ZMap (software)

ZMap
Original author(s): University of Michigan [1]
Developer(s): The ZMap Team [1]
Initial release: August 16, 2013 [2]
Stable release: 3.0.0 / June 23, 2023 [2]
Repository: github.com/zmap/zmap
Written in: C [2]
Operating system: Cross-platform
Available in: English
Type: computer security, network management
License: Apache License 2.0 [2]
Website: zmap.io

ZMap is a free and open-source security scanner that was developed as a faster alternative to Nmap. ZMap was designed for information security research and can be used for both white hat and black hat purposes. The tool is able to discover vulnerabilities and their impact, and detect affected IoT devices.


Using one gigabit per second of network bandwidth, ZMap can scan the entire IPv4 address space on a single port in 44 minutes. [3] With a ten gigabit connection, ZMap can complete such a scan in under five minutes. [4]

Operation

[Figure: ZMap architecture]

ZMap iterates on techniques used by its predecessor, Nmap, by altering the scanning method in a few key areas. Nmap sends an individual probe to each IP address and waits for a reply. As replies return, Nmap compiles them into a database to keep track of responses, which slows down the scan. In contrast, ZMap uses cyclic multiplicative groups, which allows ZMap to scan the same space roughly 1,300 times faster than Nmap. [6] The ZMap software takes every number from 1 to 2^32 − 1 and builds an iterative formula that ensures each of the possible 32-bit numbers is visited exactly once, in a pseudorandom order. [3] Building the initial list of numbers for every IP address takes some upfront time, but it is a fraction of what is required to aggregate a list of every sent and received probe. This process ensures that once ZMap starts sending probes to different IPs, an accidental denial of service cannot occur, because a burst of transmissions will not converge on one subnet at the same time. [7]
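The cyclic-group walk described above, as an added worked example in Python. This is illustrative code written for this article, not ZMap's own implementation. It assumes a toy address space of 2^10 addresses with the prime p = 1031 (the smallest prime above 1024) so the whole cycle can be checked in a fraction of a second; the ZMap paper [5] uses p = 2^32 + 15, the smallest prime above the IPv4 address space, and the same functions accept that value. The names `prime_factors`, `is_primitive_root`, `find_primitive_root`, `group_walk`, `address_order` and `longest_run` are chosen here and do not exist in ZMap.

```python
"""Visit every address once, in pseudorandom order, by walking the
multiplicative group of integers modulo a prime p that is slightly larger
than the address space. Illustrative code, not ZMap's implementation."""
import random


def prime_factors(n: int) -> set[int]:
    """Distinct prime factors of n by trial division (adequate for the sizes used here)."""
    factors = set()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g: int, p: int) -> bool:
    """g generates all of (Z/pZ)* iff g^((p-1)/q) != 1 (mod p)
    for every prime q dividing p - 1."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def find_primitive_root(p: int, rng: random.Random) -> int:
    """Pick random candidates until one is a generator of the group."""
    while True:
        g = rng.randrange(2, p)
        if is_primitive_root(g, p):
            return g


def group_walk(p: int, g: int, start: int, limit: int) -> list[int]:
    """Multiply by the generator g repeatedly, starting at `start`, until the
    walk returns to `start`. Because g generates the whole group, that takes
    exactly p - 1 steps and visits every element of 1..p-1 once. Elements
    >= limit are outside the address space and are simply skipped."""
    out = []
    x = start
    while True:
        if x < limit:
            out.append(x)
        x = (x * g) % p
        if x == start:
            break
    return out


def address_order(limit: int, p: int, seed: int) -> list[int]:
    """Pseudorandom visiting order over addresses 1..limit-1 (address 0 is
    excluded), determined entirely by the seed: the same seed reproduces the
    same order, which is what makes the scan resumable without a list."""
    rng = random.Random(seed)
    g = find_primitive_root(p, rng)
    start = rng.randrange(1, p)
    return group_walk(p, g, start, limit)


def longest_run(order: list[int], prefix_bits: int, address_bits: int = 10) -> int:
    """Longest run of consecutive addresses sharing their top `prefix_bits`
    bits, i.e. landing in the same subnet. Small values mean consecutive
    probes are spread across subnets rather than converging on one."""
    shift = address_bits - prefix_bits
    best = run = 0
    prev = None
    for a in order:
        prefix = a >> shift
        run = run + 1 if prefix == prev else 1
        prev = prefix
        best = max(best, run)
    return best


if __name__ == "__main__":
    # Constructed toy parameters: 2^10 addresses, p = 1031.
    order = address_order(limit=1024, p=1031, seed=7)
    print("first ten addresses:", order[:10])
    print("every address visited once:", sorted(order) == list(range(1, 1024)))
    print("longest same-/4 run, group walk:", longest_run(order, 4))
    print("longest same-/4 run, sequential:", longest_run(list(range(1, 1024)), 4))
```

The sequential order visits 64 addresses of one /4-equivalent subnet back to back; the group walk scatters them, which is the property that keeps a full-speed scan from looking like a flood against any single network. Note that the walk skips the few group elements that lie above the address space, so for p = 2^32 + 15 only 14 of the roughly four billion steps are wasted.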

ZMap also speeds up the scanning process by sending a probe to each IP address only once by default, whereas Nmap resends a probe when it detects a connection delay or fails to get a reply. [8] This results in about 2% of IP addresses being missed during a typical scan, but when processing billions of IP addresses, or potential IoT devices being targeted by cyberattackers, 2% is an acceptable tolerance. [5]

Usage

ZMap can be used for both vulnerability detection and exploitation. [9] [6]

The application has been used for port 443 scans to estimate power outages during Hurricane Sandy in 2013. [5] One of the developers of ZMap, Zakir Durumeric, used his software to determine a computer's online state, vulnerabilities, operating system, and services. [10] [11] ZMap has also been used to detect vulnerabilities in Universal Plug and Play (UPnP) devices and to search for weak public keys in HTTPS website logs. [12]


References

  1. "About the Project". The ZMap Project. Retrieved 10 Aug 2018.
  2. "GitHub - zmap/zmap". GitHub. 2 Jul 2018. Retrieved 10 Aug 2018.
  3. Ducklin, Paul (20 Aug 2013). "Welcome to Zmap, the "one hour turnaround" internet scanner". Sophos. Retrieved 10 Aug 2018.
  4. Adrian, David (2014). "Zippier ZMap: Internet-Wide Scanning at 10 Gbps" (PDF). USENIX Workshop on Offensive Technologies.
  5. Durumeric, Zakir; Wustrow, Eric; Halderman, J. Alex (Aug 2013). "ZMap: Fast Internet-Wide Scanning and its Security Applications" (PDF). Retrieved 9 Aug 2018.
  6. De Santis, Giulia (2018). Modeling and Recognizing Network Scanning Activities with Finite Mixture Models and Hidden Markov Models (PDF). Université de Lorraine.
  7. Berko, Lex (19 Aug 2013). "Now You Can Scan the Entire Internet in Under an Hour". Motherboard. Retrieved 10 Aug 2018.
  8. De Santis, Giulia; Lahmadi, Abdelkader; Francois, Jerome; Festor, Olivier (2016). "Modeling of IP Scanning Activities with Hidden Markov Models: Darknet Case Study". 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS). pp. 1–5. doi:10.1109/NTMS.2016.7792461. ISBN 978-1-5090-2914-3. S2CID 12786563.
  9. Durumeric, Zakir; Adrian, David; Mirian, Ariana; Bailey, Michael; Halderman, J. Alex (2015). "A Search Engine Backed by Internet-Wide Scanning". Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15 (PDF). pp. 542–553. doi:10.1145/2810103.2813703. ISBN 9781450338325. S2CID 9808635.
  10. Lee, Seungwoon; Im, Sun-Young; Shin, Seung-Hun; Roh, Byeong-hee; Lee, Cheolho (2016). "Implementation and vulnerability test of stealth port scanning attacks using ZMap of censys engine". 2016 International Conference on Information and Communication Technology Convergence (ICTC). pp. 681–683. doi:10.1109/ICTC.2016.7763561. ISBN 978-1-5090-1325-8. S2CID 13876287.
  11. De Santis, Giulia; Lahmadi, Abdelkader; François, Jérôme; Festor, Olivier. "Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models". 2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS). IEEE: 1–5.
  12. Arzhakov, Anton V; Babalova, Irina F (2017). "Analysis of current internet wide scan effectiveness". 2017 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). pp. 96–99. doi:10.1109/EIConRus.2017.7910503. ISBN 978-1-5090-4865-6. S2CID 44797603.