From aldeid


Unicornscan is an asynchronous TCP and UDP port scanner developed by the late Jack C. Louis. It is an attempt at a User-land Distributed TCP/IP stack, intended to provide a researcher with a superior interface for introducing a stimulus into, and measuring a response from, a TCP/IP enabled device or network. Although it currently has hundreds of individual features, its main abilities include:

  • Asynchronous stateless TCP scanning with all variations of TCP Flags.
  • Asynchronous stateless TCP banner grabbing
  • Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
  • Active and Passive remote OS, application, and component identification by analyzing responses.
  • PCAP file logging and filtering
  • Relational database output
  • Custom module support
  • Customized data-set views


From package

Packages have been written for Fedora and Slackware. If you have a different distribution, refer to the next section, which covers manual installation from sources.

Installation from sources



$ sudo apt-get install postgresql

It will also automatically install the following packages:

  • libpq5
  • postgresql-8.4
  • postgresql-client-8.4
  • postgresql-client-common
  • postgresql-common


$ cd /data/src/
$ wget http://easynews.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.11.tar.gz
$ tar xzvf libdnet-1.11.tar.gz
$ cd libdnet-1.11/
$ ./configure
$ make
$ sudo make install

It will install:

  • /usr/local/lib/libdnet.1.0.1
  • /usr/local/lib/libdnet.1
  • /usr/local/lib/libdnet
  • /usr/local/lib/libdnet.a
  • /usr/local/lib/libdnet.la


$ sudo apt-get install libpcap-dev


The following command:

$ sudo apt-get install libltdl7

installs:

  • /usr/lib/libltdl.so.7
  • /usr/lib/libltdl.so.7.2.1
  • /usr/share/doc/libltdl7

Installation of Unicornscan

$ cd /data/src/
$ wget http://unicornscan.org/releases/unicornscan-0.4.7-2.tar.bz2
$ bzip2 -cd unicornscan-0.4.7-2.tar.bz2 | tar xf -
$ cd unicornscan-0.4.7/
$ ./configure
$ make
$ sudo make install

If the make command returns an error like this one:

socktrans.c: In function 'socktrans_accept':
socktrans.c:192: error: storage size of 'ccred' isn't known
make[2]: *** [socktrans.lo] Error 1

Then try this:

$ ./configure CFLAGS=-D_GNU_SOURCE
$ make
$ sudo make install


Basic syntax

$ unicornscan [options] net/mask:IP_start-IP_end
If you omit the cidr mask then /32 is implied.


-b, --broken-crc <layer>
Break CRC sums on the following layers. N (Network) and T (Transport) are valid, and both may be used without separator, so NT would indicate both Network and Transport layers are to have invalid checksums.
-B, --source-port <port>
Source port for sent packets. The numeric value -1 means a random source port is used (the default); other valid settings are 0 to 65535.
Normally this option will not be used, but sometimes it is useful to, say, scan from port 53 into a network.
-c, --covertness <level>
Currently unused
-d, --delay-type <type>
(numeric value, valid options are '1:tsc 2:gtod 3:sleep')
Specify the timer used for pps calculations. The default is variable and will try to use something appropriate for the rate you have selected. Note, however, that the tsc and gtod timers, if available, are very CPU intensive. If you require unicornscan not to monopolize your system while running, consider using the sleep timer, normally 3. It has been observed that the tsc and gtod timers are required for high packet rates; however, this is highly system dependent and should be tested on each hardware/platform combination. The tsc timer may not be available on every CPU. The sleep timer module is not recommended for scans where utmost accuracy is required.
-D, --no-defpayload
No default payload; only probe known protocols
-e, --enable-module <list>
(pgsqldb, mysqldb, osdetect)
A comma separated list of modules to activate (note: payload modules do not require explicit activation, as they are enabled by default). An example would be 'pgsqldb,foomod'
-E, --proc-errors
Enable processing of errors such as ICMP error messages and TCP reset+ack messages. If this option is set, you will see responses that may or may not indicate the presence of a firewall, or other information that would otherwise be missed.
-F, --try-frags
Unused option (fixed value in the program).
-G, --payload-group <group>
Payload group (numeric) for tcp/udp type payload selection
(default: 1)
-h, --help
Show help
-H, --do-dns
Resolve DNS hostnames before and after the scan (but not during, as that would likely cause superfluous spurious responses during the scan, especially if UDP scanning). The hosts that will be resolved are (in order of resolution) the low and high addresses of the range, and finally each host address that replied with something that would be visible depending on other scan options.
This option is not recommended for use during scans where utmost accuracy is required.
-i, --interface <if>
Interface name, like eth0 or fxp1; not normally required
-I, --immediate
Display results immediately as they are found in a sort of meta report format (read: terse).
This option is not recommended for use during scans where the utmost accuracy is required.
-j, --ignore-seq <type>
(A: ignore All, R: Reset sequence numbers)
A string representing the intended sequence ignorance level. This affects the TCP header validity checking, normally used to filter noise from the scan. If, for example, you wish to see reset packets with an ack+seq that is not set, or perhaps intended for something else, the appropriate value for this option would be R.
A is normally used for more exotic TCP scanning.
Normally the R option is associated with reset scanning.
-l, --logfile <file>
Write to this file instead of the terminal
-L, --packet-timeout <sec>
Wait this long for packets to come back (default 7 secs)
-m, --mode <mode>
Scan mode. TCP (SYN) scan is the default; 'U' for UDP, 'T' for TCP, 'sf' for TCP connect scan and 'A' for ARP. With -mT you can also specify TCP flags following the T: for example, -mTsFpU would send TCP packets with (NO Syn|FIN|NO Push|URG).
-M, --module-dir <dir>
Directory where modules are found (defaults to /usr/local/lib/unicornscan/modules)
-o, --format <fmt>
Format of what to display for replies
Not explained in the man page
-p, --ports <ports>
List of ports to scan, if not specified in target options
-P, --pcap-filter <filter>
Extra pcap filter string for receiver.
-Q, --quiet
Don't use output to screen, it's going somewhere else (a database, say).
-r, --pps <num>
This is arguably the most important option. It is a numeric option containing the desired packets per second for the sender to use. Choosing a rate too high will cause your scan results to be incomplete. Choosing a rate too low will likely make you feel as though you are using Nmap.
-R, --repeats <times>
The number of times to completely repeat the sender's workload. This option is intended to improve accuracy during critical scans, or with scans going over a highly unreliable network.
-s, --source-addr <src>
(source address, 'r' for random)
The address to use to override the listener's default interface address. Using this option often necessitates using the helper program fantaip(1) to make sure the replies are routed back to the interface the listener has open.
-S, --no-shuffle
Do not shuffle ports
-t, --ip-ttl <num>
Set TTL on sent packets as in 62 or 6-16 or r64-128
-T, --ip-tos <num>
Set TOS on sent packets
-u, --debug <mask>
Debug mask
Unspecified in the manual
-U, --no-openclosed
Don't say open or closed
Unspecified in the manual
-v, --verbose
Verbose (each time more verbose so -vvvvv is really verbose)
-V, --version
Display version
-w, --safefile <pcap>
Write pcap file of received packets
-W, --fingerprint <num>
OS fingerprint
  • 0=cisco(def)
  • 1=openbsd
  • 2=WindowsXP
  • 3=p0fsendsyn
  • 4=FreeBSD
  • 5=nmap
  • 6=linux
  • 7:strangetcp
-z, --sniff
Sniff alike
-Z, --drone-str <str>
Drone String
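
The flag letters described under -m can be decoded into the TCP flags byte, which is what a capture filter on the receiving side would match on. This is an added example, not code from unicornscan or from the original page; only the S, F, P and U letters appear on the page, so the R and A letters, the SYN-by-default starting point and the function names are assumptions.

```python
# Added example: decode the flag letters of a unicornscan "-mT..." mode string.
# S, F, P and U come from the page's -mTsFpU example; R and A are assumed to
# follow the same convention.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def decode_tcp_mode(mode):
    """Return (flags_byte, flag_names) for a mode such as 'T' or 'TsFpU'."""
    if not mode.startswith("T"):
        raise ValueError("not a TCP mode string: %r" % mode)
    flags = TCP_FLAGS["S"]  # assumption: plain -mT starts as a SYN probe
    for letter in mode[1:]:
        bit = TCP_FLAGS.get(letter.upper())
        if bit is None:
            raise ValueError("unknown flag letter %r in %r" % (letter, mode))
        if letter.isupper():
            flags |= bit       # uppercase letter: flag is set
        else:
            flags &= ~bit      # lowercase letter: flag is cleared
    by_bit = sorted(TCP_FLAGS.items(), key=lambda item: item[1])
    return flags, [name for name, bit in by_bit if flags & bit]


def capture_filter(mode):
    """BPF expression matching IPv4 TCP packets whose flags byte equals the probe's."""
    flags, _ = decode_tcp_mode(mode)
    return "tcp[13] == 0x%02x" % flags


if __name__ == "__main__":
    for example in ("T", "TsFpU"):
        print(example, decode_tcp_mode(example), capture_filter(example))
```

The resulting expression can be given to tcpdump, or to the -P option listed above, to isolate packets carrying exactly that flag combination.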


$ sudo unicornscan -msf -s -r 10 -Iv,8080,22,443,21
adding mode 'TCPscan' ports '80,8080,22,443,21' pps 10
using interface(s) wlan0
scaning 1.00e+00 total hosts with 5.00e+00 total packets, should take a little longer than 7 Seconds
connected ->
TCP open  ttl 64
connected ->
TCP open  ttl 64
connected ->
TCP open  ttl 64
sender statistics 10.0 pps with 5 packets sent total
listener statistics 131 packets recieved 0 packets droped and 0 interface drops
TCP open                     ssh[   22]         from  ttl 64 
TCP open                    http[   80]         from  ttl 64 
TCP open                http-alt[ 8080]         from  ttl 64
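
The final report lines above have a fixed layout that is easy to turn into records and compare against the services a host you administer is expected to expose. This is an added example, not part of the original page or of unicornscan; the sample lines are constructed (192.0.2.10 is a documentation address), the address after "from" is treated as optional because it is blank in the output above, and parse_report and unexpected_open are hypothetical helper names.

```python
import re

# One line of the final report. The address after "from" is optional because
# it is blank in the page's copy of the output.
REPORT_LINE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<state>\S+)\s+(?P<service>\S+?)\[\s*(?P<port>\d+)\]"
    r"\s+from\s+(?:(?P<addr>\S+)\s+)?ttl\s+(?P<ttl>\d+)\s*$"
)

# Constructed sample in the same layout as the run above (not a real scan result).
SAMPLE = """\
sender statistics 10.0 pps with 5 packets sent total
listener statistics 131 packets recieved 0 packets droped and 0 interface drops
TCP open                     ssh[   22]         from 192.0.2.10  ttl 64
TCP open                    http[   80]         from 192.0.2.10  ttl 64
TCP open                http-alt[ 8080]         from 192.0.2.10  ttl 64
"""


def parse_report(text):
    """Return one dict per report line; statistics and other lines are skipped."""
    records = []
    for line in text.splitlines():
        match = REPORT_LINE.match(line)
        if match is None:
            continue
        record = match.groupdict()
        record["port"] = int(record["port"])
        record["ttl"] = int(record["ttl"])
        records.append(record)
    return records


def unexpected_open(records, allowed):
    """List open services that are not in allowed[addr], a set of (proto, port)."""
    findings = []
    for rec in records:
        if rec["state"] != "open":
            continue
        if (rec["proto"], rec["port"]) not in allowed.get(rec["addr"], set()):
            findings.append((rec["addr"], rec["proto"], rec["port"], rec["service"]))
    return findings


if __name__ == "__main__":
    baseline = {"192.0.2.10": {("TCP", 22), ("TCP", 80)}}
    for finding in unexpected_open(parse_report(SAMPLE), baseline):
        print("not in baseline:", finding)
```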