Creating Quick Mass Scanning Tool with Python and ZMap

March 1, 2018 | Views: 6732

Creating a quick mass scanning tool with Python and ZMap, adding a web panel in PHP with a MySQL database, and hiding it behind Proxychains.

Our main aim is to quickly run a port scan against a wide range of services, store the results, and easily access them through some kind of web interface. Because scanning activity is illegal, we can try to hide our scanner behind proxies or Tor.

Important notice: Scanning without the agreement of the technical owner of the targeted system is illegal, and I recommend not using these tools for such activities; instead, run scans of your own local network assets.

Technical requirements:

          Python 2.7

          PHP 5.x

          Debian 7 or 8

          ZMap scanner

          Proxychains package

First of all, let’s prepare the instance from which we are going to run the scans (in our example we are going to work with Debian).

After the installation process, run the following commands:

$ sudo apt-get update -y

$ sudo apt-get upgrade -y

$ sudo apt-get install mysql-server php5 python2.7 proxychains tor

Then we need to download the Python script:

This article and the “Spidy” tool were provided by Uladzislau Murashka, Security Engineer.

Thanks for reading.

$ wget && unzip

In the next step you will need to create a MySQL database and user, then provide the credentials to the script “” on lines 19-22 and in the web panel’s “db.php” file.

After the credentials have been provided, let’s initialize our database with everything it requires:

$ chmod +x

$ ./ db_init

Now all required tables have been created and the database is ready for work.

Next, let’s get ZMap from the official web page, or try to install it through apt-get install.

ZMap on GitHub:

If you run into any problems during the installation of ZMap, you can try to get some information here:

To start scanning anything we need a list of targets. Of course it is better to work with an internal environment, but the spidy script can also grab IP addresses by country code, for example:

$ ./ ip_list ca

After the command executes you will get the Canada pool of IP addresses. Alternatively, prepare your own IP list.

Then we can start our scan:
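A scope check for a self-prepared target list, as an added example (Python 3, not part of the original article or the Spidy tool): it keeps only the entries that fall inside ranges you are authorized to scan, in line with the notice above about scanning your own local network assets. The RFC 1918 ranges in `AUTHORIZED_SCOPE`, the function name and the sample list are assumptions made for illustration.

```python
import ipaddress

# Assumption: authorization covers only these internal (RFC 1918) ranges.
AUTHORIZED_SCOPE = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input in the one-entry-per-line shape of ip_list.txt.
SAMPLE = """\
# lab targets
192.168.1.0/24
10.20.30.40
203.0.113.10        # TEST-NET-3, not ours
10.0.0.0/7          # supernet that spills outside 10.0.0.0/8
172.16.5.300
"""

def filter_targets(lines, scope=AUTHORIZED_SCOPE):
    """Split target lines into (allowed, rejected) against the scope."""
    allowed, rejected = [], []
    for lineno, line in enumerate(lines, 1):
        text = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not text:
            continue
        try:
            # Default strict mode rejects CIDR blocks with host bits set.
            net = ipaddress.ip_network(text)
        except ValueError:
            rejected.append((lineno, text, "not an IP address or CIDR block"))
            continue
        # The whole block must sit inside one authorized range; a partial
        # overlap (for example a supernet) is rejected.
        if any(net.version == s.version and net.subnet_of(s) for s in scope):
            single = net.num_addresses == 1
            allowed.append(str(net.network_address) if single else str(net))
        else:
            rejected.append((lineno, text, "outside authorized scope"))
    return allowed, rejected

if __name__ == "__main__":
    ok, bad = filter_targets(SAMPLE.splitlines())
    print("\n".join(ok))
    for lineno, text, reason in bad:
        print("rejected line %d: %s (%s)" % (lineno, text, reason))
```

Write the allowed entries to a new file and hand only that file to the scanner; treat any rejected line as a reason to stop and review the list.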

$ ./ scan ip_list.txt 21

1.       scan – starts the scanning process

2.       ip_list.txt – our file with the list of IP addresses

3.       21 – the port we are looking for

While the scan is running, let’s deploy our navigation web panel:

1.       If you don’t have Apache, install it (apt-get install apache2)

2.       Move all files from /web_panel/ to the www directory

3.       Set up the Apache configuration file so that our panel is accessible

4.       Don’t forget to update the /web_panel/db.php file with the actual MySQL database credentials

The most popular attack vectors for such tools can be:

          Anonymous FTP (port 21)

          Open SMTP relays (port 25)

          Heartbleed-vulnerable systems (usually port 443)

          Databases without password protection that are open to the internet (MySQL 3306, MongoDB 27017, etc.)

In our example we are going to check for FTP and SSH.

After the scan is done and the database is filled with our scanning results, let’s check what is actually not protected properly:

$ ./ check ftp

This command runs the anonymous FTP access check against the hosts with port 21 open, taken from our scan results stored in the database. Let’s go to our web panel and see what appears:

On the main page you will be able to see the stats of the scanner:

1st column: How many unique hosts

2nd column: How many unique ports

3rd column: successful checks (access was gained)

4th column: last update date

We can also search through our database to see only the successful results:

Spidy can also export results by port if needed; just use:

$ ./ export 21 ftp.txt

This command tells the script to export the results for scanned systems with an open FTP port (21) and put them into the ftp.txt file.

Currently this script can run checks for anonymous FTP, simple SSH passwords, and open MongoDB databases without password protection.

This scanning script is very simple and you can add any kind of check of your own without any problem; see line 156 and below in the file.

If you would like to run this scan anonymously you can use proxychains:

$ proxychains ./ scan ip_list 21 (will anonymously scan the IP addresses from your list for port 21, FTP)

You can run the security checks the same way.

  1. To Anil: didn’t understand your question, but if you are talking about the current version of the application – I translated it into English.
    If you talk about Python – this is a very popular language among administrators & security specialists; in Python you can quickly and easily automate nearly any kind of process or write a tool, and it is also multi-threaded 🙂

  2. Thanks for sharing. Is this language also used by security devices?

  3. Russian appears on the screenshots, but on GitHub I have updated everything to English.

  4. Great article! I would suggest appending to this article an automation script that performs everything discussed and checks for dependencies, then outputs a help menu.

  5. Thanks for the article. Very good content.
