ZMap on Ubuntu

Jackbox

Active Member
Jan 2, 2016
I am assuming you are using the latest version of Ubuntu, preferably on a reliable host like Vultr. Keep in mind ZMap is not the only solution, check the GitHub. While you could use Nmap, you will find ZMap is significantly faster. You may even parse certificates.

Firstly, keep your system updated.
apt update && apt upgrade -y

Second comes ZMap and a dependency for ZGrab 2.0 as documented at ZMap's GitHub. Getting ZGrab2 downloaded may take a minute or so. Now we should set GOPATH!
apt install golang-go make zmap -y && go get github.com/zmap/zgrab2 gopkg.in/mgo.v2 && export GOPATH=$(go env GOPATH)

We are ready to make!
cd $GOPATH/src/github.com/zmap/zgrab2 && make

We are now ready to go! If all went well, you should have zgrab2 at:
~/go/src/github.com/zmap/zgrab2/zgrab2

---

Just a friendly disclaimer, I am not responsible for misuse of this information. Only run authorized legal scans. Blah blah :cool: ... also before you run ZMap read this.

Find 10 IPs in the world listening on port 80 with
zmap -p 80 -N 10

Find 10 IPs in the world listening on port 22 with
zmap -p 22 -N 10

Time to write out IP results to a file now,
zmap -p 22 -N 10 -o maybeSSH.csv
... but does an open port 22 actually mean SSH?

Keep in mind, anyone can open any port for any reason such as for honeypot purposes.

Not sure about you but I don't want to have to type ~/go/src... every damn time I want zgrab.
ln -s ~/go/src/github.com/zmap/zgrab2/zgrab2 /usr/bin/zgrab
If you get zgrab: command not found, you just need to run the above command after following the top 3 code blocks to install ZGrab.

root@ting-helicopter-blades:/# zgrab --help
Usage:
zgrab [OPTIONS] <command>

Application Options:
-o, --output-file= Output filename, use - for stdout (default: -)
-f, --input-file= Input filename, use - for stdin (default: -)
-m, --metadata-file= Metadata filename, use - for stderr (default: -)
-l, --log-file= Log filename, use - for stderr (default: -)
-i, --interface= Network interface to send on
-s, --senders= Number of send goroutines to use (default: 1000)
--debug Include debug fields in the output.
--gomaxprocs= Set GOMAXPROCS (default: 0)
--connections-per-host= Number of times to connect to each host (results in more output) (default: 1)
--read-limit-per-host= Maximum total kilobytes to read for a single host (default 96kb) (default: 96)
--prometheus= Address to use for Prometheus server (e.g. localhost:8080). If empty, Prometheus is disabled.

Help Options:
-h, --help Show this help message

Available commands:
bacnet bacnet
dnp3 dnp3
fox fox
ftp FTP
http HTTP Banner Grab
imap imap
ipp ipp
modbus modbus
mongodb mongodb
mssql MSSQL
multiple Multiple module actions
mysql MySQL
ntp NTP
oracle oracle
pop3 pop3
postgres Postgres
redis redis
siemens siemens
smb smb
smtp smtp
ssh SSH Banner Grab
telnet telnet
tls TLS Banner Grab

A few ways to make use of our maybeSSH.csv file now!
cat the IP list and pipe over,
cat maybeSSH.csv | zgrab ssh -o banners.json

We grep our banners file for software version using
cat banners.json | grep "software\":"

There are better ways to do some of this, I am just going quick for demonstration - like we could parse the json and handle this data more neatly.

But isn't there a better way to perform all this together? Yes!

We can pipe these ZMap tools together like this,
zmap -p 22 -N 10 | ztee maybeSSH.csv | zgrab ssh -o banners.json

Wow that works nicely. Good luck, have fun and most importantly do not be stupid and harm no one.

Eventually you may think about "What about websites," in your beautiful mind.
zmap -p 80 -N 100 | ztee maybeSSH.csv | zgrab http --timeout 3 -o banners.json

The above has a timeout set to 3 seconds. The last thing you want is your zgrab to sit there for the default 10s (ten seconds is a fucking long time).
Want all your http module options for ZGrab?
zgrab http --help

How about SSH?
zgrab ssh --help

Here are all the default modules.
bacnet, dnp3, fox, ftp, http, imap, ipp, modbus, mongodb, mssql, multiple, mysql, ntp, oracle, pop3, postgres, redis, siemens, smb, smtp, ssh, telnet or tls

You can even launch multiple scans using a config file.

Go ahead and get into a directory in your home.
MKWTR=~/`date +%s` && mkdir $MKWTR && cd $MKWTR

Time for nano!
nano conf.ini

Paste this into your config
Code:
[Application Options]
output-file="banner.json"
[http]
output-file="80.json"
name="http80"
port=80
endpoint="/"
[http]
output-file="8080.json"
name="http8080"
port=8080
endpoint="/"
[ssh]
output-file="22.json"
port=22

Now how about we run that multiple scan?
zmap -p 80 -N 5 | ztee multiZGrab.csv | zgrab multiple -c conf.ini -o banner.json
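To handle banners.json more neatly than grep, as the post above suggests, here is an added Python example (not from the original post or from the ZMap project) that reads zgrab2's one-JSON-object-per-line output, separates hosts that completed the SSH banner exchange from hosts that were open on 22 but failed it (the "does open 22 mean SSH?" question), and tallies the reported server software. The nesting data.ssh.result.server_id.software is assumed from the zgrab2 SSH module's output format, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample of zgrab2 "ssh" output (one JSON object per line).
# Field layout (data.ssh.status / data.ssh.result.server_id.software) is
# assumed from zgrab2's SSH module; "software" is the key the post greps for.
SAMPLE_BANNERS = """\
{"ip":"192.0.2.10","data":{"ssh":{"status":"success","protocol":"ssh","result":{"server_id":{"raw":"SSH-2.0-OpenSSH_7.4","version":"2.0","software":"OpenSSH_7.4"}},"timestamp":"2019-01-01T00:00:00Z"}}}
{"ip":"192.0.2.11","data":{"ssh":{"status":"success","protocol":"ssh","result":{"server_id":{"raw":"SSH-2.0-dropbear_2017.75","version":"2.0","software":"dropbear_2017.75"}},"timestamp":"2019-01-01T00:00:01Z"}}}
{"ip":"192.0.2.12","data":{"ssh":{"status":"connection-timeout","protocol":"ssh","error":"dial tcp 192.0.2.12:22: i/o timeout","timestamp":"2019-01-01T00:00:02Z"}}}
{"ip":"192.0.2.13","data":{"ssh":{"status":"success","protocol":"ssh","result":{"server_id":{"raw":"SSH-2.0-OpenSSH_7.4","version":"2.0","software":"OpenSSH_7.4"}},"timestamp":"2019-01-01T00:00:03Z"}}}
not json at all
"""


def parse_ssh_banners(text, module="ssh"):
    """Return (hits, failures): hits are (ip, software) for successful grabs,
    failures are (ip, status) for hosts that answered on the port but never
    completed the SSH banner exchange (no "result" block in that case)."""
    hits, failures = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line or non-JSON noise in the file; skip it
        mod = rec.get("data", {}).get(module, {})
        if mod.get("status") != "success":
            failures.append((rec.get("ip"), mod.get("status")))
            continue
        software = mod.get("result", {}).get("server_id", {}).get("software")
        hits.append((rec.get("ip"), software))
    return hits, failures


def software_counts(hits):
    """Tally how many hosts report each server software string."""
    return Counter(sw for _, sw in hits if sw)


if __name__ == "__main__":
    hits, failures = parse_ssh_banners(SAMPLE_BANNERS)
    for sw, n in software_counts(hits).most_common():
        print(f"{n:4d}  {sw}")
    print(f"{len(failures)} host(s) open on 22 but no SSH banner: {failures}")
```

Feed it a real file with parse_ssh_banners(open("banners.json").read()); the failures list is where honeypots and non-SSH listeners on port 22 end up.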

tagKnife

Well-Known Member
Oct 2, 2015
I used zmap to scan for Heartbleed vuln servers back in the day. It's a really good tool and they do a weekly internet census here: https://censys.io/

No need to scan the internet yourself, just search there.
 

Jackbox

Active Member
Jan 2, 2016
No need to scan the internet
While I partially agree, it’s the difference between using a free booter service and making your own botnet. Censys was built from ZMap and Zgrab. I wanted to show people how to discovery scan, not type in a search box. :)

Also keep in mind some hosts just block Censys and Shodan while another scan looking ONLY at port 80 may not hang on a honeypot. ;)