ZMap on hotel WiFi


Server Monkey
Apr 25, 2015
North America
You walk into some hotel and are like "Man, I wonder if this WiFi is safe?"

Time to chase the mouse, as a cat would, to see how fast this thing runs and whether it has a nearby hiding hole.

Start with a console entry of 'arp -a'
arp -a

Notice in the image, below Interface, some dynamic IP addresses starting with 10.10; this is a start. How about we find the gateway next?

Another favorite command to find the gateway is really simple: pipe ipconfig through findstr for "Gate", like so
ipconfig | findstr "Gate"

We can see the gateway is which means that is, well, the gateway, and in this specific case, since it is wireless, this is the wireless gateway of some sort.

Also sometimes useful is running tracert; this should disclose the first hop, which is sometimes your default gateway and other times not.


Now that we know this information, we can move into a Linux VM, where it is easier to use a terminal with ZMap, for example.

From the gateway itself, we already know is how they are apparently assigning the dynamic IP addresses (the arp info backs this up). A very bad @$* CIDR chart to reference is available right here.

Anyway, the Nmap way looks like this:
nmap -sn -PE 10.10.*.*
You would want to write that out to a file though, so more like:
nmap -sn -PE 10.10.*.* -oG pinged.txt

Well, let's charge through all this with ZMap.

zmap --probe-module=icmp_echoscan -o zmap_ping
Side-by-side comparison time using the below:
time zmap --probe-module=icmp_echoscan -o zmap_ping
time nmap -sn -PE 10.10.7.* -oG nmap_ping


What about the number of results, for accuracy?


I am going to rerun the same commands to check for different results.

It is hard to be certain the above results are perfect because I do not control this network; on this WiFi there may be people disconnecting, which affects my result comparisons.

It is easy to see that the accuracy of these scans is not perfect, but ZMap is quicker at discovery while Nmap is more accurate.
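To make this comparison reproducible rather than eyeballed, here is an added example (mine, not code from the original post) that parses Nmap/Masscan grepable (-oG) output and ZMap's one-address-per-line output, then reports which hosts were stable across reruns of each tool and which hosts only one tool found. The sample scan outputs are constructed, not captured from the hotel network.

```python
import ipaddress
import re

# Matches the "Host: 10.10.7.5 (...)" field in Nmap and Masscan grepable (-oG) lines.
HOST_RE = re.compile(r"Host:\s+(\d{1,3}(?:\.\d{1,3}){3})")

def parse_hosts(text: str) -> set[str]:
    """Return the live/open IPv4 hosts in one scan output file.

    Two shapes are handled: -oG grepable lines from Nmap ("... Status: Up") or
    Masscan ("... Ports: 80/open/tcp"), and ZMap's one-address-per-line output.
    Comment lines and a csv header such as "saddr" are skipped.
    """
    hosts: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HOST_RE.search(line)
        if m:
            if "Status: Down" not in line:  # nmap -v also lists down hosts
                hosts.add(m.group(1))
            continue
        try:  # ZMap: bare address (first csv column if extra fields were requested)
            hosts.add(str(ipaddress.IPv4Address(line.split(",")[0])))
        except ValueError:
            pass  # header or unrelated text
    return hosts

def compare_runs(runs: dict[str, list[str]]) -> dict:
    """Compare reruns of several tools: per tool, 'seen' is any host in any run and
    'stable' is hosts present in every run (a host missing from a rerun is a user
    who left, or a miss); across tools, 'agreed' is found by all, 'only' is exclusive."""
    per_tool = {}
    for tool, outputs in runs.items():
        sets = [parse_hosts(o) for o in outputs]
        per_tool[tool] = {"seen": set().union(*sets), "stable": set.intersection(*sets)}
    agreed = set.intersection(*(v["seen"] for v in per_tool.values()))
    only = {t: v["seen"] - set().union(*(o["seen"] for u, o in per_tool.items() if u != t))
            for t, v in per_tool.items()}
    return {"per_tool": per_tool, "agreed": agreed, "only": only}

# Constructed sample outputs: two reruns each of the Nmap and ZMap ping sweeps above.
NMAP_RUNS = [
    "# Nmap 6.47 scan initiated as: nmap -sn -PE 10.10.7.* -oG nmap_ping\n"
    "Host: 10.10.7.1 ()\tStatus: Up\nHost: 10.10.7.22 ()\tStatus: Up\n"
    "Host: 10.10.7.35 ()\tStatus: Up\n# Nmap done -- 256 IP addresses (3 hosts up)\n",
    "Host: 10.10.7.1 ()\tStatus: Up\nHost: 10.10.7.22 ()\tStatus: Up\n",
]
ZMAP_RUNS = ["saddr\n10.10.7.1\n10.10.7.22\n10.10.7.40\n", "10.10.7.1\n10.10.7.22\n"]

if __name__ == "__main__":
    print(compare_runs({"nmap": NMAP_RUNS, "zmap": ZMAP_RUNS}))
```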

After scratching my chin on the accuracy part, I remembered I had put together a side-by-side discovery scan table over here.

Masscan came out on top, so I am going to try that and see what comes back in the morning.

My takeaway is that Nmap is accurate sometimes (typically), but Masscan is freaking amazing for accuracy plus overall discovery, and Unicornscan and ZMap win in the quickness department.

Altogether, here is what I am finding to be a success:
zmap -p80 -o where.txt
Cat your 'where' file; you may try running this a couple of times. You could end up filtered off and might have to disconnect, spoof your MAC, then reconnect to try another method.

At any rate, we are getting the first time. Cool! So maybe 10.162.*.* is interesting, since this goes away from our normal 10.10...

tl;dr: expand your search deeper through the CIDR. Now, I am noticing that when I run ZMap, sometimes my network activity ends up filtered out.

So then I would wait a bit, or reconnect as mentioned, and try something more accurate on those hosts, like Nmap or Masscan. Since Masscan is in my opinion faster and fairly accurate, I would do that next on the newly found CIDR, like:
masscan -p80
You will quickly generate a list of IP addresses (with port 80 open) on 10.162.*.*; I am already at 66 found, and seconds later I am at 115! Masscan is lightning fast and fairly accurate.

Since Masscan is both accurate and fast, I would also recommend getting a feel for open ports across the network:
masscan -p80 -oG web
masscan -p22 -oG ssh
masscan -p3389 -oG win
Eventually, in more scanning, I find a 10.161 result! So we know they like 10.162 (minibar), 10.161 (misc so far), and apparently 10.10... is for WiFi peeps. Fair enough!

At further glance, 10.161.150.* contains the most SSH (22) hosts.

Scanning can take time, but eventually you may work out the network map (hence Nmap's name).

Which tools you use makes a difference in accuracy and time. Know the tools and how to use them!

Keep in mind, this entire time I am only interested in discovery (uncovering the shadows). I have no interest in anything beyond discovering hosts on the network.

I think WiFi security is really important, and "Just use a VPN" is not a solution. Saying "just use a VPN" is like saying "Why didn't you just use your brakes?" when a deer jumped in front of your car.

Just hotspot yourself over mobile (4G), and possibly use a VPN you build yourself with OpenVPN (unless you want to rebuild a whole VPN server software lol).

Lastly, if you really just want to plow through a net and find all the most important pieces:

masscan -p22,3389
masscan -p22,3389
masscan -p22,3389

After that, you may know the SSH/RDP hosts; then I'd go about checking for services (port 80, 25, etc.)! Have fun, stay safe on any WiFi (or just do not connect to WiFi lol).