Unicornscan
Unicornscan is designed as a compact enumerator for gathering network and OS information. It provides the user with the facility to introduce a stimulus against a specific host or network and measure the returned response. It currently has a number of features, including:
- Asynchronous stateless TCP scanning with all variations of TCP flags.
- Asynchronous stateless TCP banner grabbing.
- Asynchronous protocol-specific UDP scanning (sending enough of a signature to elicit a response).
- Active and passive remote OS, application, and component identification by analyzing responses.
- PCAP file logging and filtering.
- Relational database output.
- Custom module support.
- Customized data-set views.
Installation
Unicornscan is available from here. Install the RPM package with:
rpm -ivh unicornscan-0.4.2-0.i386.rpm
Execution
unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/CIDR_SUBNET_MASK:S-E
Options:
-b, --broken-crc *[Set broken CRC sums on [T]ransport layer, [N]etwork layer, or both [TN]]
-B, --source-port *[Set source port, or whatever the scan module expects as a number]
-d, --delay-type *[Set delay type] Numeric value, valid options are:
    1:tsc
    2:gtod
    3:sleep
-D, --no-defpayload [No default payload, probe known protocols]
-e, --enable-module *[Enable modules listed as arguments (output and report currently)]
-E, --show-errors [For tracking ICMP errors and RST packets]
-h, --help [Help]
-i, --interface *[Interface name, i.e. eth0, not normally required]
-m, --mode *[Scan mode] Options include:
    tcp (syn) scan is the default,
    U for udp
    T for tcp
    `sf' for tcp connect scan and
    A for arp
-M, --module-dir *[default: /usr/local/libexec/unicornscan/modules]
-p, --no-patience [No patience, display things as we find them]
-P, --pcap-filter *[Extra pcap filter string for receiver]
-q, --covertness *[Covertness value from 0 to 255]
-r, --pps *[pkts/s (total, not per host; as you go higher it gets less accurate)]
-R, --repeats *[Repeat packet scan N times]
-s, --source-addr *[Source address for packets, `r' for random]
-S, --no-shuffle [DON'T shuffle ports]
-t, --ip-ttl *[Set TTL on sent packets]
-T, --ip-tos *[Set TOS on sent packets]
-w, --safefile *[Write pcap file of received packets]
-W, --fingerprint *[OS fingerprint] Options are:
    0=cisco(def)
    1=openbsd
    2=WindowsXP
    3=p0fsendsyn
    4=FreeBSD
    5=nmap
    6=linux
    7:Crazy lint tcp header (use with p0f hopefully)
-v, --verbose [Verbose (each time more verbose, so -vvvvv is really verbose!!!!!)]
-V, --version [Display version]
-Z, --drone-type *[L or S]

Note: Using the flags -mT you can also specify TCP flags following the T, for example -mTsFpU, which would send TCP SYN packets with (NO Syn|FIN|NO Push|URG).

*: Options marked with `*' require an argument following them.
Address ranges are given as 1.2.3.4/8 for all of 1.?.?.? (if you omit the CIDR mask, a subnet mask of /32 is implied).
Port ranges come in the format 1-4096 for a range, 80 for a single port, "a" for all 65535 TCP ports, and "p" for the default port range of 1-1024.
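The target notation above (ADDRESS[/CIDR]:PORTSPEC, with "a", "p", single ports and inclusive ranges) is small enough to parse exactly, and doing so is a useful pre-check: a reversed range or a port outside 1-65535 is rejected before any scan is scheduled. The following parser is an added example written for this page, not unicornscan's own code; it applies only the rules stated in the text, and the comma-separated port list ("22,80,443") it also accepts is an assumption about the notation, not something the page documents.

```python
"""Parser for the unicornscan-style target spec "ADDRESS[/CIDR]:PORTSPEC".

Added example (not unicornscan's own code). Rules implemented, as stated in
the documentation above: a missing CIDR mask means /32; "1-4096" is an
inclusive range; "80" is a single port; "a" is all 65535 TCP ports; "p" is
the default range 1-1024. Comma-separated lists are an assumption.
"""
import ipaddress

DEFAULT_PORTS = range(1, 1025)   # "p": the default port range 1-1024
ALL_PORTS = range(1, 65536)      # "a": all 65535 TCP ports


def parse_ports(spec: str) -> set:
    """Expand a port spec into a set of port numbers.

    Raises ValueError for ports outside 1-65535 or a reversed range, so a
    typo such as "8000-80" is caught before it reaches a scanner.
    """
    ports = set()
    for item in spec.split(","):          # assumption: comma separates items
        item = item.strip()
        if item == "a":
            ports.update(ALL_PORTS)
        elif item == "p":
            ports.update(DEFAULT_PORTS)
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if not (1 <= lo <= hi <= 65535):
                raise ValueError(f"bad port range: {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item!r}")
            ports.add(port)
    return ports


def parse_target(target: str):
    """Split "ADDRESS[/CIDR]:PORTSPEC" into (ip_network, set of ports)."""
    addr, sep, portspec = target.partition(":")
    if not sep:
        raise ValueError("target must be ADDRESS[/CIDR]:PORTSPEC")
    if "/" not in addr:
        addr += "/32"                     # no mask given: a single host
    # strict=False so "1.2.3.4/8" is accepted and normalised to 1.0.0.0/8
    network = ipaddress.ip_network(addr, strict=False)
    return network, parse_ports(portspec)


if __name__ == "__main__":
    # The example target from the documentation above.
    net, ports = parse_target("208.47.125.0/24:1-4000")
    print(net, net.num_addresses, "addresses,", len(ports), "ports")
```

The size of the expanded port set times the address count gives the number of probes a run will emit, which is the figure to compare against the -r (packets per second) setting when estimating how long a scan takes and how much traffic it puts on the wire.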
Example:
unicornscan -i eth1 208.47.125.0/24:1-4000 -pr 160 -E
Basic Example Output:
[root@host ~]# unicornscan 192.168.0.1
Open epmap[  135] From 192.168.0.1 ttl 128
Open netbios-ssn[  139] From 192.168.0.1 ttl 128
Open ldap[  389] From 192.168.0.1 ttl 128
Open microsoft-ds[  445] From 192.168.0.1 ttl 128
Open blackjack[ 1025] From 192.168.0.1 ttl 128
Open h323hostcall[ 1720] From 192.168.0.1 ttl 128
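Each result line in the output above carries the same four fields (service name, port, responding host, observed TTL), which makes it easy to turn a run into records and compare them against what a host is expected to expose. The parser below is an added example written for this page, not part of unicornscan; the sample output it embeds is copied from the listing above, and the EXPECTED baseline of allowed ports is constructed for the demonstration. The initial-TTL guess uses the common defaults of 64, 128 and 255 and is a heuristic, not something the page states.

```python
"""Parse unicornscan "Open ..." result lines and flag ports that a baseline
does not list.

Added example, not part of unicornscan. Line format taken from the sample
output above:  Open SERVICE[ PORT] From HOST ttl TTL
"""
import re
from collections import namedtuple

OpenPort = namedtuple("OpenPort", "host port service ttl")

# One result line, e.g. "Open netbios-ssn[  139] From 192.168.0.1 ttl 128"
LINE_RE = re.compile(
    r"^Open\s+(?P<service>\S+)\[\s*(?P<port>\d+)\]\s+"
    r"From\s+(?P<host>\S+)\s+ttl\s+(?P<ttl>\d+)\s*$"
)

# Copied from the example output above; the prompt line is deliberately
# included so the parser has to skip non-result lines.
SAMPLE_OUTPUT = """\
[root@host ~]# unicornscan 192.168.0.1
Open epmap[  135] From 192.168.0.1 ttl 128
Open netbios-ssn[  139] From 192.168.0.1 ttl 128
Open ldap[  389] From 192.168.0.1 ttl 128
Open microsoft-ds[  445] From 192.168.0.1 ttl 128
Open blackjack[ 1025] From 192.168.0.1 ttl 128
Open h323hostcall[ 1720] From 192.168.0.1 ttl 128
"""

# Constructed baseline: host -> ports that are allowed to be open.
EXPECTED = {"192.168.0.1": {135, 139, 445}}


def parse_output(text):
    """Return OpenPort records for every result line; other lines are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(OpenPort(m["host"], int(m["port"]),
                                    m["service"], int(m["ttl"])))
    return results


def unexpected_ports(results, expected):
    """Map host -> set of open ports that the baseline does not allow."""
    findings = {}
    for r in results:
        if r.port not in expected.get(r.host, set()):
            findings.setdefault(r.host, set()).add(r.port)
    return findings


def hops_from_ttl(ttl):
    """Heuristic: assume the sender started at 64, 128 or 255 and return
    (assumed initial TTL, estimated hop count). Not from the page."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"impossible TTL: {ttl}")


if __name__ == "__main__":
    records = parse_output(SAMPLE_OUTPUT)
    for host, ports in unexpected_ports(records, EXPECTED).items():
        print(f"{host}: not in baseline -> {sorted(ports)}")
    initial, hops = hops_from_ttl(records[0].ttl)
    print(f"ttl {records[0].ttl}: initial {initial}, about {hops} hops away")
```

Run against the sample, the baseline check reports 389, 1025 and 1720 as open but not allowed, which is the kind of delta an asset owner wants to review; feeding the records into the relational database output or a custom data-set view is the natural next step for tracking that delta over time.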