Talking about ZoomEye on KCon 2019

heige
Aug 28, 2019


by Heige(a.k.a Superhei) of KnownSec 404 Team 08/28/2019

In the past few days (August 23–25, Beijing time), the KCon 2019 hacking conference hosted by the KnownSec 404 team was held in Beijing (PS: slides from past KCon talks are available at https://github.com/knownsec/KCon; the KCon 2019 slides will be online soon). I have been attending the conference and doing related work these days. At KCon 2019, I focused on some of the recent work and plans for the ZoomEye cyberspace search engine, as well as some of my views on cyberspace mapping.

I think there are two key factors in cyberspace mapping or search engines: “More Data” and “Data Life”. “More Data” means that we need more different kinds of basic cyberspace mapping data; “Data Life” means giving the data a soul, interpreting the meaning behind the data through data analysis and other means.

Topic 1: “Network scanning resources and technology have become the core competitiveness of cyberspace mapping!”

* Xmap 2.0 has come

Xmap is the ZoomEye core IP scanning engine. We have now released Xmap 2.0, which on average acquires 6.4 times more data per month than before. Another feature is that it can be deployed and installed with one click.

* Launched ZoomEye “500 Nodes Plan”

Based on Xmap 2.0’s one-click installation and deployment, we can quickly deploy our scanning nodes. At present we have deployed nearly 200 nodes; in the future we will deploy 500 nodes, distributed around the world.

Topic 2: “Multi-angle data association to get a fuller data soul”

* IPv6 Mapping

ZoomEye’s mapping is implemented along the chain domain name → IPv4 → dark net → IPv6. ZoomEye currently has a library of nearly 100 million IPv6 addresses, which has recently been growing by an average of 70,000 per week.

The scanning core framework is based on the Xmap IPv6 version and supports all the protocol ports of Xmap IPv4. It yields an average of about 2 million pieces of data per week, which of course depends on the number of nodes we use.

From the statistics of the IPv6 data, IPv6 is mainly concentrated in the United States, Canada, Australia and Russia. In terms of component distribution, IPv6 is currently mainly supported by network devices such as switches and routers.

(Figure: ZoomEye IPv6 Mapping)
(Figure: ZoomEye IPv6 Devices)

Topic 3: “Honeypot deployment vs. honeypot identification has become the main confrontation in cyberspace mapping”

Cyberspace honeypots are mainly used against botnets, APT, mass cyberspace scanning and other attacks, and are one of the main sources of threat intelligence. Therefore, the more honeypots are deployed, the more inevitable honeypot identification becomes.

The first thing we want to emphasize is that a “honeypot” is also a kind of “service” or “application”. It has its own specific banner data, so honeypots can be identified. ZoomEye started putting honeypot identification data online last year (only for VIP users).

According to recent statistics, the amount of data marked as honeypots in ZoomEye is close to 100,000 and is gradually increasing. The port distribution is mainly port 80, port 20000 and port 22. Among them, port 20000 is commonly used by the DNP3 protocol of industrial equipment.

(Figure: ZoomEye honeypots)
(Figure: ZoomEye honeypots Ports)

Honeypot servers are mainly distributed across Amazon and OVH.

(Figure: ZoomEye honeypots IDC)
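To make the banner-based identification above concrete, here is a small added example (not ZoomEye code, and not the author’s) that tags service banner records against a list of honeypot fingerprints and then breaks the tagged records down by port and hosting provider, the two views reported above. The fingerprints, the provider labels and the sample records are all constructed for this illustration; a real deployment would use an operator’s own catalogue of known default banners. A honeypot operator can run the same check over the banners their own sensors expose to find the ones still advertising a fingerprintable default.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class BannerRecord:
    """One scanned service: address, port, raw banner and the IDC/provider the
    address was attributed to (provider attribution is assumed to exist)."""
    ip: str
    port: int
    banner: str
    provider: str


# Constructed fingerprints for this example: (name, port, pattern). They are
# placeholders in the shape of real honeypot fingerprints, not ZoomEye's rules.
HONEYPOT_FINGERPRINTS = [
    ("example-ssh-trap", 22, re.compile(r"^SSH-2\.0-OpenSSH_[\d.]+p\d EXAMPLE-HONEYPOT")),
    ("example-http-trap", 80, re.compile(r"Server: ExampleTrap/\d+")),
    ("example-dnp3-trap", 20000, re.compile(r"^DNP3-EXAMPLE-TRAP")),
]


def identify_honeypot(rec: BannerRecord) -> Optional[str]:
    """Return the fingerprint name when the banner matches a known honeypot
    default on the expected port, otherwise None. Restricting the match to the
    fingerprint's port avoids tagging an unrelated service that happens to
    echo a similar string."""
    for name, port, pattern in HONEYPOT_FINGERPRINTS:
        if rec.port == port and pattern.search(rec.banner):
            return name
    return None


def summarise(records: Iterable[BannerRecord]) -> dict:
    """Tag every record and count the tagged ones by port, provider and
    fingerprint, mirroring the port and IDC breakdowns in the post."""
    records = list(records)
    tagged = [(r, identify_honeypot(r)) for r in records]
    hits = [(r, name) for r, name in tagged if name is not None]
    return {
        "total": len(records),
        "honeypots": len(hits),
        "by_port": Counter(r.port for r, _ in hits),
        "by_provider": Counter(r.provider for r, _ in hits),
        "by_fingerprint": Counter(name for _, name in hits),
    }


# Constructed sample records using documentation address ranges.
SAMPLE_RECORDS = [
    BannerRecord("192.0.2.10", 22, "SSH-2.0-OpenSSH_7.4p1 EXAMPLE-HONEYPOT", "Amazon"),
    BannerRecord("192.0.2.11", 80, "HTTP/1.1 200 OK\r\nServer: ExampleTrap/2\r\n", "Amazon"),
    BannerRecord("198.51.100.5", 20000, "DNP3-EXAMPLE-TRAP v1", "OVH"),
    BannerRecord("198.51.100.6", 22, "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5", "OVH"),
    BannerRecord("203.0.113.7", 80, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n", "Example-ISP"),
    BannerRecord("2001:db8::1", 80, "HTTP/1.1 200 OK\r\nServer: ExampleTrap/3\r\n", "OVH"),
]


if __name__ == "__main__":
    report = summarise(SAMPLE_RECORDS)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The port restriction in `identify_honeypot` is the part worth keeping in any real rule set: a banner string alone is weak evidence, and the same text seen on an unexpected port is more often a misconfigured service than a honeypot.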

Topic 4: “ZoomEye pays attention to all data related to cyberspace mapping”

We welcome all kinds of data cooperation; if you have a good idea, please contact me.

https://twitter.com/80vul

