PT0-002 | Chapter 46 of 104 | Objective 2.2

Masscan and ZMap for Fast Port Scanning

This chapter covers Masscan and ZMap, two high-speed port scanners designed for scanning large IPv4 ranges, including the entire internet. Understanding these tools is critical for the PT0-002 exam, as they appear in the Reconnaissance and Enumeration domain (Objective 2.2) and are frequently tested in questions about scanning speed, accuracy, and evasion. Approximately 5-10% of exam questions touch on high-speed scanning tools, their configuration, and their limitations. This chapter will equip you with the technical depth to answer those questions correctly.

Updated May 31, 2026

Masscan and ZMap as Internet-Wide Door Knockers

Imagine you need to find out which doors in a massive apartment complex are unlocked. A normal scanner (like Nmap) would walk down each hallway, try each door one at a time, wait for a response, and record the result. This is thorough but slow. Masscan and ZMap are like hiring 10,000 people to simultaneously knock on doors across the entire complex. Each person has a list of specific doors to knock on, and they don't wait for a response before moving to the next door. They just knock, record any response they hear, and move on. To avoid overwhelming the building security (network), they coordinate their knocking so that no more than, say, 100 knocks per second come from any single hallway. This is done by assigning each person a unique 'knock schedule' that distributes the knocks evenly in time. If someone does hear a response, they note it, but if the response comes after they've already moved on, they might miss it. That's why Masscan and ZMap might miss some open ports compared to Nmap. They trade accuracy for speed. The 'randomized' knocking order also helps avoid detection by intrusion detection systems that might flag a sequential scan. In essence, Masscan and ZMap are designed for the specific task of scanning the entire IPv4 address space quickly, using massive parallelism and minimal state tracking.

How It Actually Works

What are Masscan and ZMap?

Masscan and ZMap are open-source tools designed specifically for high-speed port scanning of large IP ranges, including the entire IPv4 internet. While traditional scanners like Nmap can scan thousands of ports per second, Masscan claims speeds of up to 25 million packets per second (pps), and ZMap can scan the entire IPv4 address space on a single port in under 45 minutes under ideal conditions. Both tools achieve this by sacrificing per-packet reliability and state tracking in favor of raw throughput.

Why They Exist

The primary motivation for developing Masscan and ZMap was the need to perform internet-wide surveys for research and security assessments. For example, identifying all publicly accessible SSH servers, web servers, or vulnerable devices. Traditional scanners are too slow for such tasks. The PT0-002 exam tests your understanding of when to use these tools versus Nmap, their configuration options, and their limitations.

How They Work Internally

Both tools use a technique called asynchronous scanning. Instead of sending a packet and waiting for a response (synchronous), they send packets as fast as the network allows and collect responses asynchronously. This reduces the overhead of maintaining per-connection state.

Masscan operates at the raw packet level, using the libpcap library to send and receive packets. It implements its own TCP stack to handle connectionless scanning. Masscan supports TCP SYN scanning, UDP scanning, ICMP echo scanning, and even banner grabbing. It uses a randomized scanning order to avoid triggering intrusion detection systems (IDS) and to distribute load evenly.

ZMap is designed for one-port scans (e.g., scanning all IPv4 addresses on port 443). It sends SYN packets to the target IPs and listens for SYN-ACK responses. ZMap uses a probe module to generate packets and a recv module to capture responses. It does not maintain state; instead, it uses a cyclic group to generate random IP addresses from the target range, ensuring that each IP is scanned exactly once without storing the list.
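To make the "cyclic group" idea above concrete, here is an added example (not ZMap's own code, and not from the chapter) that implements the same construction in Python: a generator of the multiplicative group modulo a prime just above the address space walks every address exactly once with no stored list, and splitting the scan into shards falls out of stepping through the cycle. The prime constant and the way a generator is chosen are this example's assumptions, not quoted from ZMap's source.

```python
"""
Added example (not ZMap's or the chapter's code): walk an address space in
pseudo-random order, hitting every address once, without storing the list.
ZMap does this with the multiplicative group modulo a prime p just above
2^32: multiplying a start element by a group generator over and over cycles
through 1 .. p-1 exactly once; the few values >= 2^32 are skipped. It is
written generically so an 8-bit "address space" (p = 257) can be checked.
"""
import ipaddress
import random

# The smallest prime above 2^32 is 2^32 + 15 = 4294967311. ZMap's modulus is of
# this size; the exact constant is this example's choice, not quoted from ZMap.
PRIME_ABOVE_2_32 = 2**32 + 15


def prime_factors(n):
    """Distinct prime factors of n by trial division (fast enough for ~2^32)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, p):
    """True iff g generates the whole multiplicative group mod prime p, i.e.
    g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def find_generator(p, seed):
    """Pick a generator from a seeded RNG, so the same seed reproduces the same
    scan order (the role of ZMap's --seed)."""
    rng = random.Random(seed)
    while True:
        g = rng.randrange(2, p - 1)
        if is_generator(g, p):
            return g


def cyclic_scan_order(space_bits, p, g, seed, shard=0, shards=1):
    """Yield each integer in 1 .. 2**space_bits - 1 exactly once, permuted.
    Cycle = g^(seed+k), k = 0..p-2; shard i of n takes k = i, i+n, i+2n, ... so
    shards partition the space with no coordination (cf. ZMap --shards)."""
    assert p > 2**space_bits and is_generator(g, p)
    x = pow(g, (seed + shard) % (p - 1), p)   # this shard's first element
    step = pow(g, shards, p)                  # advance n positions at a time
    positions = (p - 1) // shards + (1 if shard < (p - 1) % shards else 0)
    for _ in range(positions):
        if x < 2**space_bits:                 # drop the elements beyond the space
            yield x
        x = x * step % p


def first_addresses(n, seed=1):
    """First n IPv4 addresses of a full 32-bit walk, as dotted strings."""
    g = find_generator(PRIME_ABOVE_2_32, seed)
    order = cyclic_scan_order(32, PRIME_ABOVE_2_32, g, seed)
    return [str(ipaddress.IPv4Address(next(order))) for _ in range(n)]


if __name__ == "__main__":
    print(first_addresses(5, seed=2024))
```

Because every shard walks a disjoint slice of the same cycle, several machines given the same seed and generator cover the range exactly once between them, which is also why a repeat run with a different seed (as in the ISP scenario later in the chapter) probes hosts in a completely different order.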

Key Components, Values, Defaults, and Timers

Masscan key options:
- --rate: Packets per second. Default is 1000 pps. Can be set to millions, but limited by network and system capabilities.
- --ports: Port range to scan.
- --range: IP range in CIDR notation (e.g., 10.0.0.0/8) or a file.
- --output-format: Can be binary, grepable, xml, json, or list.
- --banners: Enable banner grabbing (requires TCP connection completion).
- --adapter-ip: Specify source IP for sending packets.
- --adapter-port: Specify source port range.
- --send-rate: Override send rate.
- --retries: Number of retransmissions for unanswered probes. Default is 10 for TCP SYN.
- --timeout: Timeout for responses. Default is 10 seconds.

ZMap key options:
- --rate: Packets per second. Default is 10,000 pps.
- --target-port: Single port to scan.
- --output-file: Output file to write results to (e.g., -o results.csv).
- --bandwidth: Specify bandwidth in bits per second (e.g., --bandwidth=10M).
- --probe-module: Choose probe type (e.g., tcp_syn, icmp_echo, upnp).
- --seed: Seed for randomization to ensure reproducibility.
- --shards: For distributed scanning, split the scan into shards.
- --sender-threads: Number of send threads. Default is 1.
- --cpus: Number of CPU cores to use.

Default behavior:
- Both tools send packets as fast as allowed by the rate limit, without waiting for responses.
- They use raw sockets, requiring root or administrator privileges.
- Masscan automatically detects the network interface and source IP if not specified.

Configuration and Verification Commands

Masscan examples:

Scan the entire internet for port 80:

masscan 0.0.0.0/0 -p80 --rate=1000000

Scan a /16 subnet for ports 22, 443, and 8080 with banner grabbing:

masscan 10.0.0.0/16 -p22,443,8080 --banners --rate=10000

Output to JSON:

masscan 192.168.1.0/24 -p1-65535 --output-format json -o scan.json

ZMap examples:

Scan all IPv4 addresses on port 443:

zmap --target-port=443 --rate=100000 --output-file=web_servers.csv

Scan a subnet with ICMP echo:

zmap --probe-module=icmp_echo --rate=5000 --target-network=10.0.0.0/8 -o icmp_results.csv

Verification:
- Use tcpdump to monitor packets: tcpdump -i eth0 port 80
- Check system resource usage with top or htop.
- For Masscan, use --status to see progress.

How They Interact with Related Technologies

Nmap: Masscan and ZMap are often complementary to Nmap. After a fast scan identifies open ports, Nmap can be used for deeper service version detection and OS fingerprinting.

Firewalls/IDS: High-speed scans can trigger alerts. Masscan's randomized order helps evade simple IDS, but advanced systems may still detect the high packet rate.

Cloud providers: Some cloud providers (e.g., AWS) prohibit internet-wide scanning without permission. Use responsibly.

Network performance: Scanning at high rates can saturate network links, affecting production traffic. Always coordinate with network teams.

Limitations and Caveats

Accuracy: Because Masscan and ZMap do not wait for responses, they may miss open ports if responses are delayed or lost. False negatives are more common than false positives.

State tracking: Masscan maintains some state using a bitmap, but it can be overwhelmed at very high rates, leading to missed responses.

Single port focus: ZMap is optimized for scanning one port at a time. For multiple ports, you need to run multiple scans.

Privileges: Both require root due to raw socket access.

Legal issues: Scanning without permission is illegal in many jurisdictions. Always have written authorization.

Exam Relevance

On the PT0-002 exam, you should know:

Masscan and ZMap are used for fast scanning of large IP ranges.

They use asynchronous, stateless scanning.

Masscan supports multiple ports and banner grabbing; ZMap is typically for single-port scans.

Default rates: Masscan 1000 pps, ZMap 10,000 pps.

They are not substitutes for Nmap's detailed service detection.

Common exam scenario: You need to quickly identify all hosts with open port 22 in a /8 network. Use ZMap.

Trap Patterns

Wrong answer: "Masscan and ZMap are replacements for Nmap." Reality: They complement Nmap; Nmap is used for deep scans after fast identification.

Wrong answer: "Masscan always scans the entire internet." Reality: It can scan any range, specified by CIDR or file.

Wrong answer: "ZMap can scan all 65535 ports in one run." Reality: ZMap is designed for one port at a time; use Masscan for multi-port scans.

Walk-Through

1. Define Scan Target and Rate

First, determine the IP range and ports to scan. For large ranges like 0.0.0.0/0 (the entire IPv4 space), choose a rate that does not saturate your network link. For example, a 1 Gbps link can handle roughly 1.5 million pps for 64-byte packets. Use `--rate` in Masscan or `--rate`/`--bandwidth` in ZMap. Start with a conservative rate like 100,000 pps and increase gradually. On the exam, you might be asked to calculate the time to scan a /8 network at a given rate. For example, a /8 has 16,777,216 addresses. At 100,000 pps, scanning one port takes about 168 seconds (16.7M / 100k).

2. Configure Probe and Output

For Masscan, specify ports with `-p` and enable banner grabbing with `--banners` if needed. For ZMap, set `--target-port` and choose a probe module (`tcp_syn` is the default). Output format: Masscan supports `-oJ` for JSON and `-oX` for XML; ZMap uses `-o` followed by an output file name (e.g., results.csv). Use `--output-filter` in ZMap to filter results (e.g., only successful responses). On the exam, know that ZMap's default output is a CSV with IP, port, and timestamp. Masscan's default is a list format.

3. Execute Scan with Proper Privileges

Both tools require root or sudo. Run: `sudo masscan ...` or `sudo zmap ...`. Ensure the network interface is correct; Masscan auto-detects, but you can override with `--adapter-ip`. ZMap uses `--interface`. On systems with multiple NICs, specify the correct one to avoid sending packets out the wrong interface. The exam may test that these tools need raw socket access (root).

4. Monitor Progress and Adjust Rate

During the scan, monitor packet loss and system load. For Masscan, use `--status` to print progress; ZMap prints a progress line to stderr. If packet loss is high (e.g., above 1%), reduce the rate. Use `tcpdump` to verify that packets are actually being sent. On the exam, you might be asked why a scan is slow: the answer could be rate limiting, network congestion, or a firewall dropping packets.

5. Analyze Results and Validate

After the scan completes, analyze the output. Masscan results include IP, port, and timestamp; ZMap includes IP and timestamp. Use tools like `awk`, `sort`, or import into a database. Validate a sample of open ports with Nmap to confirm. On the exam, remember that Masscan and ZMap can produce false negatives; always verify critical findings with a more reliable scanner like Nmap.
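The rate and time-budget arithmetic from step 1, worked through as an added example (not from the chapter or either tool). It assumes standard Ethernet framing overhead, which is what turns a 1 Gbps link into the "roughly 1.5 million pps" figure quoted above:

```python
"""
Added example (not from the chapter or either tool): the arithmetic behind
Walk-Through step 1. Converts a link speed into the packet rate it can carry,
estimates how long a stateless pass over a CIDR range takes at a given rate,
and derives a rate that leaves headroom for production traffic.
"""
import ipaddress

# Assumption: standard Ethernet. Besides the frame itself, each packet costs a
# 7-byte preamble, 1-byte start delimiter and 12-byte inter-frame gap, so a
# 64-byte minimum frame (a bare TCP SYN) occupies 84 bytes of wire time.
ETHERNET_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64


def link_pps_capacity(link_bps, frame_bytes=MIN_FRAME_BYTES):
    """Maximum packets per second a link sustains for a given frame size."""
    return link_bps / ((frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8)


def probe_count(cidr, ports, retries=0):
    """SYN probes for one pass: every address in the range times every port,
    plus any retransmissions (Masscan --retries)."""
    hosts = ipaddress.ip_network(cidr, strict=False).num_addresses
    return hosts * len(ports) * (1 + retries)


def scan_seconds(cidr, ports, rate_pps, retries=0):
    """Time for the send phase of a stateless scan (responses arrive in parallel)."""
    return probe_count(cidr, ports, retries) / rate_pps


def rate_for_deadline(cidr, ports, seconds, link_bps, headroom=0.5):
    """Rate needed to finish in `seconds`, or None when it would exceed the share
    of the link left after reserving `headroom` for other traffic."""
    needed = probe_count(cidr, ports) / seconds
    budget = link_pps_capacity(link_bps) * (1 - headroom)
    return int(needed) if needed <= budget else None


if __name__ == "__main__":
    print(f"1 Gbps, 64-byte frames: {link_pps_capacity(1e9):,.0f} pps")
    print(f"/8, one port at 100k pps: {scan_seconds('10.0.0.0/8', [22], 100_000):.0f} s")
    print(f"/8, one port at 1M pps:   {scan_seconds('10.0.0.0/8', [22], 1_000_000):.0f} s")
    print("rate to finish a /16 x 3 ports in 60 s on 1 Gbps:",
          rate_for_deadline('10.0.0.0/16', [22, 443, 8080], 60, 1e9))
```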

What This Looks Like on the Job

Enterprise Scenario 1: Internet-Wide Vulnerability Assessment

A security research firm is contracted to find all publicly accessible SSH servers (port 22) in a large ISP's /8 network. Using Nmap would take weeks. Instead, they deploy ZMap on a dedicated server with a 10 Gbps link. They configure ZMap with --target-port=22 --rate=1000000 --output-file=ssh_servers.csv. The scan completes in about 17 seconds. They then feed the list of responsive IPs into Nmap for version detection and vulnerability scanning. The key consideration is network capacity: at 1 million pps, the link is nearly saturated, so they coordinate with the ISP to ensure no SLA violations. A common misconfiguration is forgetting to set --rate, causing the default 10,000 pps which is too slow for such a large range. Another issue is that ZMap may miss hosts behind stateful firewalls that rate-limit SYN-ACK responses; the firm compensates by running the scan multiple times with different seeds.

Enterprise Scenario 2: Internal Network Reconnaissance

A penetration tester is assessing a large enterprise with multiple /16 subnets. They need to quickly identify live hosts and open ports across the entire internal range. They use Masscan with --range 10.0.0.0/8 -p80,443,22,3389 --rate=50000 --output-format json -o internal_scan.json. The scan runs in a few minutes. The output is imported into a SIEM for correlation. A common mistake is scanning at too high a rate, causing network switches to drop packets or triggering IDS alerts. The tester sets the rate to 50,000 pps to avoid disruption. They also use --adapter-ip to send from a specific source IP that is whitelisted by the firewall. Another pitfall is that Masscan's banner grabbing (--banners) requires completing the TCP handshake, which slows down the scan significantly; they only enable it on a subset of targets.

Scenario 3: Cloud Security Audit

A cloud security team needs to verify that no unintended services are exposed on the internet from their AWS VPC. They have a list of Elastic IPs (e.g., 100 IPs). They use Masscan to scan all 65535 ports on those IPs: masscan --range 1.2.3.0/24 -p1-65535 --rate=10000. However, AWS throttles traffic above a certain rate; they must stay within AWS limits (e.g., 10 Gbps per instance). They also ensure they have permission from the customer. A common error is scanning the entire internet instead of just the allocated IPs, which could get the team banned from AWS. They use a specific IP range file. Additionally, they use --exclude to avoid scanning IPs owned by other customers.

How PT0-002 Actually Tests This

Exactly What PT0-002 Tests on This Topic

This topic falls under Objective 2.2: "Given a scenario, conduct scanning and enumeration activities." The exam expects you to:

Choose the appropriate tool for fast scanning of large IP ranges.

Understand the differences between Masscan and ZMap.

Know the default rates: Masscan default 1000 pps, ZMap default 10,000 pps.

Recognize that both tools are stateless and asynchronous.

Identify scenarios where false negatives are likely (e.g., high packet loss, firewalls).

Understand that Masscan supports multiple ports and banner grabbing, while ZMap is single-port.

Common Wrong Answers and Why Candidates Choose Them

1. "Masscan is slower than Nmap for small ranges." – This is false because Masscan's overhead for setting up raw sockets makes it slower for small scans (fewer than 1,000 IPs). Candidates think "fast tool = always fast," but Nmap is more efficient for small scans.

2. "ZMap can scan all 65535 ports in one pass." – ZMap is designed for one port at a time. Candidates confuse it with Masscan, which supports multiple ports.

3. "Both tools maintain per-connection state." – They are stateless. Candidates assume they work like Nmap.

4. "Masscan uses TCP connect scan by default." – Masscan uses SYN scan by default. Candidates think of Nmap's default.

5. "ZMap requires a seed for randomization." – The seed is optional; if not provided, ZMap uses a random seed. Candidates think it's mandatory.

Specific Numbers, Values, and Terms on the Exam

Masscan default rate: 1000 packets per second.

ZMap default rate: 10,000 packets per second.

ZMap can scan the entire IPv4 address space on one port in under 45 minutes at 10,000 pps.

Masscan claims up to 25 million pps on 10 Gbps hardware.

Both require root privileges.

Masscan output formats: binary, grepable, xml, json, list.

ZMap probe modules: tcp_syn, icmp_echo, upnp, etc.

Edge Cases and Exceptions

Stateful firewalls: They may drop SYN-ACK responses if they didn't see the SYN. This leads to false negatives. The exam may ask why a host is not detected.

Rate limiting on source: If the source machine cannot handle the send rate, packets are dropped. This reduces scan speed.

Network congestion: High scan rates can cause packet loss for other traffic. The exam may ask about ethical considerations.

Masscan's `--banners` option: It completes the TCP handshake, making it slower and stateful. The exam might contrast this with stateless SYN scan.

How to Eliminate Wrong Answers

If the question involves scanning the entire internet or a /8 network, eliminate Nmap and choose Masscan or ZMap.

If scanning multiple ports, eliminate ZMap (single-port) and choose Masscan.

If the question mentions banner grabbing, Masscan supports it; ZMap does not by default.

If the question mentions speed in millions of pps, Masscan is the answer.

If the question mentions a default rate of 10,000 pps, it's ZMap.

If the question mentions stateless scanning, both tools apply, but ZMap is more stateless than Masscan (which uses a bitmap).

Key Takeaways

Masscan and ZMap are asynchronous, stateless scanners for large IP ranges.

Masscan default rate: 1000 pps; ZMap default rate: 10,000 pps.

Masscan supports multiple ports and banner grabbing; ZMap is single-port.

Both require root privileges for raw socket access.

False negatives are more common than false positives due to stateless nature.

Use Nmap for detailed service detection after fast scanning.

Always have written authorization before scanning.

High scan rates can saturate network links; coordinate with network teams.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Masscan

Supports scanning multiple ports in one command

Supports banner grabbing (TCP connect)

Default rate: 1000 pps

Uses a bitmap to track responses (some state)

Can output in JSON, XML, binary, etc.

ZMap

Optimized for single-port scans

No built-in banner grabbing

Default rate: 10,000 pps

Completely stateless; no response tracking

Outputs CSV by default

Watch Out for These

Mistake: Masscan and ZMap are interchangeable with Nmap.

Correct: They are designed for high-speed scanning of large IP ranges and lack Nmap's detailed service detection, OS fingerprinting, and scripting engine. Nmap is used for in-depth analysis after fast scans.

Mistake: Masscan always scans the entire internet by default.

Correct: Masscan requires an explicit target range. If no range is given, it defaults to scanning the local subnet, not the entire internet.

Mistake: ZMap can scan all 65535 ports in a single run.

Correct: ZMap is designed for one port at a time. To scan multiple ports, you must run multiple instances or use Masscan.

Mistake: Higher scan rates always yield faster results.

Correct: If the network or source machine cannot handle the rate, packets are dropped, leading to incomplete results and false negatives. The optimal rate depends on available bandwidth and system capabilities.

Mistake: Masscan and ZMap are immune to detection by IDS/IPS.

Correct: While randomized scanning helps evade simple signature-based detection, the high packet volume itself can trigger anomaly-based detection systems.


Frequently Asked Questions

What is the difference between Masscan and ZMap?

Masscan supports scanning multiple ports in one command, offers banner grabbing, and uses a bitmap for some state tracking. ZMap is designed for single-port scans, is completely stateless, and has a higher default rate (10,000 pps vs Masscan's 1000 pps). Masscan is more flexible for port ranges, while ZMap is simpler and faster for one-port internet-wide scans.

How fast can Masscan scan the entire internet?

At its maximum claimed rate of 25 million pps on a 10 Gbps link, Masscan can scan the entire IPv4 address space on one port in about 1.7 seconds (4.3 billion addresses / 25 million pps). However, real-world speeds are limited by network capacity and system performance. At a more common rate of 1 million pps, it takes about 72 minutes.

Can Masscan and ZMap bypass firewalls?

They can send packets through firewalls if the firewall allows outbound traffic, but responses may be blocked. Stateful firewalls that track TCP handshakes may drop SYN-ACK packets if they did not see the original SYN, causing false negatives. Using a stateless scan (SYN) can help, but results are not guaranteed.

What is the default port for ZMap?

ZMap does not have a default target port; you must specify it with `--target-port`. If omitted, ZMap will error out. Common ports scanned include 80, 443, 22, and 8080.

How do I install Masscan and ZMap?

On Debian/Ubuntu: `sudo apt install masscan zmap`. On Red Hat/CentOS: `sudo yum install masscan zmap` (may require EPEL). Alternatively, compile from source from GitHub: https://github.com/robertdavidgraham/masscan and https://github.com/zmap/zmap.

Why did my Masscan scan return no results?

Possible reasons: (1) Wrong target range or port, (2) Firewall blocking responses, (3) Rate too high causing packet loss, (4) No root privileges, (5) Network interface not specified correctly. Use `tcpdump` to verify packets are being sent and responses are received.

Can I use Masscan to scan UDP ports?

Yes, Masscan supports UDP scanning with the `-sU` flag (similar to Nmap). However, UDP scanning is less reliable because there is no handshake; responses depend on the service. ZMap also has an ICMP echo probe module but does not natively support UDP port scanning.

