Scanrand is an extremely quick and effective port scanner. It works by forking two distinct processes:
- One to send the initial queries,
- One to receive responses and reconcile them with the above.
Scanrand comes as part of the paketto suite of tools and is available from Dan Kaminsky's
Note:- Install the provided
Installation is by means of the usual ./configure, make and make install process; however, I found that when installing on both Fedora Core 1 (within VMware) and Fedora Core 4, errors were encountered. These were fixed as follows:
Fedora Core 1:
The following lines cause an error as only the first has been commented; either comment them all or issue the command 4dd in the vi editor to delete them all:
"couldn't find the system macro _IOW on your machine...if you run find /usr/include | xargs grep _IOW and find some file other than sys/sockio.h containing the macro, email@example.com and I'll get it in the next build."
Strangely a different error? A number of files report errors on the configure process including paketto.c, lc.c, minewt.c and
paketto.c:112: error: invalid lvalue in assignment
paketto.c:121: error: invalid lvalue in assignment
paketto.c:136: error: invalid lvalue in assignment
paketto.c:137: error: invalid lvalue in assignment
paketto.c:167: error: invalid lvalue in assignment
paketto.c:173: error: invalid lvalue in assignment
paketto.c:179: error: invalid lvalue in assignment
paketto.c:320: error: invalid lvalue in assignment
paketto.c:337: error: invalid lvalue in assignment
minewt.c:602: error: invalid lvalue in assignment
scanutil.c: In function bake_syncookie:
scanutil.c:13: error: invalid lvalue in assignment
scanutil.c:14: error: invalid lvalue in assignment
scanutil.c: In function munch_syncookie:
scanutil.c:42: error: invalid lvalue in assignment
scanutil.c:43: error: invalid lvalue in assignment
scanutil.c: In function build_generic_syn:
scanutil.c:255: warning: assignment from incompatible pointer type
scanutil.c:264: error: invalid lvalue in assignment
scanutil.c:279: error: invalid lvalue in assignment
lc.c: In function main:
lc.c:193: error: invalid lvalue in assignment
lc.c:226: error: invalid lvalue in assignment
lc.c:247: error: invalid lvalue in assignment
The problem lies in the fact that the (char *) cast ((void *) in lc.c) appears on both sides of the assignment, and the first such cast, the one on the left-hand side, needs to be removed. For example:
(char *)x->eth = (char *)packet;
needs to be edited to:
x->eth = (char *)packet;
and
(char *)x->arp = (char *)x->eth + LIBNET_ETH_H;
needs to be edited to:
x->arp = (char *)x->eth + LIBNET_ETH_H;
There are quite a few of these changes to be made, but once they are done the code should compile without further trouble. Look for the error messages containing lvalue and assignment and record the line numbers reported. It is on these lines that you must remove the duplicate (char *) or (void *) from the left-hand side.
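One way to automate the step described above, as an added example that is not part of the original write-up or the paketto sources. The function names are hypothetical, the sample log is constructed from lines in the listing above, and the rewrite assumes each offending statement begins with a (char *) or (void *) cast directly in front of the assigned variable.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the compiler output shown above.
SAMPLE_LOG = """\
paketto.c:112: error: invalid lvalue in assignment
scanutil.c: In function bake_syncookie:
scanutil.c:13: error: invalid lvalue in assignment
scanutil.c:255: warning: assignment from incompatible pointer type
lc.c:193: error: invalid lvalue in assignment
"""

ERR_RE = re.compile(r"^([^:\s]+):(\d+): error: invalid lvalue in assignment$")
# A (char *) or (void *) cast at the start of a statement, directly before
# the variable being assigned. Casts on the right-hand side never match.
LHS_CAST_RE = re.compile(
    r"^(\s*)\(\s*(?:char|void)\s*\*\s*\)\s*(?=[A-Za-z_][\w.\->\[\]]*\s*=[^=])"
)

def lvalue_errors(log):
    """Map each source file to the sorted line numbers that need editing."""
    hits = defaultdict(list)
    for row in log.splitlines():
        m = ERR_RE.match(row.strip())
        if m:
            hits[m.group(1)].append(int(m.group(2)))
    return {name: sorted(nums) for name, nums in hits.items()}

def strip_lhs_cast(stmt):
    """Drop the cast in front of the assigned variable; keep the right side."""
    return LHS_CAST_RE.sub(r"\1", stmt, count=1)

def patch_source(lines, line_numbers):
    """Return a copy of `lines` with the reported 1-based lines rewritten."""
    out = list(lines)
    for n in line_numbers:
        out[n - 1] = strip_lhs_cast(out[n - 1])
    return out
```

Feed the real build output to lvalue_errors, then apply patch_source to each listed file and review the resulting diff before rebuilding.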
Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user. The only thing mandated is a target destination, which may be specified using either a FQDN (Fully Qualified Domain Name) or a numeric specification. These numerics may employ any of dashes, commas, or a combination thereof at the same time. For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine. More ports will be scanned by default when scanning a single host than when scanning a network. Scanrand is able to estimate remote hopcount by examining incoming
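To see how much traffic a numeric specification like the one above implies before it is approved for an engagement, the following added example (not scanrand's own parser) expands the dash/comma notation and counts probes. It assumes each dotted octet and the port list accept the same comma/dash syntax and that a port list is always given; the 64-byte SYN size is the figure quoted in this page's bandwidth option text, and all function names are hypothetical.

```python
from itertools import product

SYN_WIRE_BYTES = 64  # per-SYN size quoted in this page's bandwidth option text

def expand_field(field, lo, hi):
    """Expand one comma/dash field such as '1-10,20' into a sorted list."""
    values = set()
    for part in field.split(","):
        first, _, last = part.partition("-")
        start, end = int(first), int(last or first)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"bad range {part!r} (allowed {lo}-{hi})")
        values.update(range(start, end + 1))
    return sorted(values)

def expand_target(spec):
    """Return (hosts, ports) for a numeric 'a.b.c.d:ports' specification."""
    host, _, ports = spec.partition(":")
    octets = host.split(".")  # commas inside an octet stay with that octet
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets in {host!r}")
    octet_sets = [expand_field(o, 0, 255) for o in octets]
    hosts = [".".join(map(str, combo)) for combo in product(*octet_sets)]
    return hosts, expand_field(ports, 0, 65535)

def probe_budget(spec, bytes_per_second):
    """Probe count, bytes on the wire, and seconds needed at a send rate."""
    hosts, ports = expand_target(spec)
    probes = len(hosts) * len(ports)
    wire = probes * SYN_WIRE_BYTES
    return probes, wire, wire / bytes_per_second
```

For the specification in the text this gives 2805 hosts and 4 ports, that is 11220 probes, which take roughly seven seconds to send at 100,000 bytes per second.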
Only send requests, do not listen for their responses.
Only listen for responses, do not actually send the matching requests. There's nothing that forces the sender and receiver to be the same host -- in fact, split operation is explicitly supported.
Show responses from hosts that are up but aren't accepting connections to the requested port.
*ONLY* show responses from hosts that are up but aren't accepting connections to the requested port -- do not display ports that are up.
[number of seconds]
Set maximum number of seconds that may pass before listening process gives up on receiving any more responses. This timer is reset with every good response, whether the port is up or down.
Limit the amount of bandwidth that scanrand may use for its outgoing requests. -b 100k would limit said bandwidth to 100kbyte/s. Note, since outgoing SYN frames constitute only 64 bytes on the wire, very little bandwidth can go very, very far. The bandwidth value of 0 -- set by default -- corresponds to no bandwidth limitation.
Use Reverse-DNS to determine a DNS host name that matches the source of a detected packet.
Use Reverse-DNS to determine a DNS host name that matches the intended destination of a given packet.
Verbosity Level 1: Mark the sending of packets.
Verbosity Level 2: Output all interpreted TCP and IP headers.
ADDRESSING
Use this Layer 2 Device for all traffic.
Use this Layer 3 Source IP address for all traffic.
Use this Layer 4 TCP Source Port for all direct traffic. TCP Traceroute will use this port as a basis for its activity, but will vary its actual selected port by up to 255.
Use this value as a cryptographic seed for authenticating incoming packets. This value is normally generated automatically, but needs to be manually specified and synchronized when splitting the sender and receiver processes across invocations, hosts, and possibly entire networks. It is highly advised not to repeat the same seed for two separate scans; spoofing responses becomes much easier given that circumstance.
Read list of targets from a file. Syntax follows whatever is accepted on the command line.
Stateless TCP Tracerouting -- instead of just iterating across ports and hosts, we're iterating across network hops and reconstructing the network based on the ICMP errors (with original copies of our IP and first 8 bytes of TCP). May function in tandem with standard host/port lists. Specify minimum and maximum hop-distance you want to map, as in scanrand -l1-20 www.foobar.com
Verify Inverse SYN Cookies in returned ICMP errors. Not enabled by default.
Actively discover distance to target host. This is done by sending it an invalid ACK, which immediately forces a TCP RST. It turns out that lots of systems (including Minewt, oops) attempting to return replies as fast as possible will use the incoming packet as a prototype for the response, flipping only those fields that absolutely need to be. This doesn't include TTL...so what happens is, we send out our ACK probe with a TTL of around 180. No normal host will ever have a TTL in that range, and no normal network will hop down from the 255's into there. Now, we can look at returned RST's, see the TTL in the impossible range, and know that we caused it. Divide by two to get the average distance (between getting there and getting back, usually identical but not always due to asymmetric routing). "Distco mode" is flexible enough to handle when TTL's *are* handled correctly, and in at least one case, will determine hopcounts through firewalls that otherwise try to scrub the TTL back up to 64. On the flip side, at least one PIX likes to respond to an ACK with a locally produced RST|ACK, for some unimaginable reason. Great way to find out if you're behind a PIX, but it kills Distco dead (sort of like the 80's).
PORT SELECTION
Instead of using a comma/dash notated port range, like "80,20-25", several default port ranges have been precompiled into scanrand. They are:
Quick scanning hits the top one or two dozen TCP service ports that are often enabled on a given server. This translates directly to: 80,443,445,53,20-23,25,135,139,8080,110,111,143,1025,5000,465,993,31337,79,8010,8000,6667,2049,3306. This is the default scan mode when scanning a single host. When multiple hosts are scanned, scanrand automatically defaults to scan only port 80 (HTTP).
Super-Quick scanning hits the top five or six TCP service ports that are very often enabled on a given server. This translates directly to: 80,443,139,21,22,23
Known Port Scanning uses IANA's list of TCP port numbers, as well as any other port numbers observed by Fyodor of the nmap project, to select 1150 ports from the 65K possible to scan. This is equivalent to the nmap "fast scan" option.
Scans all ports -- 0 (which is a valid port!) to 65535.
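The seed option and the send-only/listen-only split described above both rest on the receiver recognising genuine replies without a table of sent probes. The following added sketch shows that idea and why a repeated seed weakens it; it is not scanrand's code, and the construction (HMAC-SHA1 over the address/port 4-tuple, truncated to 32 bits and carried in the SYN sequence number), the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

def bake_cookie(seed, src_ip, dst_ip, src_port, dst_port):
    """32-bit sequence number derived from the seed and the probe's 4-tuple."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HH", src_port, dst_port))
    return struct.unpack("!I", hmac.new(seed, msg, hashlib.sha1).digest()[:4])[0]

def check_reply(seed, reply):
    """Accept a reply only if its ACK number equals our cookie + 1.

    `reply` describes a packet arriving at the scanner, so its source is the
    scanned host. Nothing is looked up; the seed alone decides.
    """
    cookie = bake_cookie(seed, reply["dst_ip"], reply["src_ip"],
                         reply["dst_port"], reply["src_port"])
    expected = struct.pack("!I", (cookie + 1) & 0xFFFFFFFF)
    return hmac.compare_digest(expected, struct.pack("!I", reply["ack"]))

def demo():
    """Constructed scenario: one genuine reply, one guess, two later scans."""
    seed_a, seed_b = b"constructed-seed-A", b"constructed-seed-B"
    scanner, target = "192.0.2.10", "192.0.2.20"
    isn = bake_cookie(seed_a, scanner, target, 40000, 445)
    genuine = {"src_ip": target, "dst_ip": scanner, "src_port": 445,
               "dst_port": 40000, "ack": (isn + 1) & 0xFFFFFFFF}
    guessed = dict(genuine, src_port=80, ack=0x12345678)  # never saw the SYN
    return {
        "genuine": check_reply(seed_a, genuine),
        "guessed": check_reply(seed_a, guessed),
        # A reply recorded during the first scan, presented to a later scan:
        "later_scan_same_seed": check_reply(seed_a, genuine),
        "later_scan_new_seed": check_reply(seed_b, genuine),
    }
```

A reply recorded in one scan still verifies in any later scan that reuses the seed, which is why the text advises a fresh seed per scan and a synchronised one only between the two halves of a single split scan.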
Simple Sample Output:
~]# scanrand 192.168.0.1:all
192.168.0.1:135  0.112s
192.168.0.1:139  0.112s
192.168.0.1:389  0.151s
192.168.0.1:445  0.155s
192.168.0.1:1025  0.898s
192.168.0.1:1026  0.899s
192.168.0.1:1720  0.955s
192.168.0.1:3002  1.026s
192.168.0.1:47624  14.983s
These open ports can then be mapped to various services. With 135, 139 and 445 open, we are obviously looking at a Microsoft Windows host. From a pen tester's perspective, the services running on the other ports may now be of interest.