How to scan whole Internet 3.7 billion IP addresses in few minutes?

2024-05-31 01:38

本文主要是介绍How to scan whole Internet 3.7 billion IP addresses in few minutes?,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

Cyber security audit and ethical hacking training professionals normally use scanner to scans the networks. Scanning every IP address on the internet isn’t an easy job, and if you don’t have the resources of a botnet, a single scan can take months. If you want to take snapshots of the internet it will be very difficult, because doing a network scan of the whole thing has typically taken weeks or months to complete. However this is now possible explains cyber security services expert with the help of new tools like ZMap Masscan and other tools. In this article we will be covering different advance port scanning tools.

Zmap

ZMap is designed to execute widespread scans of the IPv4 address space or large portions of it. It is a very powerful tool for cyber security services researchers, and you can scan the entire IPv4 address space by using its high rate of 1.4 million packets per second. ZMap can’t replace general-purpose mappers like Nmap, which is excellent for scanning sub-networks in depth. ZMap is intended to do a shallow scan - typically of a single port or service - of the entire internet, or at least the IPv4 internet, from a single, dedicated computer, in under an hour. Ame Wilson, cyber security audit services consultant mentions that ZMap is proficient of scanning the IPv4 public address space over 1300 times faster than the Nmap.
ZMap is able to work so fast because it uses cyclic multiplicative groups. ZMap has been designed to achieve parallelism and performance. First, ZMap is completely stateless, which means that it does not maintain status per connection. In place of maintaining a big list of probes it’s sent, and the time they’ve been out there, and how much longer it should wait for each one, and thoroughly updating the list with every acknowledged response, ZMap just use cyclic multiplicative group to avoid all this explains Ame Wilson, cyber security audit services consultant.
Second, ZMap sends in parallel as many probes as the network bandwidth permits, in order to attain the maximum rate possible. Normally all the probes are sent in a pseudo-random order, so that’s if lot of people do scan together there is no DDOS attack, this way the probability to overload a single network is greatly reduced. Although each successive probe follows a strict algorithmic sequence, the IP numbers randomly bounce around the IPv4 address space. Thus, we don’t get thousands of probes delivered in on a single subnet at the same time.

Because of these reasons with ZMap we can scan about 3.7 billion addresses available for use in IPv4 addresses, in an hour thus ZMap really can crawl across the entire internet.

By default, ZMap will execute a TCP SYN scan on the particular port at the maximum rate possible. A more different configuration will be to scan 10,000 random addresses on port 80 at a maximum 10 Mbps and can be run as follows:

$ ZMap --bandwidth=10M --target-port=80 --max-targets=10000 --output-file=results.csv

You can also use ZMap to scan specific subnets or CIDR blocks. For instance, to scan only 10.0.0.0/8 and 192.168.0.0/16 on port 80, run:

$ ZMap -p 80 -o results.csv 10.0.0.0/8 192.168.0.0/16

As per cyber security services expert, normally when we use ZMap, it will deliver a list of distinct IP addresses that answered successfully (e.g. with a SYN ACK packet). Also it is recommended to use a blacklist file, with which you can exclude both reserved/unallocated IP space (e.g. multicast, RFC1918), as well as companies or military networks that should be excluded from your scans. By default, ZMap will employ a simple blacklist file having reserved and unallocated addresses and this file can be found in /etc/ZMap/blacklist.conf.

MASSCAN: Mass IP port scanner

Masscan is one of the fastest Internet port scanner as it can scan the all the IP’s of the Internet in less than 6 minutes, while transmitting 10 million packets per second mentions ethical hacking training professor. It produces output similar to Nmap and employs asynchronous transmission. The only big difference is that Masscan is faster than these other scanners. Also, it’s more flexible, allowing arbitrary address ranges and port ranges. Masscan uses a its own custom TCP/IP stack which means anything other than simple port scans will cause inconsistency with the local TCP/IP stack. This means we should either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that Masscan uses.

While Linux is the primary platform on which Masscan works, the code runs well on many other operating systems like:

• Windows w/ Visual Studio
• Windows w/ MingGW
• Windows w/ cygwin
• Mac OS X /w XCode
• Mac OS X /w cmdline
• FreeBSD

To reach beyond two million packets per second, we need an Intel 10-gbps Ethernet adapter and a special driver called as “PF_RING DNA”. Masscan doesn’t need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:

• libpfring.so (installed in /usr/lib/libpfring.so)
• pf_ring.ko (their kernel driver)
• ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

Masscan can be used to for different purposes than just detect whether ports are open as per cyber security services experts. It can also be used to complete the TCP connection and interaction with the application at that port in order to grab simple “banner” information. The trouble with this is that Masscan contains its own custom TCP/IP stack separate from the operating system you run it on. When the local system accepts a SYN-ACK from the probed target machines, it replys with a RST packet that kills the connection before Masscan can grab the banner. The easiest way to stop this is to allocate Masscan a separate IP address.

How to scan the entire Internet

The software is designed really with the entire Internet, while it is also very useful for smaller, internal networks. When you run it for the internet, it might look something like this:

# masscan 0.0.0.0/0 -p0-65535

It is very bad to scan the entire Internet. For one thing, some organizations of the Internet react badly to being scanned. For another thing, some websites track scans and can add you to a blacklist, which will get you, firewalled from useful websites of the Internet. Therefore, it sis suggested to exclude a lot of IP ranges. To exclude IP ranges, you want to use the following syntax:

# masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt 

Scanrand

Scanrand is a high speed port scanner, route-tracer and very efficient in scanning explains ethical hacking training professor of international institute o cyber security. It is a fast network scanner that can scan single hosts to very large networks easily. Scanrand supports what is called stateless TCP scanning, which sets it apart from the other network scanners. Scanrand takes a different approach than the typical network scanner and implements more of a, ‘fire and forget’ ideology using little math.

Scanrand divides itself up into two processes. One process is accountable for doing nothing but sending out SYN packets using libnet. The other process is accountable for getting the responses from the remote computers using libpcap. One significant thing to note here is that these processes work separately. There is no consulting with the other process. Scanrand stores a list of IP addresses it is expecting a response from and the sending process does not wait for a response at all. It fires off a SYN, and then moves on to the next target leaving the receiving process to sort out the inundation of responses.

Unicornscan

Unicornscan is an open source (GPL) tool and intended to assist with information gathering and security auditing. As we all know that Nmap sets the standard for port scanning on both windows and UNIX systems. Nevertheless full range UDP and TCP port scans (65k ports) take a long time to finish. Unicornscan resolves this problem and excels at speed. Unicornscan is an asynchronous stateless port scanner that implements its own TCP/IP stack. Unicornscan passes the ports that are found to Nmap and/or Amap for further analysis.

Scanning Best Practices

Cyber security audit services experts offer these advices for researchers performing Internet-wide scans as guidelines for good Internet citizenship.

• Organize closely with local network administrators to diminish the risks and handle inquiries.
• Authenticate that scans will not overload the local network or upstream provider.
• Indicate the nature of the scans in web pages and DNS entries of the source addresses.
• Plainly explain the reason and scope of the scans in all interactions.
• Provide a simple form of opting out and honor requests promptly.
• Perform scans no larger or more frequent than is necessary for research objectives.
• Distribute scan traffic over time or source addresses when feasible.

It should go without saying that scan researchers should abstain from exploiting vulnerabilities or accessing protected resources, and should comply with any special legal requirements in their jurisdictions.

Security concerns and ethical problems

As usual, the capacity to almost instantly find out computers and networks that have un-patched security vulnerabilities can be a good thing for researchers, but it can be used for evil gain by the hackers out there. These are for sure great tools and will doubtless be accepted by many researchers. However, such potent Internet scanners can be used by hackers for malicious behavior such as vulnerability detection and exploitation. The only thing a hacker needs is a potent machine and a network with a high upload speed. Nowadays, these requirements can be easily fulfilled by a cloud virtual machine. The presence of these tools proves also that the time window between the presence of detection of vulnerability and its detection by hackers is getting shorter day by day. For this reason, it is important to properly secure your own infrastructure and protect personal/business data.
Ethical hacking training professor advices that these tools should be tools should be used cautiously without invading someone else’s privacy as anybody can use them.


  • masscan VS zmap VS unicornscan VS scanrand

http://www.iicybersecurity.com/internet-port-scanner.html

  • masscan
    https://github.com/robertdavidgraham/masscan
    http://tools.kali.org/information-gathering/masscan

  • zmap
    https://github.com/zmap/zmap/
    https://zmap.io/paper.pdf

这篇关于How to scan whole Internet 3.7 billion IP addresses in few minutes?的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1017209

相关文章

2024.9.8 TCP/IP协议学习笔记

1.所谓的层就是数据交换的深度,电脑点对点就是单层,物理层,加上集线器还是物理层,加上交换机就变成链路层了,有地址表,路由器就到了第三层网络层,每个端口都有一个mac地址 2.A 给 C 发数据包,怎么知道是否要通过路由器转发呢?答案:子网 3.将源 IP 与目的 IP 分别同这个子网掩码进行与运算****,相等则是在一个子网,不相等就是在不同子网 4.A 如何知道,哪个设备是路由器?答案:在 A

linux下查看自己的外网ip

局域网的服务器是通过ADSL路由器连接外网的,但ADSL是从ISP运营商那儿通过动态获得IP的,那么我怎么知道自己的外网地址是多少呢? 今天得到几个办法: curl -s http://whatismyip.org wget http://whatismyip.org 然后再  cat index.html 也可以看到

linux下TCP/IP实现简单聊天程序

可以在同一台电脑上运行,在一个终端上运行服务器端,在一个终端上运行客户端。 服务器端的IP地址要和本地的IP相同,并分配端口号,客户端的默认设置为本地,端口号自动分配。 服务器端: #include <stdio.h>#include <stdlib.h>#include <errno.h>#include <string.h>#include <sys/types.

Hbase Filter+Scan 查询效率优化

Hbase Filter+Scan 查询效率问题 众所周知,Hbase利用filter过滤器查询时候会进行全表扫描,查询效率低下,如果没有二级索引,在项目中很多情况需要利用filter,下面针对这种情况尝试了几种优化的方案,仅供参考,欢迎交流。 根据业务要求,作者需要根据时间范围搜索所需要的数据,所以作者设计的rowKey是以时间戳为起始字符串的。 正确尝试: 1.scan 设置 开始行和结

超越IP-Adapter!阿里提出UniPortrait,可通过文本定制生成高保真的单人或多人图像。

阿里提出UniPortrait,能根据用户提供的文本描述,快速生成既忠实于原图又能灵活调整的个性化人像,用户甚至可以通过简单的句子来描述多个不同的人物,而不需要一一指定每个人的位置。这种设计大大简化了用户的操作,提升了个性化生成的效率和效果。 UniPortrait以统一的方式定制单 ID 和多 ID 图像,提供高保真身份保存、广泛的面部可编辑性、自由格式的文本描述,并且无需预先确定的布局。

C# 如何同时Ping多个IP地址

在C#中,如果需要同时ping多个IP地址,可以采用多线程或异步编程的方式来实现,以便可以同时进行多个ping操作。以下是两种常用的方法: 方法一:使用多线程(Task 或 Thread) 使用Task是更现代和推荐的方式,因为它内置了更好的线程管理和异常处理机制。以下是一个使用Task的示例,展示如何同时ping多个IP地址: using System; using System.Co

JAVAEE初阶第七节(中)——物理原理与TCP_IP

系列文章目录 JAVAEE初阶第七节(中)——物理原理与TCP_IP 文章目录 系列文章目录JAVAEE初阶第七节(中)——物理原理与TCP_IP 一.应用层重点协议)1. DNS2 .NAT3. NAT IP转换过程 4 .NAPT5. NAT技术的缺陷6. HTTP/HTTPS7. 自定义协议 二. 传输层重点协议 1 .UDP协议 2.1.1 UDP协议端格式 2.1.2 UD

一台电脑对应一个IP地址吗?‌探讨两台电脑共用IP的可能性

在当今数字化时代,‌IP地址作为网络世界中的“门牌号”,‌扮演着至关重要的角色。‌它负责在网络上唯一标识每一台设备,‌使得数据能够在庞大的互联网中准确无误地传输。‌然而,‌对于IP地址与电脑之间的对应关系,‌许多人可能存有疑惑:‌一台电脑是否必须对应一个IP地址?‌两台电脑又是否可以共用一个IP地址呢?‌本文将深入探讨这些问题,‌带您一窥IP地址背后的奥秘。‌ 一台电脑对应一个IP地址吗?‌

context:component-scan使用说明!

<!-- 使用annotation 自动注册bean, 并保证@Required、@Autowired的属性被注入 --> <context:component-scan base-package="com.yuanls"/> 在xml配置了这个标签后,spring可以自动去扫描base-pack下面或者子包下面的java文件,如果扫描到有@Component @Controll

网络层 VII(IP多播、移动IP)【★★★★★★】

一、IP 多播 1. 多播的概念 多播是让源主机一次发送的单个分组可以抵达用一个组地址标识的若干目的主机,即一对多的通信。在互联网上进行的多播,称为 IP 多播(multicast , 以前曾译为组播)。 与单播相比,在一对多的通信中,多播可大大节约网络资源。假设视频服务器向 90 台主机传送同样的视频节目,单播与多播的比较如下图所示。 下图(a)是视频服务器用单播方式向 90 台主机传