluded.</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="SCAN-OPTIONS">SCAN OPTIONS</h3>
|
|
|
|
<dl>
|
|
<dt> <code>-r</code>, <code>--rate=pps</code></dt><dd><p> Set the send rate in packets/sec. Note: when combined with --probes, this is
|
|
total packets per second, not IPs per second. Setting the rate to 0 will scan
|
|
at full line rate. Default: 10000 pps.</p></dd>
|
|
<dt> <code>-B</code>, <code>--bandwidth=bps</code></dt><dd><p> Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B
|
|
10M for 10 mbps). This overrides the --rate flag.</p></dd>
|
|
<dt> <code>-n</code>, <code>--max-targets=n</code></dt><dd><p> Cap the number of targets to probe. This can either be a number (e.g. -n
|
|
1000) or a percentage (e.g. -n 0.1%) of the scannable address space
|
|
(after excluding blocklist)</p></dd>
|
|
<dt> <code>-N</code>, <code>--max-results=n</code></dt><dd><p> Exit after receiving this many results</p></dd>
|
|
<dt> <code>-t</code>, <code>--max-runtime=secs</code></dt><dd><p> Cap the length of time for sending packets</p></dd>
|
|
<dt> <code>-c</code>, <code>--cooldown-time=secs</code></dt><dd><p> How long to continue receiving after sending has completed (default=8)</p></dd>
|
|
<dt> <code>-e</code>, <code>--seed=n</code></dt><dd><p> Seed used to select address permutation. Use this if you want to scan
|
|
addresses in the same order for multiple ZMap runs.</p></dd>
|
|
<dt> <code>-P</code>, <code>--probes=n</code></dt><dd><p> Number of probes to send to each IP/Port pair (default=1). Since ZMap composes Ethernet
|
|
frames directly, probes can be lost en-route to destination. Increasing the
|
|
--probes increases the chance that an online host will receive a probe in an
|
|
unreliable network. This is contrasted with <code>--retries</code> which just gives the
|
|
number of attempts to send a single probe on the source NIC.</p></dd>
|
|
<dt> <code>--retries=n</code></dt><dd><p> Number of times to try resending a packet if the sendto call fails (default=10)</p></dd>
|
|
<dt> <code>--batch=n</code></dt><dd><p> Number of packets to batch before calling the appropriate syscall to send. Used
|
|
to take advantage of Linux's <code>sendmmsg</code> syscall to send the entire batch at once.
|
|
Only available on Linux, other OS's will send each packet individually. (default=64)</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="SCAN-SHARDING">SCAN SHARDING</h3>
|
|
|
|
<dl>
|
|
<dt> <code>--shards=N</code></dt><dd><p> Split the scan up into N shards/partitions among different instances of
|
|
zmap (default=1). When sharding, <strong>--seed</strong> is required.</p></dd>
|
|
<dt> <code>--shard=n</code></dt><dd><p> Set which shard to scan (default=0). Shards are 0-indexed in the range
|
|
[0, N), where N is the total number of shards. When sharding
|
|
<strong>--seed</strong> is required.</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="NETWORK-OPTIONS">NETWORK OPTIONS</h3>
|
|
|
|
<dl>
|
|
<dt> <code>-s</code>, <code>--source-port=port|range</code></dt><dd><p> Source port(s) to send packets from</p></dd>
|
|
<dt> <code>-S</code>, <code>--source-ip=ip|range</code></dt><dd><p> Source address(es) to send packets from. Either single IP or range (e.g.
|
|
10.0.0.1-10.0.0.9)</p></dd>
|
|
<dt> <code>-G</code>, <code>--gateway-mac=addr</code></dt><dd><p> Gateway MAC address to send packets to (in case auto-detection fails)</p></dd>
|
|
<dt> <code>--source-mac=addr</code></dt><dd><p> Source MAC address to send packets from (in case auto-detection fails)</p></dd>
|
|
<dt> <code>-i</code>, <code>--interface=name</code></dt><dd><p> Network interface to use</p></dd>
|
|
<dt> <code>-X</code>, <code>--iplayer</code></dt><dd><p> Send IP layer packets instead of ethernet packets (for non-Ethernet interface)</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="PROBE-OPTIONS">PROBE OPTIONS</h3>
|
|
|
|
<p>ZMap allows users to specify and write their own probe modules. Probe modules
|
|
are responsible for generating probe packets to send, and processing responses
|
|
from hosts.</p>
|
|
|
|
<dl>
|
|
<dt> <code>--list-probe-modules</code></dt><dd><p> List available probe modules (e.g. tcp_synscan)</p></dd>
|
|
<dt> <code>-M</code>, <code>--probe-module=name</code></dt><dd><p> Select probe module (default=tcp_synscan)</p></dd>
|
|
<dt> <code>--probe-args=args</code></dt><dd><p> Arguments to pass to probe module</p></dd>
|
|
<dt> <code>--probe-ttl=hops</code></dt><dd><p> Set TTL value for probe IP packets</p></dd>
|
|
<dt> <code>--list-output-fields</code></dt><dd><p> List the fields the selected probe module can send to the output module</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="OUTPUT-OPTIONS">OUTPUT OPTIONS</h3>
|
|
|
|
<p>ZMap allows users to specify and write their own output modules for use with
|
|
ZMap. Output modules are responsible for processing the fieldsets returned by
|
|
the probe module, and outputting them to the user. Users can specify output
|
|
fields, and write filters over the output fields.</p>
|
|
|
|
<dl>
|
|
<dt> <code>--list-output-modules</code></dt><dd><p> List available output modules (e.g. csv)</p></dd>
|
|
<dt> <code>-O</code>, <code>--output-module=name</code></dt><dd><p> Select output module (default=csv)</p></dd>
|
|
<dt> <code>--output-args=args</code></dt><dd><p> Arguments to pass to output module</p></dd>
|
|
<dt> <code>-f</code>, <code>--output-fields=fields</code></dt><dd><p> Comma-separated list of fields to output</p></dd>
|
|
<dt> <code>--output-filter</code></dt><dd><p> Specify an output filter over the fields defined by the probe module. See
|
|
the output filter section for more details.</p></dd>
|
|
<dt> <code>--no-header-row</code></dt><dd><p> Excludes any header rows (e.g., CSV header fields) from ZMap output. This is
|
|
useful if you're piping results into another application that expects only
|
|
data.</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="RESPONSE-DEDUPLICATION">RESPONSE DEDUPLICATION</h3>
|
|
|
|
<p>Hosts will oftentimes send multiple responses to a probe (either because the
|
|
scanner doesn't send back a RST packet or because the host has a misimplemented
|
|
TCP stack. To address this, ZMap will attempt to deduplicate responsive (ip,port)
|
|
targets.</p>
|
|
|
|
<dl>
|
|
<dt> <code>--dedup-method</code></dt><dd><p> Specifies the method ZMap will use to deduplicate responses. Options are:
|
|
full, window, and none. Full deduplication uses a 32-bit bitmap and
|
|
guarantees that no duplicates will be emitted. However, full-deduplication
|
|
requires around 500MB of memory for a single port. We do not support full
|
|
deduplication for multiple ports. Window uses a sliding window of a the last
|
|
(user-defined) number of responses as set by --dedup-window-size. None will
|
|
prevent any deduplication.</p></dd>
|
|
<dt> <code>--dedup-window-size=targets</code></dt><dd><p> Specifies the size of the sliding window of last n target responses to be
|
|
used for deduplication. Only applicable if using window deduplication.</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="LOGGING-AND-METADATA-OPTIONS">LOGGING AND METADATA OPTIONS</h3>
|
|
|
|
<dl>
|
|
<dt> <code>-q</code>, <code>--quiet</code></dt><dd><p> Do not print status updates once per second</p></dd>
|
|
<dt> <code>-v</code>, <code>--verbosity=n</code></dt><dd><p> Level of log detail (0-5, default=3)</p></dd>
|
|
<dt> <code>-l</code>, <code>--log-file=filename</code></dt><dd><p> Output file for log messages. By default, stderr.</p></dd>
|
|
<dt> <code>-m</code>, <code>--metadata-file=filename</code></dt><dd><p> Output file for scan metadata (JSON)</p></dd>
|
|
<dt> <code>-L</code>, <code>--log-directory</code></dt><dd><p> Write log entries to a timestamped file in this directory</p></dd>
|
|
<dt> <code>-u</code>, <code>--status-updates-file</code></dt><dd><p> Write scan progress updates to CSV file"</p></dd>
|
|
<dt> <code>--disable-syslog</code></dt><dd><p> Disables logging messages to syslog</p></dd>
|
|
<dt> <code>--notes</code></dt><dd><p> Inject user-specified notes into scan metadata</p></dd>
|
|
<dt> <code>--user-metadata</code></dt><dd><p> Inject user-specified JSON metadata into scan metadata</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="ADDITIONAL-OPTIONS">ADDITIONAL OPTIONS</h3>
|
|
|
|
<dl>
|
|
<dt> <code>-T</code>, <code>--sender-threads=n</code></dt><dd><p> Threads used to send packets. ZMap will attempt to detect the optimal
|
|
number of send threads based on the number of processor cores. Defaults to
|
|
min(4, number of processor cores on host - 1).</p></dd>
|
|
<dt> <code>-C</code>, <code>--config=filename</code></dt><dd><p> Read a configuration file, which can specify any other options.</p></dd>
|
|
<dt> <code>-d</code>, <code>--dryrun</code></dt><dd><p> Print out each packet to stdout instead of sending it (useful for
|
|
debugging)</p></dd>
|
|
<dt> <code>--max-sendto-failures</code></dt><dd><p> Maximum NIC sendto failures before scan is aborted</p></dd>
|
|
<dt> <code>--min-hitrate</code></dt><dd><p> Minimum hitrate that scan can hit before scan is aborted</p></dd>
|
|
<dt> <code>--cores</code></dt><dd><p> Comma-separated list of cores to pin to</p></dd>
|
|
<dt> <code>--ignore-blocklist-errors</code></dt><dd><p> Ignore invalid, malformed, or unresolvable entries in allowlist/blocklist file.
|
|
Replaces the pre-v3.x <code>--ignore-invalid-hosts</code> option.</p></dd>
|
|
<dt> <code>-h</code>, <code>--help</code></dt><dd><p> Print help and exit</p></dd>
|
|
<dt> <code>-V</code>, <code>--version</code></dt><dd><p> Print version and exit</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="OUTPUT-FILTERS">OUTPUT FILTERS</h3>
|
|
|
|
<p>Results generated by a probe module can be filtered before being passed to the
|
|
output module. Filters are defined over the output fields of a probe module.
|
|
Filters are written in a simple filtering language, similar to SQL, and are
|
|
passed to ZMap using the <code>--output-filter</code> option. Output filters are commonly
|
|
used to filter out duplicate results, or to only pass only successful responses
|
|
to the output module.</p>
|
|
|
|
<p>Filter expressions are of the form <code><fieldname> <operation> <value></code>. The type of
|
|
<code><value></code> must be either a string or unsigned integer literal, and match the type
|
|
of <code><fieldname></code>. The valid operations for integer comparisons are = !=, <var>, </var>,
|
|
<var>=, </var>=. The operations for string comparisons are =, !=. The
|
|
<code>--list-output-fields</code> flag will print what fields and types are available for
|
|
the selected probe module, and then exit.</p>
|
|
|
|
<p>Compound filter expressions may be constructed by combining filter expressions
|
|
using parenthesis to specify order of operations, the && (logical AND) and ||
|
|
(logical OR) operators.</p>
|
|
|
|
<p>For example, a filter for only successful, non-duplicate responses would be
|
|
written as: <code>--output-filter="success = 1 && repeat = 0"</code></p>
|
|
|
|
<h3 id="UDP-PROBE-MODULE-OPTIONS">UDP PROBE MODULE OPTIONS</h3>
|
|
|
|
<p>These arguments are all passed using the <code>--probe-args=args</code> option. Only one
|
|
argument may be passed at a time.</p>
|
|
|
|
<dl>
|
|
<dt> <code>file:/path/to/file</code></dt><dd><p> Path to payload file to send to each host over UDP.</p></dd>
|
|
<dt> <code>template:/path/to/template</code></dt><dd><p> Path to template file. For each destination host, the template file is
|
|
populated, set as the UDP payload, and sent.</p></dd>
|
|
<dt> <code>text:<text></code></dt><dd><p> ASCII text to send to each destination host</p></dd>
|
|
<dt> <code>hex:<hex></code></dt><dd><p>Hex-encoded binary to send to each destination host</p></dd>
|
|
<dt> <code>template-fields</code></dt><dd><p> Print information about the allowed template fields and exit.</p></dd>
|
|
</dl>
|
|
|
|
|
|
<h3 id="MID-SCAN-CHANGES">MID-SCAN CHANGES</h3>
|
|
|
|
<p>You can change the rate at which ZMap is scanning mid-scan by sending SIGUSR1 (increase)
|
|
and SIGUSR2 (decrease) signals to ZMap. These will result in the scan rate increasing or
|
|
decreasing by 5%.</p>
|
|
|
|
|
|
<ol class='man-decor man-foot man foot'>
|
|
<li class='tl'>ZMap</li>
|
|
<li class='tc'>December 2023</li>
|
|
<li class='tr'>zmap(1)</li>
|
|
</ol>
|
|
|
|
</div>
|
|
</body>
|
|
</html>
|