Skip to content
Zixuan Xie edited this page Mar 1, 2025 · 13 revisions

Welcome to the xmap wiki!

XMap: A Fast IPv6 & IPv4 Network Scanner

XMap is a fast network scanner designed for performing Internet-wide IPv6 and IPv4 network research scanning. It is a reimplementation and improvement of ZMap, offering full compatibility with ZMap while introducing novel scanning techniques and enhanced performance. XMap is capable of scanning the 32-bit IPv4 address space in under 45 minutes, and with a 10 gigE connection and PF_RING, it can achieve this in under 5 minutes. Additionally, XMap introduces a novel approach to IPv6 scanning, enabling rapid discovery of IPv6 network peripheries.

If you're new to XMap or want a follow-along guide, check out the Getting Started Guide.

By default, XMap will perform an ICMP Echo scan on the specified IPv6 or IPv4 address space at the maximum rate possible. A more conservative configuration that will scan 10,000 random addresses on port 80 at a maximum 10 Mbps can be run as follows:

$ xmap --bandwidth=10M --target-port=80 --max-target=10000 --output-file=results.csv

Or more concisely:

$ xmap -B 10M -p 80 -n 10000 -o results.csv

By default, XMap will scan the entire IPv6 address space (::/0) or the entire IPv4 address space (0.0.0.0/0). However, XMap can also scan specific subnets or CIDR blocks. For example, to scan only 2001:db8::/32 and 192.168.0.0/16 on TCP/80, you would run:

$ xmap -p 80 2001:db8::/32 192.168.0.0/16

In addition, XMap can be used to scan multiple ports or ranges of ports. For example,

$ xmap -p 80,443,445-447,500-502

If the scan started successfully, XMap will output real-time status updates: 0% (1h51m left); send: 28777 562 Kp/s (560 Kp/s avg); recv: 1192 248 p/s (231 p/s avg); hits: 0.04%

0% (1h51m left); send: 34320 554 Kp/s (559 Kp/s avg); recv: 1442 249 p/s (234 p/s avg); hits: 0.04%
0% (1h50m left); send: 39676 535 Kp/s (555 Kp/s avg); recv: 1663 220 p/s (232 p/s avg); hits: 0.04%
0% (1h50m left); send: 45372 570 Kp/s (557 Kp/s avg); recv: 1890 226 p/s (232 p/s avg); hits: 0.04%

These updates provide information about the current state of the scan and are of the following form:

%-complete (est time remaining); packets-sent curr-send-rate (avg-send-rate); recv: packets-recv recv-rate (avg-recv-rate); hits: hit-rate

⚠️ Warning! If you do not know the scan rate that your network can support, you should experiment with different scan rates or bandwidth limits to find the fastest rate that your network can support before you see decreased results.

By default, XMap will output the list of distinct IP addresses that responded successfully (e.g., with an ICMP Echo Reply or TCP SYN ACK packet) similar to the following. There are several additional formats (e.g., CSV and JSON) for outputting results. Additional output fields can be specified, and the results can be filtered using an output filter. [more information]

2001:db8::1
192.168.0.1
2001:db8::2
192.168.0.2
2001:db8::3

We strongly encourage you to use a blacklist file to exclude both reserved/unallocated IP space (e.g., multicast, RFC 1918), as well as networks that request to be excluded from your scans. By default, XMap will utilize a simple blacklist file containing reserved and unallocated addresses located at /etc/xmap/blocklist.conf. [more information]

If you find yourself specifying certain settings, such as your maximum bandwidth or blacklist file every time you run XMap, you can specify these in /etc/xmap/xmap.conf or use a custom configuration file.

If you are attempting to troubleshoot scan-related issues, there are several options to help debug. First, it is possible to perform a dry run scan to see the packets that would be sent over the network by adding the --dryrun flag. Additionally, you can change the logging verbosity by setting the --verbosity=n flag.

Probe Modules

XMap currently supports the following probe modules:

  • ICMP Echo: Default module for ICMP Echo Request scans.
  • TCP SYN: For TCP SYN scans.
  • UDP: For UDP-based scans.
  • DNS: For stateless, stateful, or address-spoofing DNS scans.

To list all available probe modules, use the --list-probe-modules flag.

Output Modules

XMap supports multiple output formats, including CSV and JSON. To list all available output modules, use the --list-output-modules flag.

Examples

Basic IPv6 Scan

$ xmap
Scan the entire IPv6 address space (`::/0`) using ICMP Echo and output to stdout.

Basic IPv4 Scan

$ xmap -4
Scan the entire IPv4 address space (`0.0.0.0/0`) using ICMP Echo and output to stdout.

Targeted Scan with Bandwidth Limit

$ xmap -N 5 -B 10M
Find 5 alive IPv6 hosts, scanning at 10 Mb/s.

Subnet Scan

$ xmap 2001::/8 2002::/16
Scan both subnets for `2001::/8-32` and `2002::/16-32` space.

Random IID Scan

$ xmap -x 64 2001::/32 -U rand
Scan `2001::/32-64` with random IID, e.g., `2001::1783:ab42:9247:cb38`.

TCP SYN Scan with Multiple Ports

$ xmap -M tcp_syn -p 80,443,8080-8081
Scan the entire IPv6 address space (`::/0`) for ports 80, 443, 8080, and 8081 using TCP SYN.

For more detailed usage and advanced options, refer to the XMap Documentation.

Clone this wiki locally