Henry Dalziel | General Hacking Posts, Hacker Hotshots, Latest InfoSec News, Product Reviews | August 20, 2013
We like our scanning tools and programs here at Concise Courses; in fact
we even ran an Nmap class, and one of our most interesting Hacker Hotshot talks this year was called “PunkSPIDER: An Open Source, Scalable Distributed Fuzzing Project Targeting the Entire Internet” with Alejandro Caceres.
ZMap (with the capitalized ‘M’) is an open-source network scanner that allows researchers to easily scan the Internet: the entire Internet! Using a single (powerful) machine and a fast connection, ZMap is able to execute a complete scan of the IPv4 address space in under an hour. ‘Amazing’ is the first thing to say about that! The EFF, back in 2010, which is not that long ago (but, as always, a longer time in Internet years), experimented by scanning IPv4 addresses, and it took them several months! ZMap compared to Nmap (which the EFF used) is kind of an example of Moore’s law on steroids (the original Moore theory is that the number of transistors on integrated circuits will double approximately every two years).
Would whoever made ZMap please stand up?
Hats off to the three researchers responsible for creating ZMap: Zakir Durumeric, Eric Wustrow (two PhD candidates) and J. Alex Halderman, an Assistant Professor. All three are with the University of Michigan. J. Alex Halderman is taking the lead. His research focuses on computer security and privacy, with, in his own words, “an emphasis on problems that broadly impact society and public policy.” Sounds good to us and we’d like to congratulate them all on an excellent and successful project. Interestingly enough, we had Dr Thomas Holt, also from the University of Michigan, on Hacker Hotshots last year presenting: “Identifying Cyber Warriors.”
A summary of ZMap
If you like scanning networks (with permission of course), or if you are currently employed in information security as a pentester for example (or even thinking of starting a career in penetration testing), then you really should take a closer look at ZMap. One of the differences between Nmap and ZMap is that ZMap is “stateless”, which is a scanning term for “sending out a request and then forgetting about it” – rather like sending out wedding invitations and not caring whether your guests reply or not.
Our understanding of what makes ZMap so darn quick (or at least one of the reasons why it is so fast) is that rather than storing a list of outstanding requests, ZMap encodes identifying information in the outgoing packets so that it can later recognize the responses that belong to them. The result is a significant reduction in overhead, which lets the program operate at a rate roughly a thousand times faster than its legendary Nmap cousin.
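To make that stateless trick concrete, here is an added illustration in Python (not code from the ZMap project): the scanner derives the source port and TCP sequence number of each probe from a keyed hash of the target, and later validates a reply by recomputing those values instead of looking them up in a table. The scan key, the port range and the use of HMAC-SHA256 are assumptions for the demo, not ZMap’s actual choices.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed per-scan secret; a real scanner would generate one at start-up.
SCAN_KEY = b"constructed-demo-key-not-from-zmap"

# Assumed ephemeral source-port range for the demo.
PORT_BASE = 32768
PORT_COUNT = 28232


def validation(dst_ip: str, dst_port: int) -> bytes:
    """Keyed hash of the probed target: the per-target 'cookie' that replaces a state table."""
    msg = ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port)
    return hmac.new(SCAN_KEY, msg, hashlib.sha256).digest()


def probe_fields(dst_ip: str, dst_port: int) -> tuple[int, int]:
    """Source port and TCP sequence number to place in the SYN sent to this target."""
    v = validation(dst_ip, dst_port)
    sport = PORT_BASE + struct.unpack("!I", v[:4])[0] % PORT_COUNT
    seq = struct.unpack("!I", v[4:8])[0]
    return sport, seq


def response_matches(src_ip: str, src_port: int, dst_port: int, ack: int) -> bool:
    """Validate a SYN-ACK with no stored state: recompute what we must have sent.

    src_ip/src_port are the replying host; dst_port is the port it replied to;
    ack must equal our sequence number plus one (modulo 2**32).
    """
    expected_sport, expected_seq = probe_fields(src_ip, src_port)
    return dst_port == expected_sport and ack == (expected_seq + 1) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed example target (documentation address space).
    sport, seq = probe_fields("203.0.113.10", 443)
    genuine = response_matches("203.0.113.10", 443, sport, (seq + 1) & 0xFFFFFFFF)
    stray = response_matches("203.0.113.10", 443, sport, (seq + 2) & 0xFFFFFFFF)
    print(f"probe sport={sport} seq={seq} genuine={genuine} stray={stray}")
```

Because a reply only counts when its port and acknowledgement number match the recomputed values, unsolicited or backscatter packets are discarded without the scanner ever having remembered what it sent.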
The World Record of Scanning The entire Internet – 44 Minutes!
With a gigabit Internet connection, and we imagine a kick-ass server running a lot of RAM, the team was able to scan every IPv4 address on the Internet. What did they discover on their travels? First off, that the web is, hardly surprisingly, becoming (read: trying to become) more secure by implementing HTTPS. The team was able to see this because they had scanned the Internet prior to their record-setting 44 minutes and could compare the growth in HTTPS adoption. Using ZMap, the University of Michigan researchers found that from August 2012 to August 2013, HTTPS implementation increased by approximately 23 percent.
A really interesting spin-off of their research was how the Internet is at the mercy of Mother Nature. When Hurricane Sandy tore through the East Coast, she forced servers to go offline (due to factors such as loss of power etc.). The researchers conducted Internet-wide scans every two hours during the natural disaster and observed which Geo-IP areas had suffered (or were suffering) the most.
Security implications of ZMap
As part of their research the team scanned the Internet for a well-known vulnerability (discovered in early 2013 and widely reported) that affected Universal Plug and Play (UPnP) networking protocols. The intention of this particular experiment was to measure how many hosts had failed to patch the problem. Bottom line: they found 2.56 million (16.7 percent) had not yet upgraded! This just shows the power of this program.
As usual (think SHODAN), the ability to almost instantly discover computers and networks that have unpatched security vulnerabilities can be a good thing for the white hat folk, but it can also be used for nefarious gain by the black hatters out there. Dare we say it, but with the right exploitation tools a cyber criminal gang or an unsavory individual could launch a million-bot army pretty much instantly.
We are still learning about ZMap and will keep a keen ear out for developments. What are your thoughts? Do you think this program will make our job as penetration testers and security professionals easier? Have you used it? Let us know! And finally, a huge congratulations to the team over at the University of Michigan.