UNICORNSCAN(1)                  Network Tools                  UNICORNSCAN(1)

unicornscan Version 0.4.6b is an asynchronous network stimulus
delivery/response recording tool.

unicornscan [-b, --broken-crc layer] [-B, --source-port port]
[-d, --delay-type type] [-D, --no-defpayload] [-e, --enable-module modules]
[-E, --proc-errors] [-F, --try-frags] [-G, --payload-group group]
[-h, --help] [-H, --do-dns] [-i, --interface interface] [-I, --immediate]
[-j, --ignore-seq ignore] [-l, --logfile file] [-L, --packet-timeout delay]
[-m, --mode mode] [-M, --module-dir directory] [-p, --ports string]
[-P, --pcap-filter filter] [-q, --covertness covertness] [-Q, --quiet]
[-r, --pps rate] [-R, --repeats repeats] [-s, --source-addr address]
[-S, --no-shuffle] [-t, --ip-ttl TTL] [-T, --ip-tos TOS] [-w, --safefile file]
[-W, --fingerprint fingerprint] [-v, --verbose] [-V, --version] [-z, --sniff]
[-Z, --drone-type type] target list

unicornscan: ...

[-b, --broken-crc Layer]
       Break CRC sums on the following layers. N and T are valid, and
       both may be used without a separator, so NT would indicate that
       both Network and Transport layers are to have invalid checksums.

[-B, --source-port Port]
       Source port for sent packets. A numeric value of -1 means to use
       a random source port (the default situation); other valid
       settings are 0 to 65535. Normally this option will not be used,
       but sometimes it is useful to, say, scan from port 53 into a
       network.

[-d, --delay-type Type]
       Specify the timer used for pps calculations. The default is
       variable and will try to use something appropriate for the rate
       you have selected. Note, however, that the tsc timer and the
       gtod timer, if available, are very CPU intensive. If you require
       unicornscan to not monopolize your system while running,
       consider using the sleep timer, normally 3. It has been observed
       that the tsc timer and gtod timer are required for high packet
       rates; however, this is highly system dependent and should be
       tested on each hardware/platform combination. The tsc timer may
       not be available on every CPU. The sleep timer module is not
       recommended for scans where utmost accuracy is required.

[-D, --no-defpayload]
       Do not use default payloads when one cannot be found.

[-e, --enable-module List]
       A comma-separated list of modules to activate (note: payload
       modules do not require explicit activation, as they are enabled
       by default). An example would be `pgsqldb,foomod'.

[-E, --proc-errors]
       Enable processing of errors such as ICMP error messages and
       reset+ack messages (for example). If this option is set, you
       will see responses that may or may not indicate the presence of
       a firewall, or other otherwise missed information.

[-F, --try-frags]
       It is likely that this option doesn't work; don't bother using
       it until it is fixed.

[-G, --payload-group Group]
       Activate payloads only from this numeric payload group. The
       default payload group is 1.

[-h, --help]
       If you don't know what this means, perhaps you should consider
       not using this program.

[-H, --do-dns]
       Resolve DNS hostnames before and after the scan (but not during,
       as that would likely cause superfluous spurious responses during
       the scan, especially if UDP scanning). The hosts that will be
       resolved are (in order of resolution) the low and high addresses
       of the range, and finally each host address that replied with
       something that would be visible depending on other scan options.
       This option is not recommended for use during scans where utmost
       accuracy is required.

[-i, --interface Interface]
       String representation of the interface to use, overriding
       automatic detection.

[-I, --immediate]
       Display results immediately as they are found in a sort of meta
       report format (read: terse). This option is not recommended for
       use during scans where the utmost accuracy is required.

[-j, --ignore-seq Type]
       A string representing the intended sequence ignorance level.
       This affects the TCP header validity checking, normally used to
       filter noise from the scan. If, for example, you wish to see
       reset packets with an ack+seq that is not set, or perhaps
       intended for something else, the appropriate use of this option
       would be R. A is normally used for more exotic TCP scanning.
       Normally the R option is associated with reset scanning.

[-l, --logfile File]
       Path to a file where flat text will be dumped that normally
       would go to the user's terminal. A limitation of this option
       currently is that it only logs the output of the `Main' thread
       and not the sender and receiver.

[-L, --packet-timeout Seconds]
       Numeric value representing the number of seconds to wait before
       declaring the scan over. For connect scans, or when scanning a
       high-latency target network, for example, this option can
       sometimes be adjusted to get more accurate results.

[-m, --mode Mode]
       String representation of the desired scanning mode. Correct
       usage includes U, T, A and sf for Udp scanning, Tcp scanning,
       Arp scanning, and Tcp Connect scanning respectively.

[-M, --module-dir Directory]
       Path to a directory containing shared object `modules' for
       unicornscan to search.

[-p, --ports Ports]
       A global list of ports to scan; it can be overridden in the
       target specification on a per-target basis.

[-P, --pcap-filter Filter]
       A pcap filter string to add to the listener's default pcap
       filter (that will be associated with the scan mode being used).

[-c, --covertness Level]
       Numeric option that currently does nothing, except look cool.

[-Q, --quiet]
       This option is intended to make unicornscan play the `quiet
       game'. If you are unfamiliar with its rules, consult with
       someone else who finds you irritating.

[-r, --pps Rate]
       This is arguably the most important option. It is a numeric
       option containing the desired packets per second for the sender
       to use. Choosing a rate too high will cause your scan results to
       be incomplete. Choosing a rate too low will likely make you feel
       as though you are using nmap.

[-R, --repeats Times]
       The number of times to completely repeat the sender's workload.
       This option is intended to improve accuracy during critical
       scans, or with scans going over a highly unreliable network.

[-s, --source-addr Address]
       The address to use to override the listener's default interface
       address. Using this option often necessitates using the helper
       program fantaip(1) to make sure the replies are routed back to
       the interface the listener has open.

[-S, --no-shuffle]
       ..

[-t, --ip-ttl Number]
       ..

[-T, --ip-tos Number]
       ..

[-w, --savefile File]
       ..

[-W, --fingerprint Type]
       ..

[-v, --verbose]
       ..

[-V, --version]
       ..

[-z, --sniff]
       ..

[-Z, --drone-type Type]
       ..

unicornscan -msf -s 5.4.3.2 -r 340 -Iv -epgsqldb www.domain.tld/21:80,8080,443,81

runs unicornscan in connect mode with an apparent (to the target) source
address of 5.4.3.2 at a rate of 340 packets per second. Results will be
displayed as they are found (-I) and the output will be verbose (-v). The
module `pgsqldb' will be activated (-epgsqldb), and the target of this scan
will be the /21 network that host www.domain.tld belongs to, making attempts
to connect to ports 80, 8080, 443 and 81.
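
The target specification and rate from the invocation above, worked through as an added example (not part of the unicornscan distribution): it parses an address/prefix:ports target, falling back to a global -p style list, and estimates the probe count and minimum send time for a given -r rate. The 10.20.30.40 address is a constructed stand-in for www.domain.tld; the `low-high` port-range syntax, one probe per address/port pair, and the handling of repeats and timeout are assumptions.

```python
import ipaddress

def parse_target(spec, global_ports="80"):
    """Split 'address/prefix:ports' into (network, sorted list of ports).

    global_ports models the -p list, used when the target names no ports.
    IPv4 only: the ':' separator would clash with IPv6 literals.
    """
    addr_part, _, port_part = spec.partition(":")
    # strict=False masks the host bits, giving the network the host belongs to.
    network = ipaddress.ip_network(addr_part, strict=False)
    ports = set()
    for item in (port_part or global_ports).split(","):
        low, _, high = item.partition("-")  # 'low-high' ranges: assumed syntax
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port specification: {item!r}")
        ports.update(range(low, high + 1))
    return network, sorted(ports)

def estimate(spec, pps, repeats=1, packet_timeout=0, global_ports="80"):
    """Estimate probe count and minimum duration for one target spec.

    Assumptions: one initial probe per address/port pair per pass, every
    address in the block is probed, repeats is the total number of passes,
    and packet_timeout seconds are waited once after the last send.
    """
    if pps <= 0 or repeats < 1:
        raise ValueError("pps must be positive and repeats at least 1")
    network, ports = parse_target(spec, global_ports)
    probes = network.num_addresses * len(ports) * repeats
    return {
        "network": str(network),
        "addresses": network.num_addresses,
        "ports": ports,
        "probes": probes,
        "seconds": probes / pps + packet_timeout,
    }

if __name__ == "__main__":
    # Constructed target: a private address standing in for www.domain.tld.
    for rate in (340, 3400):
        result = estimate("10.20.30.40/21:80,8080,443,81", pps=rate)
        print(rate, result["network"], result["probes"], round(result["seconds"], 1))
```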

unicorn.conf
       The file containing the default configuration options for usage.

modules.conf
       The default file for module parameters.

oui.txt
       Contains the MAC prefix to vendor mapping used in Ethernet
       scanning.

payloads.conf
       The default file for tcp and udp payloads.

ports.txt
       The protocol/port number to name mapping.

fantaip(1) unicfgtst(1) unicycle(1) unibrow(1) unicorn.conf(5)

Report Bugs to osace-users@lists.sourceforge.net

(C)2004 Jack Louis jack@rapturesecurity.org This is free software; see
the source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Network Tools                     03/30/05                     UNICORNSCAN(1)