XMap: The Internet Scanner

Abstract

XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.

XMap is reimplemented and improved thoroughly from ZMap and is fully compatible with ZMap, armed with the “5 minutes” probing speed and novel scanning techniques. XMap is capable of scanning the 32-bits address space in under 45 minutes. With a 10 gigE connection and PF_RING, XMap can scan the 32-bits address space in under 5 minutes. Moreover, leveraging the novel IPv6 scanning approach, XMap can discover the IPv6 Network Periphery fast. Furthermore, XMap can scan the network space randomly with any length and at any position, such as 2001:db8::/32-64 and 192.168.0.1/16-20. Besides, XMap can probe multiple ports simultaneously.

XMap operates on GNU/Linux, Mac OS, and BSD. XMap currently has implemented probe modules for ICMP Echo scans, TCP SYN scans, UDP probes, and DNS scans (stateless, stateful, or address-spoofing).

With banner grab and TLS handshake tool, ZGrab2, more involved scans could be performed.

Installation

The latest stable release of XMap is version 1.1.2 and supports Linux, macOS, and BSD. We recommend installing XMap from HEAD rather than using a distro package manager (not supported yet).

Instructions on building XMap from source can be found in INSTALL.

Usage

A guide to using XMap can be found in our GitHub Wiki.

Simple commands and options to using XMap can be found in USAGE.

Check how to use DNS probing modules in Issue #11.

Watch the description video at Pentester Academy TV.

Paper

• [DSN ‘21] Xiang Li, Baojun Liu, Xiaofeng Zheng, Haixin Duan, Qi Li, Youjun Huang. Fast IPv6 Network Periphery Discovery and Security Implications. In Proceedings of the 2021 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN ‘21). Taipei, Taiwan, June 21-24, 2021 (Virtually). [PDF] [Slides] [Video].

  (Acceptance rate: 48/279=17.2%).

• [NDSS ‘23] Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li. Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation. In Proceedings of the 30th Annual Network and Distributed System Security Symposium (NDSS ‘23). San Diego, California, 27 February – 3 March, 2023. [PDF] [Slides] [Video]

  (Acceptance rate: 101/581=17.4%, Acceptance rate in summer: 36/183=19.7%), Acceptance rate in fall: 65/398=16.3%)

  • Presented in OARC 39
  • Presented in ICANN DNS Symposium 2022
  • Presented in Black Hat Asia 2023

• [USENIX Security ‘23] Xiang Li, Chaoyi Lu, Baojun Liu, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li. The Maginot Line: Attacking the Boundary of DNS Caching Protection. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security ‘23). Anaheim, California, August 9–11, 2023. [PDF] [Slides] [Video]

  (Acceptance rate: ??%, Acceptance rate in summer: 82/402=20.4%, Acceptance rate in fall: 89/569=15.6%), Acceptance rate in winter: ??%)