Nmap vs ZMap

Asphyxia

Apr 25, 2015
Looking for port 80 on a specific subnet?
Code:
nmap -p80 --unprivileged 172.22.1.0/24
zmap -p80 172.22.1.0/24

Write your IP list:
Code:
nmap -p80 --unprivileged 172.22.1.0/24 -oG - | grep "/open" | awk '{ print $2 }' > wicked.list
zmap -p80 172.22.1.0/24 -o wicked.list
I find that sometimes, if you do not use --unprivileged, everything can report back as open within Nmap.

Find some random servers with port 80 open:
Code:
nmap -p 80 -iR 100 -oG - | grep "/open" | awk '{ print $2 }' > wicked.list
zmap -p 80 -N 100 -o wicked.list
The main difference here is Nmap does not (to my knowledge) have a built-in way to continue scanning until it finds X# of hosts listening on a certain port. For example, with the Nmap method you may find 5 hosts listening on port 80 by scanning 100 random hosts. ZMap outperforms here, by allowing -N 100, to keep scanning until 100 hosts listening on 80 are scanned. If you want to continuously scan with Nmap to discover hosts listening on 80, you would need to add 0 to iR e.g. nmap -Pn -sS -p 80 -iR 0

As we know, simply having port 80 does not mean a server is there so how about we perform service discovery against our list(s)?
Code:
nmap -p80 -sV -iL wicked.list

... that is all for today, might add more later.

ZMap would have to use something else like ZGrab (or wget), something to check http status codes or server info etc.
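The grep/awk pipeline above keys on the string "/open" anywhere in a grepable line. That is exact for a single-port scan, but once you pass more than one port to -p the same pipeline lists a host if any of its ports is open. The following Python is an added example, not code from the original post: it parses the Ports field of nmap -oG output properly, filters on one specific port, and takes an optional limit so it stops after N hits, which is the "keep going until N hosts" behaviour the post attributes to ZMap's -N. The sample output is constructed for the example, not a real scan.

```python
"""Parse Nmap grepable (-oG) output and list hosts with a given port open."""
import re
from typing import Iterable, Iterator, List, Optional

# Constructed sample of `nmap -p80,443 -oG -` output (not a real scan).
# Note 172.22.1.2: only 443 is open, yet a plain grep "/open" still matches it.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -p80,443 --unprivileged -oG - 172.22.1.0/28
Host: 172.22.1.1 ()\tStatus: Up
Host: 172.22.1.1 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///
Host: 172.22.1.2 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///
Host: 172.22.1.3 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 172.22.1.4 ()\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///
Host: 172.22.1.5 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///
# Nmap done -- 16 IP addresses (5 hosts up) scanned in 1.23 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Each port entry looks like  80/open/tcp//http///  : port/state/proto/...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def naive_grep_open(text: str) -> List[str]:
    """Replicates  grep "/open" | awk '{ print $2 }'  : matches any open port."""
    return [line.split()[1] for line in text.splitlines() if "/open" in line]


def iter_hosts_with_open_port(lines: Iterable[str], port: int,
                              limit: Optional[int] = None) -> Iterator[str]:
    """Yield unique IPs whose Ports field lists `port` in state open.

    `limit` mimics ZMap's -N: stop once that many matching hosts were seen.
    """
    seen = set()
    for line in lines:
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment line, or a Status-only line with no port data
        ip = m.group(1)
        # Fields in -oG output are tab separated; pick the Ports field only.
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for pm in PORT_RE.finditer(ports_field):
            if int(pm.group(1)) == port and pm.group(2) == "open":
                if ip not in seen:
                    seen.add(ip)
                    yield ip
                    if limit is not None and len(seen) >= limit:
                        return
                break


def open_hosts(text: str, port: int, limit: Optional[int] = None) -> List[str]:
    """Convenience wrapper returning a list, e.g. to write to wicked.list."""
    return list(iter_hosts_with_open_port(text.splitlines(), port, limit))


if __name__ == "__main__":
    print("grep-style  :", naive_grep_open(SAMPLE_GREPABLE))
    print("port 80 open:", open_hosts(SAMPLE_GREPABLE, 80))
    print("first two   :", open_hosts(SAMPLE_GREPABLE, 80, limit=2))
```

On the constructed sample the grep-style pipeline returns four hosts, including 172.22.1.2 where only 443 is open, while the parser returns the three with 80 open. To use it on a real scan, feed it `nmap -p80 --unprivileged <range> -oG -` on stdin instead of SAMPLE_GREPABLE.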

Asphyxia

Apr 25, 2015
I prefer using NMAP rather than the others!
Nmap can certainly be useful but as detailed over here on scanning your LAN quickly: https://r4p3.net/threads/zmap-for-l...very-nmap-fast-port-scanning.8018/#post-71883

There simply is a massive speed advantage ZMap and other faster scanners like MASSCAN and Unicornscan have. When you have to clear through over 2,000,000 IP addresses to "break the ice" on a network, Nmap is just going to take too damn long.

Think of Zmap like an icebreaker:

And... Nmap is like your friendly polar bear:

They are both pretty damn awesome, just do different things in different cases.

Why? Projects like MASSCAN and Zmap use asynchronous transmission, which means they do not have to wait for replies before sending probes.
Asynchronous transmission means the scanner doesn't have to wait for replies before sending out probes. masscan was created for the sole purpose of scanning the entire internet as fast as possible; according to its author Robert Graham, this can be done in less than 6 minutes at around 10 million packets per second.

Nmap likes to crawl with great accuracy but like a cute polar bear can slip off ice and take a long time to get somewhere. Both are very useful for different approaches. ZMap is more "spray and pray" while Nmap is more "target in rifle scope".

Want an idea how many hosts you may be scanning through to scope out a network?
Code:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

Total hosts: 16,777,216 + 1,048,576 + 65,536 = 17,891,328

There is the quick math I came up with. Assuming the network is using the common CIDR blocks like 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 ... you can expect to find some hosts in no time with ZMap listening on common ports like 80, 22, and other top targets for attacks. Once you get your list, you can try service detection with Nmap but even then Nmap can be slow there, has triggered router crashes in the past reportedly, and simply Unicornscan could be a safer replacement. In my opinion, use ZMap for discovery and finish more thorough discovery by scanning closer to discovered hosts with Unicornscan - finish off with a more thorough service scan on live hosts. You are basically playing the game Hasbro Battleship. Depending on how much noise you are allowed to make on the network, this should be okay to start with! ;)