ZMap for LAN scanning (internal discovery) - Nmap fast port scanning


Server Monkey
Apr 25, 2015
North America
Firstly, we need to know the internal IP addresses being used.

There is no such thing as Nmap fast port scanning in my opinion, so here is ZMap. Why? Because other tools are faster or they would not exist and be used for whole Internet scans in place of Nmap.

We can reference bring us to RFC1918.

Code:        -  (10/8 prefix)      -  (172.16/12 prefix)     - (192.168/16 prefix)
So, let's get into our blacklist for ZMap!

nano `find /etc | grep -E 'zmap.*blacklist' | tr -d '\n'`

Comment out local addresses:


Save your config, simply save the nano edits!

Now we will scan all private IPv4 addresses for common service(s). An alternative to the editing is to use --ignore-blacklist-errors or --ignore-invalid-hosts.

cd ~
mkdir scanHosts
cd scanHosts
mkdir 10 172 192

zmap -p21 -o 172/21.list
zmap -p22 -o 172/22.list
zmap -p23 -o 172/23.list
zmap -p80 -o 172/80.list
zmap -p443 -o 172/443.list
zmap -p3389 -o 172/3389.list
cat 172/*

zmap -p21 -o 192/21.list
zmap -p22 -o 192/22.list
zmap -p23 -o 192/23.list
zmap -p80 -o 192/80.list
zmap -p443 -o 192/443.list
zmap -p3389 -o 192/3389.list
cat 192/*

zmap -p21 -o 10/21.list
zmap -p22 -o 10/22.list
zmap -p23 -o 10/23.list
zmap -p80 -o 10/80.list
zmap -p443 -o 10/443.list
zmap -p3389 -o 10/3389.list
cat 10/*
Want a final overall view?
cat */* | sort
Now we should have a quick ZMap analysis of what open ports we are dealing with. We can pass this information off from the ZMap results, and now head over to NMap for the "real scans", these were just to break the ice and find where the network is perhaps listening to us (or a honeypot listened and blocked us). From here, we can further dive into parts of a network and automatically find parts of the living network!

Keep in mind Nmap can trigger crashes (when performing service scans), Unicornscan can be useful in some cases.

The above ZMap scans completed in less than an hour, I guarantee Nmap would take forever in comparison. Is ZMap perfect? No. It may miss some things, but when you are simply trying to pick apart a network, ZMap can at least offer you other subnets to focus on. Think of it like NMap is a pistol great at close range when you know the up close host, whereas ZMap is more like hitting birds with a shotgun. Different tools for different jobs. Know all your tools and when to use them - when not.

Let's say an output from our above sort contains, now we might look at 192.168.1.* with Nmap.

nmap -p80 --unprivileged 192.168.1.*
We could write this out into an IP list much like in a prior tutorial I had put together on Nmap vs ZMap.

nmap -p80 --unprivileged 192.168.1.* -oG - | grep "/open" | awk '{ print $2 }' > wicked.list
Keep in mind, this is all focusing solely on hosts listening on port 80 (-p80), change this to 443 (HTTPS) and other service ports as needed. The main goal is to quickly find common ports to scope out the network via ZMap, then hand the smaller network pieces to Nmap for a more accurate result of listening hosts on our network. Keep in mind that tools like Wireshark allow you to find network traffic, which will show ports being actually used whereas port scanning is more about host discovery by using specialized packets (sometimes) or just checking for open ports.

The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port.
MASSCAN is another option similar to ZMap, they scan quickly due to their asynchronous nature,

Internally, it uses asynchronous transmissions, similar to port scanners like scanrand, unicornscan, and ZMap. It's more flexible, allowing arbitrary port and address ranges.
I am not hating on Nmap too much here, simply even reducing scans per their recommendation does not save much time for the scans including too many hosts. Nmap is a great tool, just not for scans with for example 1,000,000 targets.

Now in Nmap's defense, the developer(s) keep the project maintained well, with modern features like:
1. Major Nmap Scripting Engine (NSE) Expansion
As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details]

2. Mature IPv6 support
IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details]

3. Infrastructure Upgrades
We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details]

4. Faster Scans
Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details]

5. SSL/TLS scanning solution of choice
Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details]

6. Ncat Enhanced
We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters.

7. Extreme Portability
Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy.
Last edited: