# ZMap — Fast Single-Packet Internet-Wide Network Scanner

> ZMap is a fast network scanner designed for internet-wide surveys that can scan the entire IPv4 address space in under an hour on a single machine using stateless packet transmission.

## Quick Use

```bash
# Install
sudo apt install zmap   # Debian/Ubuntu
brew install zmap       # macOS

# Scan a subnet for port 80
sudo zmap -p 80 192.168.1.0/24

# Scan with output to file
sudo zmap -p 443 10.0.0.0/8 -o results.csv

# Scan with rate limiting (10k packets/sec)
sudo zmap -p 22 -r 10000 203.0.113.0/24
```

## Introduction

ZMap is a stateless network scanner designed for large-scale network surveys. Developed at the University of Michigan, it uses a technique of sending one probe packet per target without maintaining connection state, enabling it to scan billions of addresses orders of magnitude faster than traditional tools like nmap.

## What ZMap Does

- Scans large network ranges at speeds exceeding millions of packets per second on commodity hardware
- Uses stateless probing to eliminate per-connection memory overhead during scanning
- Supports TCP SYN, ICMP echo, UDP, and custom probe modules for different scan types
- Outputs results in CSV, JSON, or Redis format for integration with analysis pipelines
- Randomizes scan order cryptographically to distribute probes evenly across the target space

## Architecture Overview

ZMap operates on a send/receive split architecture. The send path generates packets using a permutation-based algorithm that visits each target exactly once in pseudo-random order without maintaining a list. The receive path captures responses asynchronously via libpcap. This stateless design means memory usage is constant regardless of the number of targets — enabling internet-scale scanning from a single machine.
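
The list-free permutation described under Architecture Overview can be built by walking a cyclic multiplicative group modulo a prime just above the target count, the approach the ZMap paper describes for the 32-bit address space. The following is an added example at small scale, not ZMap's own code; the function names and the /24-sized demo range are assumptions made for illustration.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors of n (trial division; fine at demo scale)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def next_prime_above(n):
    """Smallest prime p with p > n, so 1..p-1 covers every target index."""
    p = n + 1
    while any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        p += 1
    return p

def is_generator(g, p):
    """g generates (Z/pZ)* iff g^((p-1)/q) != 1 for each prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def permute_targets(num_targets, rng=None):
    """Yield every index in [0, num_targets) exactly once, in scrambled order.

    The only state is (p, g, start, current): constant memory for any range.
    """
    rng = rng or secrets.SystemRandom()
    if num_targets < 2:                 # group would be trivial; nothing to shuffle
        yield from range(num_targets)
        return
    p = next_prime_above(num_targets)
    g = rng.randrange(2, p)
    while not is_generator(g, p):       # fresh generator per scan = fresh order
        g = rng.randrange(2, p)
    start = current = rng.randrange(1, p)
    while True:
        if current <= num_targets:      # group elements past the range are skipped
            yield current - 1
        current = current * g % p
        if current == start:            # full cycle walked: every element visited
            return

if __name__ == "__main__":
    # Constructed example: host offsets inside a /24 such as 192.168.1.0/24.
    print(list(permute_targets(256))[:8])
```

Because the walk covers the whole group before returning to its start, every index appears exactly once, and a new generator and start point give a different order on each run.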

## Self-Hosting & Configuration

- Requires root or CAP_NET_RAW capability to send raw packets
- Configuration via CLI flags or a config file for default options like bandwidth and interface
- Blocklist file support to exclude sensitive or reserved address ranges from scans
- Output modules support direct piping to ZGrab2 for application-layer handshake completion
- Rate limiting via `-r` flag prevents overwhelming network infrastructure

## Key Features

- Stateless design scans the entire IPv4 space in under 45 minutes at 10Gbps
- Cryptographic permutation ensures uniform random scan order without storing target lists
- Modular probe architecture supports custom packet formats beyond built-in TCP/UDP/ICMP
- Integration with ZGrab2 for follow-up application-layer data collection (TLS certs, HTTP banners)
- Constant memory usage regardless of scan scope — no per-target state stored

## Comparison with Similar Tools

- **nmap** — feature-rich but connection-stateful and slow for large ranges; ZMap trades depth for internet-scale speed
- **masscan** — similar stateless approach with comparable speed; ZMap has stronger academic backing and ZGrab2 integration
- **Shodan/Censys** — cloud-hosted internet scan databases; ZMap lets you run your own scans with custom probes
- **Unicornscan** — asynchronous scanner but less maintained and slower than ZMap at scale

## FAQ

**Q: Is it legal to use ZMap?**

A: Running ZMap is legal in most jurisdictions, but scanning networks you do not own may violate terms of service. Always use blocklists and scan responsibly.

**Q: How much bandwidth does a full IPv4 scan consume?**

A: At the default rate, a full scan takes several hours. At 1Gbps, it completes in about 45 minutes. Adjust with `-B` (bandwidth) or `-r` (rate).

**Q: Can ZMap detect which services are running on open ports?**

A: ZMap only identifies open ports. Use ZGrab2 as a follow-up tool to perform application-layer handshakes and banner grabbing.

**Q: Does ZMap support IPv6 scanning?**

A: ZMap primarily targets IPv4. The IPv6 address space is too large for brute-force enumeration, requiring different approaches.

## Sources

- https://github.com/zmap/zmap
- https://zmap.io/

---

Source: https://tokrepo.com/en/workflows/asset-3e8b5b7c

Author: Script Depot