diff options
Diffstat (limited to 'rdns_scan/zmap4rdns/src/zmap.1.ronn')
| -rw-r--r-- | rdns_scan/zmap4rdns/src/zmap.1.ronn | 282 |
1 files changed, 282 insertions, 0 deletions
diff --git a/rdns_scan/zmap4rdns/src/zmap.1.ronn b/rdns_scan/zmap4rdns/src/zmap.1.ronn new file mode 100644 index 0000000..fa6651d --- /dev/null +++ b/rdns_scan/zmap4rdns/src/zmap.1.ronn @@ -0,0 +1,282 @@ +zmap(1) - The Fast Internet Scanner +=================================== + +## SYNOPSIS + +zmap [ -p <port> ] [ -o <outfile> ] [ OPTIONS... ] [ ip/hostname/range ] + +## DESCRIPTION + +*ZMap* is a network tool for scanning the entire IPv4 address space (or large +samples). ZMap is capable of scanning the entire Internet in around 45 minutes +on a gigabit network connection, reaching ~98% theoretical line speed. + +## OPTIONS + +### BASIC OPTIONS ### + + * `ip`/`hostname`/`range`: + IP addresses or DNS hostnames to scan. Accepts IP ranges in CIDR block + notation. Defaults to 0.0.0/8 + + * `-p`, `--target-port=port`: + TCP or UDP port number to scan (for SYN scans and basic UDP scans) + + * `-o`, `--output-file=name`: + When using an output module that uses a file, write results to this file. + Use - for stdout. + + * `-b`, `--blocklist-file=path`: + File of subnets to exclude, in CIDR notation, one-per line. It is + recommended you use this to exclude RFC 1918 addresses, multicast, IANA + reserved space, and other IANA special-purpose addresses. An example + blocklist file **blocklist.conf** for this purpose. + + * `-w`, `--allowlist-file=path`: + File of subnets to scan, in CIDR notation, one-per line. Specifying a + allowlist file is equivalent to specifying to ranges directly on the command + line interface, but allows specifying a large number of subnets. Note: + if you are specifying a large number of individual IP addresses (more than + 10 million), you should instead use `--list-of-ips-file`. + + * `-I`, `--list-of-ips-file=path`: + File of individual IP addresses to scan, one-per line. This feature allows you + to scan a large number of unrelated addresses. If you have a small number of IPs, + it is faster to specify these on the command + line or by using `--allowlist-file`. This should only be used when scanning more than + 10 million addresses. When used in with --allowlist-path, only hosts in the intersection + of both sets will be scanned. Hosts specified here, but included in the blocklist will + be excluded. + +### SCAN OPTIONS ### + + * `-r`, `--rate=pps`: + Set the send rate in packets/sec. Note: when combined with --probes, this is + total packets per second, not IPs per second. Setting the rate to 0 will scan + at full line rate. Default: 10000 pps. + + * `-B`, `--bandwidth=bps`: + Set the send rate in bits/second (supports suffixes G, M, and K (e.g. -B + 10M for 10 mbps). This overrides the --rate flag. + + * `-n`, `--max-targets=n`: + Cap the number of targets to probe. This can either be a number (e.g. -n + 1000) or a percentage (e.g. -n 0.1%) of the scannable address space + (after excluding blocklist) + + * `-N`, `--max-results=n`: + Exit after receiving this many results + + * `-t`, `--max-runtime=secs`: + Cap the length of time for sending packets + + * `-c`, `--cooldown-time=secs`: + How long to continue receiving after sending has completed (default=8) + + * `-e`, `--seed=n`: + Seed used to select address permutation. Use this if you want to scan + addresses in the same order for multiple ZMap runs. + + * `-P`, `--probes=n`: + Number of probes to send to each IP (default=1) + + * `--retries=n`: + Number of times to try resending a packet if the sendto call fails (default=10) + + * `--batch=n`: + Number of packets to send in a burst between checks to the ratelimit. A + batch size above 1 allows the sleep-based rate-limiter to be used with + proportionally higher rates. This can reduce CPU usage, in exchange for a + bursty send rate. (default=1) + +### SCAN SHARDING ### + + * `--shards=N`: + Split the scan up into N shards/partitions among different instances of + zmap (default=1). When sharding, **--seed** is required. + + * `--shard=n`: + Set which shard to scan (default=0). Shards are 0-indexed in the range + [0, N), where N is the total number of shards. When sharding + **--seed** is required. + +### NETWORK OPTIONS ### + + * `-s`, `--source-port=port|range`: + Source port(s) to send packets from + + * `-S`, `--source-ip=ip|range`: + Source address(es) to send packets from. Either single IP or range (e.g. + 10.0.0.1-10.0.0.9) + + * `-G`, `--gateway-mac=addr`: + Gateway MAC address to send packets to (in case auto-detection fails) + + * `--source-mac=addr`: + Source MAC address to send packets from (in case auto-detection fails) + + * `-i`, `--interface=name`: + Network interface to use + + * `-X`, `--iplayer`: + Send IP layer packets instead of ethernet packets (for non-Ethernet interface) + +### PROBE OPTIONS ### + +ZMap allows users to specify and write their own probe modules. Probe modules +are responsible for generating probe packets to send, and processing responses +from hosts. + + * `--list-probe-modules`: + List available probe modules (e.g. tcp_synscan) + + * `-M`, `--probe-module=name`: + Select probe module (default=tcp_synscan) + + * `--probe-args=args`: + Arguments to pass to probe module + + * `--probe-ttl=hops`: + Set TTL value for probe IP packets + + * `--list-output-fields`: + List the fields the selected probe module can send to the output module + +### OUTPUT OPTIONS ### + +ZMap allows users to specify and write their own output modules for use with +ZMap. Output modules are responsible for processing the fieldsets returned by +the probe module, and outputting them to the user. Users can specify output +fields, and write filters over the output fields. + + * `--list-output-modules`: + List available output modules (e.g. csv) + + * `-O`, `--output-module=name`: + Select output module (default=csv) + + * `--output-args=args`: + Arguments to pass to output module + + * `-f`, `--output-fields=fields`: + Comma-separated list of fields to output + + * `--output-filter`: + Specify an output filter over the fields defined by the probe module. See + the output filter section for more details. + + * `--no-header-row`: + Excludes any header rows (e.g., CSV header fields) from ZMap output. This is + useful if you're piping results into another application that expects only + data. + +### LOGGING AND METADATA OPTIONS ### + + * `-q`, `--quiet`: + Do not print status updates once per second + + * `-v`, `--verbosity=n`: + Level of log detail (0-5, default=3) + + * `-l`, `--log-file=filename`: + Output file for log messages. By default, stderr. + + * `-m`, `--metadata-file=filename`: + Output file for scan metadata (JSON) + + * `-L`, `--log-directory`: + Write log entries to a timestamped file in this directory + + * `-u`, `--status-updates-file`: + Write scan progress updates to CSV file" + + * `--disable-syslog`: + Disables logging messages to syslog + + * `--notes`: + Inject user-specified notes into scan metadata + + * `--user-metadata`: + Inject user-specified JSON metadata into scan metadata + +### ADDITIONAL OPTIONS ### + + * `-T`, `--sender-threads=n`: + Threads used to send packets. ZMap will attempt to detect the optimal + number of send threads based on the number of processor cores. + + * `-C`, `--config=filename`: + Read a configuration file, which can specify any other options. + + * `-d`, `--dryrun`: + Print out each packet to stdout instead of sending it (useful for + debugging) + + * `--max-sendto-failures`: + Maximum NIC sendto failures before scan is aborted + + * `--min-hitrate`: + Minimum hitrate that scan can hit before scan is aborted + + * `--cores`: + Comma-separated list of cores to pin to + + * `--ignore-blocklist-errors`: + Ignore invalid, malformed, or unresolvable entries in allowlist/blocklist file. + Replaces the pre-v3.x `--ignore-invalid-hosts` option. + + * `-h`, `--help`: + Print help and exit + + * `-V`, `--version`: + Print version and exit + +### OUTPUT FILTERS ### + +Results generated by a probe module can be filtered before being passed to the +output module. Filters are defined over the output fields of a probe module. +Filters are written in a simple filtering language, similar to SQL, and are +passed to ZMap using the `--output-filter` option. Output filters are commonly +used to filter out duplicate results, or to only pass only successful responses +to the output module. + +Filter expressions are of the form `<fieldname> <operation> <value>`. The type of +`<value>` must be either a string or unsigned integer literal, and match the type +of `<fieldname>`. The valid operations for integer comparisons are = !=, <, >, +<=, >=. The operations for string comparisons are =, !=. The +`--list-output-fields` flag will print what fields and types are available for +the selected probe module, and then exit. + +Compound filter expressions may be constructed by combining filter expressions +using parenthesis to specify order of operations, the && (logical AND) and || +(logical OR) operators. + +For example, a filter for only successful, non-duplicate responses would be +written as: `--output-filter="success = 1 && repeat = 0"` + +### UDP PROBE MODULE OPTIONS ### + +These arguments are all passed using the `--probe-args=args` option. Only one +argument may be passed at a time. + + * `file:/path/to/file`: + Path to payload file to send to each host over UDP. + + * `template:/path/to/template`: + Path to template file. For each destination host, the template file is + populated, set as the UDP payload, and sent. + + * `text:<text>`: + ASCII text to send to each destination host + + * `hex:<hex>`: + Hex-encoded binary to send to each destination host + + * `template-fields`: + Print information about the allowed template fields and exit. + +### MID-SCAN CHANGES ### + +You can change the rate at which ZMap is scanning mid-scan by sending SIGUSR1 (increase) +and SIGUSR2 (decrease) signals to ZMap. These will result in the scan rate increasing or +decreasing by 5%. |