Mastering Internet Scanning: How to Use ZMap and Censys for Ethical Hacking — Part 1

If you’ve ever wanted to scan the entire internet but stopped short because ‘ending up on a watchlist’ wasn’t part of the plan, this guide is for you. In the world of cybersecurity researchers and ethical hackers, tools like ZMap and Censys are your bread and butter. These two powerhouses offer different flavors of network scanning:

• ZMap: Think of it as the Ferrari of network scanners insanely fast, loud, and bound to turn heads (sometimes from people you don’t want attention from). It’s the perfect choice for active scanning and global IPv4 scan.

• Censys: On the quieter side, Censys is like the internet’s nosy neighbor it’s already looked through everyone’s windows so you don’t have to, making it great for passive scanning.

Whether you prefer the thrill of active scanning or just want to browse pre-scanned data without stirring the pot, this guide will show you how to use both tools effectively.

I. ZMap — The “Fast and Furious” of Network Scanning

To get started with ZMap, follow the steps below to install it on your Ubuntu system.

For MacOS run the command :

1. Running ZMap for Global Internet Scan:

Use the following command to scan the entire IPv4 address space (be mindful of network policies and legal considerations when doing this):

2. Running ZMap for a Specific CIDR Range:

If you want to limit the scan to a particular subnet or range, use:

Of course, why stop there? Security pros and creative hackers often spice things up by chaining ZMap with other tools like httprobe, fff, and hakcheckurl — because one tool isn’t enough when you’re on a mission to find the last unsecured toaster on the internet.

And for those feeling particularly ambitious, they can throw nuclei into the mix to automate scanning the entire planet.

Example: Poking Around Apple’s CIDR Range:

Let’s take Apple’s CIDR block 17.248.231.0/24 — not because we’re nosy, but because it’s fun to see what’s exposed. This range is associated with Apple and can be cross-checked via:
https://whois.ipip.net/AS714

A bug bounty hunter fueled by caffeine might collect all IPs from this range, pipe them through httprobe to identify live hosts, and use fff to scrape every response:

In this example, port 80 is used — since it’s the default HTTP port — to keep things simple. However, attackers can scan other ports too, depending on what services or vulnerabilities they are aiming to uncover.

If the goal is to see only live IPs along with their status codes, this can be done seamlessly with the following command:

This approach ensures that only active endpoints with status codes are captured — because if a server is live, it better respond properly.

Conclusion:
This concludes the first part of our guide on mastering internet scanning. We’ve explored how ZMap can be your go-to tool for rapid, efficient network scanning, whether you’re scouring the global IPv4 address space or focusing on specific subnets. By chaining ZMap with other tools like httprobe, fff, and hakcheckurl, you can streamline the process of identifying live hosts and uncovering potentially vulnerable endpoints.

In the next part of this guide, we will dive into Censys, the quieter counterpart to ZMap, and explore how to leverage its powerful data for passive scanning. Stay tuned to learn how to effectively combine these tools and take your network reconnaissance to the next level without attracting unnecessary attention.