123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 |
- zmap(1) - The Fast Internet Scanner
- ===================================
- ## SYNOPSIS
- zmap [ -p <port> ] [ -o <outfile> ] [ OPTIONS... ] [ ip/hostname/range ]
- ## DESCRIPTION
- *ZMap* is a network tool for scanning the entire Internet (or large samples).
- ZMap is capable of scanning the entire Internet in around 45 minutes on a
- gigabit network connection, reaching ~98% theoretical line speed.
- ## OPTIONS
- ### BASIC OPTIONS ###
- * `ip`/`hostname`/`range`:
- IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR block
- notation. Defaults to 0.0.0/8
- * `-p`, `--target-port=port`:
- TCP or UDP port number to scan (for SYN scans and basic UDP scans)
- * `-o`, `--output-file=name`:
- When using an output module that uses a file, write results to this file.
- Use - for stdout.
- * `-b`, `--blacklist-file=path`:
- File of subnets to exclude, in CIDR notation, one-per line. It is
- recommended you use this to exclude RFC 1918 addresses, multicast, IANA
- reserved space, and other IANA special-purpose addresses. An example
- blacklist file **blacklist.conf** for this purpose.
- ### SCAN OPTIONS ###
- * `-n`, `--max-targets=n`:
- Cap the number of targets to probe. This can either be a number (e.g. -n
- 1000) or a percentage (e.g. -n 0.1%) of the scannable address space
- (after excluding blacklist)
- * `-N`, `--max-results=n`:
- Exit after receiving this many results
- * `-t`, `--max-runtime=secs`:
- Cap the length of time for sending packets
- * `-r`, `--rate=pps`:
- Set the send rate in packets/sec
- * `-B`, `--bandwidth=bps`:
- Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B
- 10M for 10 mbps). Thi s overrides the --rate flag.
- * `-c`, `--cooldown-time=secs`:
- How long to continue receiving after sending has completed (default=8)
- * `-e`, `--seed=n`:
- Seed used to select address permutation. Use this if you want to scan
- addresses in the same order for multiple ZMap runs.
- * `--shards=N`:
- Split the scan up into N shards/partitions among different instances of
- zmap (default=1). When sharding, **--seed** is required.
- * `--shard=n`:
- Set which shard to scan (default=0). Shards are 0-indexed in the range
- [0, N), where N is the total number of shards. When sharding
- **--seed** is required.
- * `-T`, `--sender-threads=n`:
- Threads used to send packets. ZMap will attempt to detect the optimal
- number of send threads based on the number of processor cores.
- * `-P`, `--probes=n`:
- Number of probes to send to each IP (default=1)
- * `-d`, `--dryrun`:
- Print out each packet to stdout instead of sending it (useful for
- debugging)
- ### NETWORK OPTIONS ###
- * `-s`, `--source-port=port|range`:
- Source port(s) to send packets from
- * `-S`, `--source-ip=ip|range`:
- Source address(es) to send packets from. Either single IP or range (e.g.
- 10.0.0.1-10.0.0.9)
- * `-G`, `--gateway-mac=addr`:
- Gateway MAC address to send packets to (in case auto-detection does not
- work)
- * `-i`, `--interface=name`:
- Network interface to use
- ### PROBE OPTIONS ###
- ZMap allows users to specify and write their own probe modules. Probe modules
- are responsible for generating probe packets to send, and processing responses
- from hosts.
- * `--list-probe-modules`:
- List available probe modules (e.g. tcp_synscan)
- * `-M`, `--probe-module=name`:
- Select probe module (default=tcp_synscan)
- * `--probe-args=args`:
- Arguments to pass to probe module
- * `--list-output-fields`:
- List the fields the selected probe module can send to the output module
- ### OUTPUT OPTIONS ###
- ZMap allows users to specify and write their own output modules for use with
- ZMap. Output modules are responsible for processing the fieldsets returned by
- the probe module, and outputing them to the user. Users can specify output
- fields, and write filters over the output fields.
- * `--list-output-modules`:
- List available output modules (e.g. tcp_synscan)
- * `-O`, `--output-module=name`:
- Select output module (default=csv)
- * `--output-args=args`:
- Arguments to pass to output module
- * `-f`, `--output-fields=fields`:
- Comma-separated list of fields to output
- * `--output-filter`:
- Specify an output filter over the fields defined by the probe module. See
- the output filter section for more details.
- ### ADDITIONAL OPTIONS ###
- * `-C`, `--config=filename`:
- Read a configuration file, which can specify any other options.
- * `-q`, `--quiet`:
- Do not print status updates once per second
- * `-g`, `--summary`:
- Print configuration and summary of results at the end of the scan
- * `-v`, `--verbosity=n`:
- Level of log detail (0-5, default=3)
- * `-h`, `--help`:
- Print help and exit
- * `-V`, `--version`:
- Print version and exit
- ### UDP PROBE MODULE OPTIONS ###
- These arguments are all passed using the `--probe-args=args` option. Only one
- argument may be passed at a time.
- * `file:/path/to/file`:
- Path to payload file to send to each host over UDP.
- * `template:/path/to/template`:
- Path to template file. For each destination host, the template file is
- populated, set as the UDP payload, and sent.
- * `text:<text>`:
- ASCII text to send to each destination host
- * `hex:<hex>`:
- Hex-encoded binary to send to each destination host
- * `template-fields`:
- Print information about the allowed template fields and exit.
- ### OUPUT FILTERS ###
- Results generated by a probe module can be filtered before being passed to the
- output module. Filters are defined over the output fields of a probe module.
- Filters are written in a simple filtering language, similar to SQL, and are
- passed to ZMap using the `--output-filter` option. Output filters are commonly
- used to filter out duplicate results, or to only pass only sucessful responses
- to the output module.
- Filter expressions are of the form `<fieldname> <operation> <value>`. The type of
- `<value>` must be either a string or unsigned integer literal, and match the type
- of `<fieldname>`. The valid operations for integer comparisons are = !=, <, >,
- <=, >=. The operations for string comparisons are =, !=. The
- `--list-output-fields` flag will print what fields and types are available for
- the selected probe module, and then exit.
- Compound filter expressions may be constructed by combining filter expressions
- using parenthesis to specify order of operations, the && (logical AND) and ||
- (logical OR) operators.
- For example, a filter for only successful, non-duplicate responses would be
- written as: `--output-filter="success = 1 && repeat = 0"`
|