Unicornscan is an asynchronous TCP and UDP port scanner developed by the late Jack C. Louis. It is an attempt at a user-land distributed TCP/IP stack, intended to give a researcher a superior interface for introducing a stimulus into, and measuring the response from, a TCP/IP-enabled device or network. Although it currently has hundreds of individual features, its main abilities include:
- Asynchronous stateless TCP scanning with all variations of TCP Flags.
- Asynchronous stateless TCP banner grabbing
- Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
- Active and Passive remote OS, application, and component identification by analyzing responses.
- PCAP file logging and filtering
- Relational database output
- Custom module support
- Customized data-set views
Packages have been written for Fedora and Slackware. If you use a different distribution, refer to the next section, manual installation from sources.
Installation from sources
$ sudo apt-get install postgresql
It will also automatically install the following packages:
$ cd /data/src/
$ wget http://easynews.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.11.tar.gz
$ tar xzvf libdnet-1.11.tar.gz
$ cd libdnet-1.11/
$ ./configure
$ make
$ sudo make install
It will install:
$ sudo apt-get install libpcap-dev
$ sudo apt-get install libltdl7
Installation of Unicornscan
$ cd /data/src/
$ wget http://unicornscan.org/releases/unicornscan-0.4.7-2.tar.bz2
$ bzip2 -cd unicornscan-0.4.7-2.tar.bz2 | tar xf -
$ cd unicornscan-0.4.7/
$ ./configure
$ make
$ sudo make install
If the make command returns an error like this one:
socktrans.c: In function 'socktrans_accept':
socktrans.c:192: error: storage size of 'ccred' isn't known
make: *** [socktrans.lo] Error 1
Then try this:
$ ./configure CFLAGS=-D_GNU_SOURCE
$ make
$ sudo make install
$ unicornscan [options] net/mask:IP_start-IP_end
- -b, --broken-crc <layer>
- Break CRC sums on the following layers. N (Network) and T (Transport) are valid, and both may be used without separator, so NT would indicate both Network and Transport layers are to have invalid checksums.
- -B, --source-port <port>
- Source port for sent packets. The numeric value -1 means use a random source port (the default); other valid settings are 0 to 65535.
- Normally this option will not be used, but sometimes it is useful to, say, scan from port 53 into a network.
- -c, --covertness <level>
- Currently unused
- -d, --delay-type <type>
- (numeric value, valid options are '1:tsc 2:gtod 3:sleep')
- Specify the timer used for pps calculations. The default is variable and will try to use something appropriate for the rate you have selected. Note, however, that the tsc timer and the gtod timer, if available, are very CPU intensive. If you require unicornscan not to monopolize your system while running, consider using the sleep timer, normally 3. It has been observed that the tsc timer and gtod timer are required for high packet rates; however, this is highly system dependent and should be tested on each hardware/platform combination. The tsc timer may not be available on every CPU. The sleep timer module is not recommended for scans where utmost accuracy is required.
- -D, --no-defpayload
- No default payload; only probe known protocols.
- -e, --enable-module <list>
- (pgsqldb, mysqldb, osdetect)
- A comma separated list of modules to activate (note: payload modules do not require explicit activation, as they are enabled by default). An example would be 'pgsqldb,foomod'
- -E, --proc-errors
- Enable processing of errors such as ICMP error messages and TCP reset+ack messages (for example). If this option is set, you will see responses that may or may not indicate the presence of a firewall, or other information that would otherwise be missed.
- -F, --try-frags
- Unused option (fixed value in the program).
- -G, --payload-group <group>
- Payload group (numeric) for tcp/udp type payload selection
- (default: 1)
- -h, --help
- Show help
- -H, --do-dns
- Resolve DNS hostnames before and after the scan (but not during it, as that would likely cause spurious responses during the scan, especially when UDP scanning). The hosts that will be resolved are (in order of resolution) the low and high addresses of the range, and finally each host address that replied with something that would be visible depending on the other scan options.
- This option is not recommended for use during scans where utmost accuracy is required.
- -i, --interface <if>
- Interface name, such as eth0 or fxp1; not normally required.
- -I, --immediate
- Display results immediately as they are found in a sort of meta report format (read: terse).
- This option is not recommended for use during scans where the utmost accuracy is required.
- -j, --ignore-seq <type>
- (A: ignore All, R: Reset sequence numbers)
- A string representing the intended sequence ignorance level. This affects the TCP header validity checking, normally used to filter noise from the scan. If, for example, you wish to see reset packets with an ack+seq that is not set, or perhaps intended for something else, the appropriate use of this option would be R.
- A is normally used for more exotic TCP scanning.
- The R option is normally associated with reset scanning.
- -l, --logfile <file>
- Write output to this file instead of the terminal.
- -L, --packet-timeout <sec>
- Wait this long for packets to come back (default 7 seconds).
- -m, --mode <mode>
- Scan mode; a TCP (SYN) scan is the default. 'U' selects UDP, 'T' TCP, 'sf' a TCP connect scan and 'A' ARP. For -mT you can also specify TCP flags following the T: -mTsFpU, for example, would send TCP packets with (NO Syn|FIN|NO Push|URG), an upper-case letter setting the flag and a lower-case one clearing it.
- -M, --module-dir <dir>
- Directory in which modules are found (defaults to /usr/local/lib/unicornscan/modules).
- -o, --format <fmt>
- Format of what to display for replies
- Not explained in the man page
- -p, --ports <ports>
- List of ports to scan, if not specified in the target options.
- -P, --pcap-filter <filter>
- Extra pcap filter string for receiver.
- -Q, --quiet
- Don't use output to screen; it's going somewhere else (a database, say...).
- -r, --pps <num>
- This is arguably the most important option, it is a numeric option containing the desired packets per second for the sender to use. Choosing a rate too high will cause your scan results to be incomplete. Choosing a rate too low will likely make you feel as though you are using Nmap.
- -R, --repeats <times>
- The number of times to completely repeat the sender's workload. This option is intended to improve accuracy during critical scans, or with scans going over a highly unreliable network.
- -s, --source-addr <src>
- (source address, 'r' for random)
- The address to use to override the listener's default interface address. Using this option often necessitates using the helper program fantaip(1) to make sure the replies are routed back to the interface the listener has open.
- -S, --no-shuffle
- Do not shuffle ports
- -t, --ip-ttl <num>
- Set the TTL on sent packets, as in 62, 6-16 or r64-128.
- -T, --ip-tos <num>
- Set TOS on sent packets
- -u, --debug <mask>
- Debug mask
- Unspecified in the manual
- -U, --no-openclosed
- Don't say open or closed
- Unspecified in the manual
- -v, --verbose
- Verbose (each time more verbose so -vvvvv is really verbose)
- -V, --version
- Display version
- -w, --safefile <pcap>
- Write pcap file of received packets
- -W, --fingerprint <num>
- OS fingerprint
- -z, --sniff
- Sniff alike
- -Z, --drone-str <str>
- Drone String
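The two options above that most affect what actually leaves the wire are -m (which TCP flags the sender sets) and the -r/-L/-R trio (how many packets are sent and how long the listener waits). The following Python script, added here as an example and not part of unicornscan or its documentation, models both so that a scan can be sanity-checked before it is launched: parse_mode turns a -m string into the resulting flag set using the upper-case-sets, lower-case-clears convention the -mTsFpU example implies, and scan_plan reproduces the "should take a little longer than N Seconds" arithmetic. The letters S, F, P and U are taken from the option description; A (ACK) and R (RST) are an assumption that they follow the same convention.

```python
"""Interpret unicornscan command-line choices before running a scan.

Added example, not part of unicornscan itself. Flag letters S, F, P, U
come from the -m description on this page; A and R are assumed to follow
the same convention and are not confirmed by the page.
"""

# Letter -> TCP flag name. Upper case sets the flag, lower case clears it.
FLAG_LETTERS = {
    "S": "SYN", "F": "FIN", "P": "PSH", "U": "URG",   # named on the page
    "A": "ACK", "R": "RST",                           # assumed, see docstring
}

# Bit values of the TCP header flags byte (RFC 793 ordering).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Mode strings that select a non-flag scan type (from the -m description).
PLAIN_MODES = {"U": "udp", "sf": "tcp-connect", "A": "arp"}


def parse_mode(mode):
    """Return (scan_kind, frozenset_of_tcp_flags) for a -m argument.

    A bare 'T' is a SYN scan; letters after the T modify that default,
    so 'TsFpU' clears SYN and PSH and sets FIN and URG.
    """
    if mode in PLAIN_MODES:
        return PLAIN_MODES[mode], frozenset()
    if not mode.startswith("T"):
        raise ValueError(f"unknown scan mode {mode!r}")
    flags = {"SYN"}                       # default for a TCP scan
    for letter in mode[1:]:
        name = FLAG_LETTERS.get(letter.upper())
        if name is None:
            raise ValueError(f"unknown flag letter {letter!r} in {mode!r}")
        if letter.isupper():
            flags.add(name)
        else:
            flags.discard(name)
    return "tcp", frozenset(flags)


def flags_byte(flags):
    """Pack a set of flag names into the TCP header flags value."""
    return sum(FLAG_BITS[f] for f in flags)


def scan_plan(hosts, ports, pps, packet_timeout=7, repeats=1):
    """Packets the sender will emit and a lower bound on wall-clock seconds.

    Mirrors unicornscan's 'should take a little longer than N Seconds'
    line: time to send every packet at the -r rate, plus the -L timeout
    the listener keeps waiting after the last packet goes out.
    """
    packets = hosts * ports * repeats
    return packets, packets / pps + packet_timeout


if __name__ == "__main__":
    kind, flags = parse_mode("TsFpU")
    print(kind, sorted(flags), hex(flags_byte(flags)))
    print(scan_plan(hosts=1, ports=5, pps=10))   # the example scan below
```

Run against the scan shown on this page (one host, five ports, -r 10, default -L 7) scan_plan returns 5 packets and 7.5 seconds, which matches the "a little longer than 7 Seconds" estimate the tool prints; raising -R or the port list scales the first term, while lowering -L only trims the fixed tail and risks losing late replies.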
$ sudo unicornscan -msf -s 192.168.100.18 -r 10 -Iv 192.168.100.1:80,8080,22,443,21
adding 192.168.100.1/32 mode 'TCPscan' ports '80,8080,22,443,21' pps 10
using interface(s) wlan0
scaning 1.00e+00 total hosts with 5.00e+00 total packets, should take a little longer than 7 Seconds
connected 192.168.100.18:24482 -> 192.168.100.1:8080
TCP open 192.168.100.1:8080 ttl 64
connected 192.168.100.18:51297 -> 192.168.100.1:80
TCP open 192.168.100.1:80 ttl 64
connected 192.168.100.18:23150 -> 192.168.100.1:22
TCP open 192.168.100.1:22 ttl 64
sender statistics 10.0 pps with 5 packets sent total
listener statistics 131 packets recieved 0 packets droped and 0 interface drops
TCP open ssh[ 22] from 192.168.100.1 ttl 64
TCP open http[ 80] from 192.168.100.1 ttl 64
TCP open http-alt[ 8080] from 192.168.100.1 ttl 64
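When unicornscan is run as a routine check of one's own hosts, the useful follow-up is to turn the text above into records and diff them against what should be listening. The following Python script is an added example, not part of unicornscan: it parses the immediate-mode lines (-I), the end-of-scan summary lines and the listener statistics line, and reports open ports that are missing from a constructed allow-list. The sample transcript is the scan output shown above, embedded so the script runs offline; the expected-services table is constructed for the example.

```python
"""Parse unicornscan terminal output into findings and flag unexpected ports.

Added example, not unicornscan code. SAMPLE_OUTPUT is the transcript from
this page; EXPECTED is a constructed allow-list of services per host.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "proto state host port service ttl")

# Summary line:   TCP open ssh[ 22] from 192.168.100.1 ttl 64
SUMMARY_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<state>open|closed) (?P<service>\S+)\[\s*(?P<port>\d+)\]"
    r" from (?P<host>\S+) ttl (?P<ttl>\d+)$"
)
# Immediate-mode line (-I):   TCP open 192.168.100.1:8080 ttl 64
IMMEDIATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<state>open|closed) (?P<host>[\d.]+):(?P<port>\d+) ttl (?P<ttl>\d+)$"
)
# Listener statistics, spelled exactly as the tool prints it in the transcript above.
STATS_RE = re.compile(
    r"^listener statistics (\d+) packets recieved (\d+) packets droped and (\d+) interface drops$"
)

SAMPLE_OUTPUT = """\
adding 192.168.100.1/32 mode 'TCPscan' ports '80,8080,22,443,21' pps 10
using interface(s) wlan0
connected 192.168.100.18:24482 -> 192.168.100.1:8080
TCP open 192.168.100.1:8080 ttl 64
connected 192.168.100.18:51297 -> 192.168.100.1:80
TCP open 192.168.100.1:80 ttl 64
connected 192.168.100.18:23150 -> 192.168.100.1:22
TCP open 192.168.100.1:22 ttl 64
sender statistics 10.0 pps with 5 packets sent total
listener statistics 131 packets recieved 0 packets droped and 0 interface drops
TCP open ssh[ 22] from 192.168.100.1 ttl 64
TCP open http[ 80] from 192.168.100.1 ttl 64
TCP open http-alt[ 8080] from 192.168.100.1 ttl 64
"""

# Constructed allow-list: the services this host is supposed to expose.
EXPECTED = {"192.168.100.1": {22, 80}}


def parse_output(text):
    """Return (findings, stats) from unicornscan output.

    Immediate-mode lines carry no service name, so a later summary line
    for the same proto/host/port replaces the immediate-mode record.
    """
    findings, stats = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            key = (m["proto"], m["host"], int(m["port"]))
            findings[key] = Finding(m["proto"], m["state"], m["host"],
                                    int(m["port"]), m["service"], int(m["ttl"]))
            continue
        m = IMMEDIATE_RE.match(line)
        if m:
            key = (m["proto"], m["host"], int(m["port"]))
            findings.setdefault(key, Finding(m["proto"], m["state"], m["host"],
                                             int(m["port"]), None, int(m["ttl"])))
            continue
        m = STATS_RE.match(line)
        if m:
            stats = {"received": int(m[1]), "dropped": int(m[2]),
                     "interface_drops": int(m[3])}
    ordered = sorted(findings.values(), key=lambda f: (f.host, f.proto, f.port))
    return ordered, stats


def unexpected_open(findings, expected):
    """Open ports that are not in the {host: {port, ...}} allow-list."""
    return [f for f in findings
            if f.state == "open" and f.port not in expected.get(f.host, set())]


if __name__ == "__main__":
    found, stats = parse_output(SAMPLE_OUTPUT)
    for f in found:
        print(f)
    print("listener:", stats)
    for f in unexpected_open(found, EXPECTED):
        print(f"UNEXPECTED: {f.host}:{f.port} ({f.service}) is open")
```

The statistics record is worth keeping alongside the findings: a non-zero dropped count, or a received count that looks too low for the port list, is the symptom of a -r rate set too high, and the page warns that such a scan is incomplete rather than wrong-looking.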