ZMap (software)

ZMap is a free and open-source security scanner that was developed as a faster alternative to Nmap. ZMap was designed for information security research and can be used for both white hat and black hat purposes. The tool is able to discover vulnerabilities and their impact, and detect affected IoT devices.

Using one gigabit per second of network bandwidth, ZMap can scan the entire IPv4 address space in 44 minutes on a single port. With a ten gigabit connection, ZMap scan can complete a scan in under five minutes.

Operation
ZMap iterates on techniques utilized by its predecessor, Nmap, by altering the scanning method in a few key areas. Nmap sends out individual signals to each IP address and waits for a reply. As replies return, Nmap compiles them into a database to keep track of responses, a process that slows down the scanning process. In contrast, ZMap uses cyclic multiplicative groups, which allows ZMap to scan the same space roughly 1,300 times faster than Nmap. The ZMap software takes every number from 1 to 232-1 and creates an iterative formula that ensures that each of the possible 32-bit numbers is visited once in a pseudorandom order. Building the initial list of numbers for every IP address takes upfront time, but it is a fraction of what is required to aggregate a list of every sent and received probe. This process ensures that once ZMap starts sending probes out to different IPs, an accidental denial of service could not occur because an abundance of transmissions would not converge on one subnet at the same time.

ZMap also speeds up the scanning process by sending a probe to every IP address only once by default, whereas Nmap resends a probe when it detects a connection delay or fails to get a reply. This results in about 2% of IP addresses being missed during a typical scan, but when processing billions of IP address, or potential IoT devices being targeted by cyberattackers, 2% is an acceptable tolerance.

Usage
ZMap can be used for both vulnerability detection and exploitation.

The application has been used for port 443 scans to estimate power outages during Hurricane Sandy in 2013. One of the developers of ZMap, Zakir Durumeric, used his software to determine a computer's online state, vulnerabilities, operating system, and services. ZMap has also been used to detect vulnerabilities in universal plug and play devices and search for weak public keys in HTTPS website logs.