XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.

Overview

XMap: The Internet Scanner

XMap is a thorough reimplementation and improvement of ZMap and is fully compatible with it, offering the "5 minutes" probing speed along with novel scanning techniques. XMap can scan the 32-bit address space in under 45 minutes. With a 10 gigE connection and PF_RING, XMap can scan the 32-bit address space in under 5 minutes. Leveraging its novel IPv6 scanning approach, XMap can also quickly discover the IPv6 network periphery. XMap can scan the network space randomly with any length and at any position, such as 2001:db8::/32-64 and 192.168.0.1/16-20, and it can probe multiple ports simultaneously.

XMap operates on GNU/Linux, Mac OS, and BSD. XMap currently implements probe modules for ICMP Echo scans, TCP SYN scans, and UDP probes.

With the banner-grab and TLS-handshake tool ZGrab2, more involved scans can be performed.

Installation

The latest stable release of XMap is version 1.0.0 and supports Linux, macOS, and BSD. We recommend installing XMap from HEAD rather than using a distro package manager (not supported yet).

Instructions on building XMap from source can be found in INSTALL.

Usage

A guide to using XMap can be found in our GitHub Wiki.

Simple commands and options for using XMap can be found in USAGE.

Paper

Fast IPv6 Network Periphery Discovery and Security Implications.

Abstract. Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bits address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now.

To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery’s packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP’s and home routers with an amplification factor of >200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Authors. Xiang Li, Baojun Liu, Xiaofeng Zheng, Haixin Duan, Qi Li, Youjun Huang.

Conference. Proceedings of the 2021 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN '21)

Paper. [PDF], [Slides] and [Video].

CNVD/CVE. [Lists].

License and Copyright

XMap Copyright 2021 Xiang Li from Network and Information Security Lab Tsinghua University

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See LICENSE for the specific language governing permissions and limitations under the License.

Comments
  • Non point-point IPv6 scanner

    I started an xmap instance on an Azure virtual machine. Azure only provides IPv6 balance, not a point-to-point (/128) public address, middle-ware convert. It can ping IPv6 addresses correctly and can be accessed via its IPv6 address, but xmap does not work. I tried to capture network packets when scanning. The sniffer shows packets sent but no response (like www.sdu.edu.cn and www.sdwu.edu.cn, the two alive hosts I do promise I can correctly ping, but xmap cannot detect them as up). Alternatively, with another provider, Ubuntu20 installed, with p2p IPv6, I got a public IPv6 address via ifconfig->eth0, but ./xmap outputs:

    Jan 08 08:17:48.907 [ERROR] get_gateway-linux: interface specified (eth0) does not match the interface of the default gateway (). You will need to manually specify the MAC address of your gateway.
    Jan 08 08:17:48.907 [FATAL] xmap: could not detect default gateway address for eth0. Try setting default gateway mac address (-G).

    arp -a no record, curious.

    opened by demingry 3
  • multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here

    I followed all the steps in the INSTALL.md file but am getting this error on make:

    [100%] Linking C executable xmap
    /usr/bin/ld: CMakeFiles/xmap.dir/summary.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/xmap.c.o:(.bss+0x30): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/iid_modules.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/module_full.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/module_low.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/module_low_fill.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/module_rand.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/module_set.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    /usr/bin/ld: CMakeFiles/xmap.dir/iid_modules/module_zero.c.o:(.bss+0x0): multiple definition of `IID'; CMakeFiles/xmap.dir/send.c.o:(.bss+0x0): first defined here
    collect2: error: ld returned 1 exit status
    make[2]: *** [src/CMakeFiles/xmap.dir/build.make:814: src/xmap] Errore 1
    make[1]: *** [CMakeFiles/Makefile2:172: src/CMakeFiles/xmap.dir/all] Errore 2
    make: *** [Makefile:156: all] Errore 2

    trying on a vm with ubuntu 20.04 and installed all the deps, any ideas ? thanks

    opened by johnjohnsp1 2
  • Installation on centos 8

    When I run this cmd on centos 8, something is missing:

    sudo yum install -y cmake gmp-devel gengetopt libpcap-devel flex byacc json-c-devel libunistring-devel

    error:

    No match for argument: libpcap-devel
    No match for argument: libunistring-devel
    Error: Unable to find a match: libpcap-devel libunistring-devel

    solution:

    sudo yum -y install cmake gmp-devel gengetopt flex byacc json-c-devel
    sudo dnf --enablerepo=powertools -y install libpcap-devel libunistring-devel

    When I build the files, there is an error:

    cmake .
    cmake: symbol lookup error: cmake: undefined symbol: archive_write_add_filter_zstd

    try this:

    sudo yum install -y libarchive
    cmake .

    opened by idealeer 0
  • DNS Probing Module

    Help

    Type xmap -4 -h -M dnsx -O json to show the help information.

    This module sends out DNS queries and parses basic responses. By default, the module performs an A record lookup for www.qq.com. You can specify other queries using the --probe-args argument in the form: label_type:input_src:type,query;type,query, e.g., raw:text:A,qq.com;NS,qq.com. The module supports sending the the following types of queries: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC. The module will accept and attempt to parse all DNS responses. There is currently support for parsing out full data from A, NS, CNAME, MX, TXT, and AAAA. Any other types will be output in raw form.

    Query format: label_type:recurse:input_src:type,query;type,query

    label_type: raw, str, time, random, dst-ip
      raw: do nothing to the query domain, e.g., qq.com
      str: add the 'str' subdomain www, e.g., www.qq.com
      time: add the s+μs subdomain, e.g., 1620027515-568043.qq.com
      random: add random subdomain lefzwnrq, e.g., lefzwnrq.qq.com
      dst-ip: add probe num + src ip, e.g., 1.1-2-3-4.qq.com
    recurse: recurse, no-recurse
      recurse: recursive query
      no-recurse: non-recursive query
    input_src: text, file
      text: like A,qq.com;AAAA,qq.com
      file: each line is like a text
    type: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC
    query: A,qq.com;AAAA,qq.com

    Examples:
      --probe-args="raw/time/random:recurse/no-recurse:text:type,query"
      --probe-args="raw/time/random:recurse/no-recurse:file:file_name"
      --probe-args="str:SomeText:recurse/no-recurse:text:type,query"
      --probe-args="str:SomeText:recurse/no-recurse:file:file_name"
      --probe-args="dst-ip:recurse/no-recurse:text:type,query"
      --probe-args="dst-ip:recurse/no-recurse:file:file_name"

    Usage Examples

    1. Query qq.com A targeting 8.8.8.8:

    xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 1 --probe-args="raw:recurse:text:A,qq.com" -R 1000 -o result.txt 8.8.8.8

    2. Query qq.com A and baidu.com NS targeting 8.8.8.8:

    xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 2 --probe-args="raw:recurse:text:A,qq.com;NS,baidu.com" -R 1000 -o result.txt 8.8.8.8

    3. Query each domain from a domain.txt targeting all IPs from a ip.txt:

    xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P domain_number --probe-args="raw:recurse:file:domain.txt" -R 1000 -o result.txt -I ip.txt

    Note: Each line in domain.txt is in the form like A,qq.com and -P domain_number = the number of domains.

    opened by idealeer 0
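
The `--probe-args` format and the `-P` rule from the DNS module notes above, as an added example (not XMap's own code): a small pre-flight check that validates the query list and derives `-P` from it, so the probe count cannot drift from the number of queries. The function names are hypothetical, and treating every non-empty line of the query file as one or more `type,query` items is an assumption.

```python
import shlex

# Values listed in the dnsx help text on this page.
QUERY_TYPES = {"A", "NS", "CNAME", "SOA", "PTR", "MX", "TXT", "AAAA", "RRSIG",
               "ANY", "SIG", "SRV", "DS", "DNSKEY", "TLSA", "SVCB", "HTTPS",
               "CAA", "HTTPSSVC"}
LABEL_TYPES = {"raw", "str", "time", "random", "dst-ip"}


def parse_queries(text):
    """Validate 'type,query;type,query' and return (type, name) pairs."""
    pairs = []
    for item in text.strip().split(";"):
        qtype, sep, name = item.strip().partition(",")
        if not sep or not name.strip():
            raise ValueError(f"expected 'type,query', got {item!r}")
        if qtype not in QUERY_TYPES:
            raise ValueError(f"unsupported query type {qtype!r}")
        pairs.append((qtype, name.strip()))
    return pairs


def probe_args(label, recurse, queries=None, file_name=None, file_lines=(),
               str_text=None):
    """Return (value for --probe-args, probe count for -P)."""
    if label not in LABEL_TYPES:
        raise ValueError(f"unknown label_type {label!r}")
    if recurse not in ("recurse", "no-recurse"):
        raise ValueError(f"unknown recurse flag {recurse!r}")
    if label == "str":
        if not str_text:
            raise ValueError("label_type 'str' needs the subdomain text")
        label = f"str:{str_text}"
    if file_name is not None:
        # Assumption: each non-empty line of the file is 'type,query' items.
        count = sum(len(parse_queries(ln)) for ln in file_lines if ln.strip())
        return f"{label}:{recurse}:file:{file_name}", count
    pairs = parse_queries(queries or "")
    text = ";".join(f"{t},{n}" for t, n in pairs)
    return f"{label}:{recurse}:text:{text}", len(pairs)


def dnsx_argv(targets, args, count, rate=1000, out="result.txt"):
    """Assemble the same command line as the usage examples on this page."""
    return ["xmap", "-4", "-x", "32", "-p", "53", "-M", "dnsx", "-O", "json",
            "--output-fields=*",
            "--output-filter=success = 1 || success = 0",
            "-P", str(count), f"--probe-args={args}",
            "-R", str(rate), "-o", out, *targets]


if __name__ == "__main__":
    # Constructed sample mirroring the second usage example above.
    args, n = probe_args("raw", "recurse", queries="A,qq.com;NS,baidu.com")
    print(shlex.join(dnsx_argv(["8.8.8.8"], args, n)))
```

For the file-based form, pass `file_name="domain.txt"`, the file's lines as `file_lines`, and `["-I", "ip.txt"]` as `targets`.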
  • Show probe modules

    Show probe modules:

    $ ./src/xmap --list-probe-modules
    Probe-modules (IPv6): udp tcp_syn icmp_echo icmp_echo_gw icmp_echo_tmxd
    Probe-modules (IPv4): udp tcp_syn icmp_echo

    List help information of any module:

    $ ./src/xmap -6 -h -M icmp_echo_gw
    Probe-module (IPv6 icmp_echo_gw) Help:
    Probe module that sends ICMPv6 echo requests to hosts for discovering gateway.
    And the following argus should be set:
        --iid-module=low_fill
    Payload of ICMPv6 packets will consist of 8 bytes zero unless you customize it with:
        --probe-args=file:/path_to_payload_file
        --probe-args=text:SomeText
        --probe-args=hex:5061796c6f6164
        --probe-args=icmp-type-code-str

    $ ./src/xmap -6 -h -M icmp_echo_tmxd
    Probe-module (IPv6 icmp_echo_tmxd) Help:
    Probe module that sends ICMPv6 echo requests to hosts for discovering routers with routing loop.
    And the following argus should be set:
        --iid-module=rand
        --iid-num=2
        --probe-ttl=64 (max)
        --probes=2 (2 packets with ttl=64,63)
        (`repeat' key: <IPv6, ICMPv6-type>)
    Payload of ICMPv6 packets will consist of 8 bytes zero unless you customize it with:
        --probe-args=file:/path_to_payload_file
        --probe-args=text:SomeText
        --probe-args=hex:5061796c6f6164
        --probe-args=icmp-type-code-str

    opened by idealeer 1
  • Segmentation fault

    Describe the bug

    Once I run a simple command, there is a Segmentation fault error.

    To Reproduce

    Run the following command:

    xmap -4 8.8.8.8
    

    Error shows: Segmentation fault.

    opened by idealeer 3
Releases(1.1.2)
Owner
idealeer
Security
idealeer