FoxIO-LLC / ja4tscan

JA4TScan is an active TCP server fingerprinting tool.

Segmentation fault (core dumped) #2

Closed MrRobotsAA closed 5 months ago

MrRobotsAA commented 7 months ago

Hello, I've built the code locally (Ubuntu and macOS M2), but the scans all prompt a memory crash.

1. sudo python3 ja4tscan.py -p 443 59.110.219.243

adding iptable rules...
cmd zmap -p 443 -r 10 -I input -o output.csv --output-fields=timestamp,saddr,ja4ts --probe-module=ja4ts --dedup-method none --cooldown-time=120
Mar 17 18:23:15.751 [INFO] dedup: Response deduplication method is none
Mar 17 18:23:15.752 [INFO] filter: No output filter provided. ZMap will output all results, including duplicate and non-successful responses (e.g., RST and ICMP packets). If you want a filter similar to ZMap's default behavior, you can set an output filter similar to the following: --output-filter="success=1 && repeat=0".
Mar 17 18:23:15.764 [WARN] zmap: list of IPs is small compared to address space. Performance will suffer, consider using an allowlist instead
Mar 17 18:23:15.773 [INFO] recv: duplicate responses will be passed to the output module
Mar 17 18:23:15.774 [INFO] recv: unsuccessful responses will be passed to the output module
0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
Segmentation fault (core dumped)
cleaning up iptable rules...

2. zmap -p 443 -r 10 -I ./input -o output.csv --output-fields=timestamp,saddr,ja4ts --probe-module=ja4ts --dedup-method none --cooldown-time=120

Mar 17 18:23:47.687 [INFO] dedup: Response deduplication method is none
Mar 17 18:23:47.687 [INFO] filter: No output filter provided. ZMap will output all results, including duplicate and non-successful responses (e.g., RST and ICMP packets). If you want a filter similar to ZMap's default behavior, you can set an output filter similar to the following: --output-filter="success=1 && repeat=0".
Mar 17 18:23:47.699 [WARN] zmap: list of IPs is small compared to address space. Performance will suffer, consider using an allowlist instead
Mar 17 18:23:47.709 [INFO] recv: duplicate responses will be passed to the output module
Mar 17 18:23:47.710 [INFO] recv: unsuccessful responses will be passed to the output module
0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
0:00 0%; send: 0 0 p/s (0 p/s avg); recv: 0 0 p/s (0 p/s avg); drops: 0 p/s (0 p/s avg); hitrate: 0.00%
Segmentation fault (core dumped)

noeltimothy commented 7 months ago

Hi @MrRobotsAA, can you attach any corefile you have along with this? It would also help to get the syslog that has zmap entries. You can use this:

cat /var/log/syslog | grep zmap

sharkocha commented 7 months ago

I encountered a core dump, too. My OS is Ubuntu 22.

This is the command and output of ja4tscan (I've changed the name of zmap binary file and the IP range is valid):

./zmap_bin -p 80 -r xxx.xxx.xxx.xxx/24 -o output.csv --output-fields=timestamp,saddr,ja4ts --probe-module=ja4ts --dedup-method none --cooldown-time=120

Mar 27 16:33:52.294 [INFO] dedup: Response deduplication method is none
Mar 27 16:33:52.294 [INFO] filter: No output filter provided. ZMap will output all results, including duplicate and non-successful responses (e.g., RST and ICMP packets). If you want a filter similar to ZMap's default behavior, you can set an output filter similar to the following: --output-filter="success=1 && repeat=0".
Mar 27 16:33:52.300 [INFO] recv: duplicate responses will be passed to the output module
Mar 27 16:33:52.300 [INFO] recv: unsuccessful responses will be passed to the output module
Segmentation fault (core dumped)
cleaning up iptable rules...

Here are the results of cat /var/log/syslog | grep zmap_bin:

$ cat /var/log/syslog | grep zmap_bin
Mar 27 16:10:00 Jelly-Tab kernel: [421903.320101] zmap_bin[195755]: segfault at 76626a50cdd0 ip 0000575653025973 sp 000076651a7dbc50 error 4 in zmap_bin[57565300f000+22000] likely on CPU 1 (core 1, socket 0)
Mar 27 16:16:57 Jelly-Tab kernel: [422320.478911] zmap_bin[195916]: segfault at 76f8f3f9cdd0 ip 000062bfcd920973 sp 000076ffa645bc50 error 4 likely on CPU 2 (core 2, socket 0)
Mar 27 16:30:29 Jelly-Tab kernel: [423132.216898] zmap_bin[197029]: segfault at 78b68f104dd0 ip 00005e0d26d71973 sp 000078b113a15c50 error 4 likely on CPU 1 (core 1, socket 0)
Mar 27 16:31:11 Jelly-Tab kernel: [423174.312494] zmap_bin[197174]: segfault at 716aa6db0dd0 ip 000058d22e23c973 sp 0000716db7ffec50 error 4 in zmap_bin[58d22e226000+22000] likely on CPU 1 (core 1, socket 0)
Mar 27 16:33:27 Jelly-Tab kernel: [423309.925573] zmap_bin[197335]: segfault at 7e60ce728dd0 ip 00005e24c0077973 sp 00007e673565cc50 error 4 likely on CPU 1 (core 1, socket 0)
Mar 27 16:33:52 Jelly-Tab kernel: [423334.854678] zmap_bin[197367]: segfault at 71c418304dd0 ip 00005f2f9cc20973 sp 000071c310cbec50 error 4 in zmap_bin[5f2f9cc0a000+22000] likely on CPU 1 (core 1, socket 0)

By the way, the python script cannot parse the IP range correctly, but this is not the main problem.
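Added example (not part of the thread or of the project's code): a small parser for kernel segfault lines like the ones quoted in the comment above. It decodes the x86 page-fault error code and, where the line names a mapping, computes the faulting instruction's offset inside it, which shows whether crashes at different ASLR addresses hit the same instruction. The two sample lines are copied from the thread; the function names are illustrative.

```python
import re

# Two of the kernel lines quoted in the thread: one with the
# "in zmap_bin[base+size]" mapping and one without it.
SAMPLE = """\
Mar 27 16:10:00 Jelly-Tab kernel: [421903.320101] zmap_bin[195755]: segfault at 76626a50cdd0 ip 0000575653025973 sp 000076651a7dbc50 error 4 in zmap_bin[57565300f000+22000] likely on CPU 1 (core 1, socket 0)
Mar 27 16:16:57 Jelly-Tab kernel: [422320.478911] zmap_bin[195916]: segfault at 76f8f3f9cdd0 ip 000062bfcd920973 sp 000076ffa645bc50 error 4 likely on CPU 2 (core 2, socket 0)
"""

SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the x86 page-fault error code printed after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not mapped",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def parse_segfaults(text):
    records = []
    for m in SEGV.finditer(text):
        ip = int(m["ip"], 16)
        rec = {
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "fault_addr": int(m["addr"], 16),
            "ip": ip,
            # ASLR is page-granular, so the low 12 bits survive randomisation.
            "page_offset": ip & 0xFFF,
            # Offset from the start of the mapping the kernel named, which is
            # not necessarily the load address of the whole binary.
            "mapping_offset": ip - int(m["base"], 16) if m["base"] else None,
        }
        rec.update(decode_error(int(m["err"], 16)))
        records.append(rec)
    return records

def same_crash_site(records):
    """True when every crash shares one in-page instruction offset."""
    return len({r["page_offset"] for r in records}) == 1

if __name__ == "__main__":
    for r in parse_segfaults(SAMPLE):
        off = hex(r["mapping_offset"]) if r["mapping_offset"] is not None else "n/a"
        print(r["comm"], r["pid"], r["mode"], r["access"], r["cause"], "offset", off)
```
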

john-althouse commented 6 months ago

@lfishRhungry Remove and try again, the issue was with using the main branch of zmap. We're now writing JA4TScan for specific versions of zmap.

noeltimothy commented 6 months ago

@lfishRhungry, Yes we now use zmap 4.1.0. You can remove and try again by running:

sudo ./build.sh

This will automatically build against zmap 4.1.0. If you continue to see the issue, please report here and I will be glad to help.

sharkocha commented 6 months ago

> @lfishRhungry Remove and try again, the issue was with using the main branch of zmap. We're now writing JA4TScan for specific versions of zmap.

Problem resolved. Thanks!

sharkocha commented 6 months ago

> @lfishRhungry, Yes we now use zmap 4.1.0. You can remove and try again by running:
>
> sudo ./build.sh
>
> This will automatically build against zmap 4.1.0. If you continue to see the issue, please report here and I will be glad to help.

It worked. Thanks!