The Web Local





Scanrand is extremely quick and effective port scanner.   It works by forking two distinct processes:


  •     One to send the initial queries,
  •     One to receive responses and reconcile them from the above.  




Scanrand comes as part of the paketto suite of tools and is available from Dan Kaminsky's site.


Note:- Install the provided libnet,libtomcrypt and libpcap tarballs first

Installation is by means of the usual ./configure, make and make install process, however I found that with installing on both Fedora Core 1 (within VMWare) and Fedora Core 4 that errors were encountered.  These were fixed as follows:


Fedora Core 1:


paketto.h the following lines cause an error as only the first has been commented, either comment them all or issue the command 4dd in the vi editor to delete them all


#error "We couldn't find the system macro _IOW on your machine...if you run find /usr/include | xargs grep _IOW and find some file other than sys/sockio.h containing the macro, and I'll get it in the next build."


Fedora Core 4-6:

Strangely a different error?  A number of files report errors on the configure process including paketto.c, lc.c, minewt.c and scanutil.c


paketto.c:112: error: invalid lvalue in assignment
paketto.c:121: error: invalid lvalue in assignment
paketto.c:136: error: invalid lvalue in assignment
paketto.c:137: error: invalid lvalue in assignment
paketto.c:167: error: invalid lvalue in assignment
paketto.c:173: error: invalid lvalue in assignment
paketto.c:179: error: invalid lvalue in assignment
paketto.c:320: error: invalid lvalue in assignment
paketto.c:337: error: invalid lvalue in assignment

minewt.c:602: error: invalid lvalue in assignment

scanutil.c: In function bake_syncookie:
scanutil.c:13: error: invalid lvalue in assignment
scanutil.c:14: error: invalid lvalue in assignment
scanutil.c: In function munch_syncookie:
scanutil.c:42: error: invalid lvalue in assignment
scanutil.c:43: error: invalid lvalue in assignment
scanutil.c: In function build_generic_syn:
scanutil.c:255: warning: assignment from incompatible pointer type
scanutil.c:264: error: invalid lvalue in assignment
scanutil.c:279: error: invalid lvalue in assignment

lc.c: In function main:
lc.c:193: error: invalid lvalue in assignment
lc.c:226: error: invalid lvalue in assignment
lc.c:247: error: invalid lvalue in assignment


The problem lies in the fact that the (char *) ((void *) in lc.c) variable has been declared both sides and the first such reference to this needs to be removed i.e.


(char *)x->eth = (char *)packet;  needs to be edited to:

x->eth = (char *)packet; and


(char *)x->arp = (char *)x->eth + LIBNET_ETH_H; needs to be edited to:

x->arp = (char *)x->eth + LIBNET_ETH_H; etc. 


There are quite a few of these changes to be made but once done should then compile straightforwardly.  Look for the error messages lvalue and assignment and record the line numbers outputted.  It is on these lines that you must remove the duplicate variables.




Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user.  The only thing mandated is a target destination, which may be specified using either a FQDN(Fully Qualified Domain Name) or a numeric specification.  These numerics may employ any number of dashes, commas, or combination thereof at the same time.  For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine.  More ports will be scanned by default when scanning a single host than when scanning a network. Scanrand is able to estimate remote hopcount by examining incoming TTLs.




Only send requests, do not listen for their responses.



Only listen for responses, do not actually send the matching requests. There's nothing that forces the sender and receiver to be the same host -- in fact, split operation is explicitly supported.



Show responses from hosts that are up but aren't accepting connections to the requested port.



*ONLY* show responses from hosts that are up but aren't accepting connections to the requested port -- do not display ports that are up.


[number of seconds]

Set maximum number of seconds that may pass before listening process gives up on receiving any more responses.  This timer is reset with every good response, whether the port is up or down.




Limit the amount of bandwidth that scanrand may use for its outgoing requests. -b 100k would limit said bandwidth to 100kbyte/s.  Note, since outgoing SYN frames constitute only 64 bytes on the wire, very little bandwidth can go very, very far.  The bandwidth value of 0 -- set by default -- corresponds to no bandwidth limitation.



Use Reverse-DNS to determine a DNS host name that matches the source of a detected packet.



Use Reverse-DNS to determine a DNS host name that matches the intended destination of a given packet.



Verbosity Level 1:  Mark the sending of packets.



Verbosity Level 2:  Output all interpreted TCP and IP headers. ADDRESSING



Use this Layer 2 Device for all traffic.


<IP Address>

Use this Layer 3 Source IP address for all traffic.



Use this Layer 4 TCP Source Port for all direct traffic.   TCP Traceroute will use this port as a basis for its activity, but will vary its actual selected port by up to 255.



 Use this value as a cryptographic seed for authenticating incoming packets. This value is normally generated automatically, but needs to be manually specified and synchronized when splitting the sender and receiver processes across invocations, hosts, and possibly entire networks. It is highly advised not to repeat the same seed for two separate scans; spoofing responses becomes much easier given that circumstance.



Read list of targets from a file.  Syntax follows whatever is accepted on the command line.



 Stateless TCP Tracerouting -- instead of just iterating across ports and hosts, we're iterating across network hops and reconstructing the network based on the ICMP errors (with original copies of our IP and first 8 bytes of TCP.  May function in tandem with standard host/port lists.  Specify minimum and maximum hop-distance you want to map, as in scanrand -l1-20



Verify Inverse SYN Cookies in returned ICMP errors.  Not enabled by default.



Actively discover distance to target host.  This is done by sending it an invalid ACK, which immediately forces a TCP RST.  It turns out that lots of systems (including Minewt, oops) attempting to return replies as fast as possible will use the incoming packet as a prototype for the response, flipping only those fields that absolutely need to be.  This doesn't include what happens is, we send out our ACK probe with a TTL of around 180.  No normal host will ever have a TTL in that range, and no normal network will hop down from the 255's into there.  Now, we can look at returned RST's, see the TTL in the impossible range, and know that we caused it.  Divide by two to get the average distance (between getting there and getting back, usually identical but not always due to asymmetric routing).  "Distco mode" is flexible enough to handle when TTL's *are* handled correctly, and in at least one case, will determine hopcounts through firewalls that otherwise try to scrub the TTL back up to 64.  On the flip side, at least one PIX likes to respond to an ACK with a locally produced RST|ACK, for some unimaginable reason.  Great way to find out if you're behind a PIX, but it kills Distco dead (sort of like the 80's). PORT SELECTION Instead of using a comma/dash notated port range, like "80,20-25", several default port ranges have been precompiled into scanrand.  They are:



Quick scanning hits the top one or two dozen TCP service ports that are often enabled on a given server.  This translates directly to: 80,443,445,53,20-23,25,135,139,8080, 110,111,143,1025,5000,465,993,31337, 79,8010,8000,6667,2049,3306 This is the default scan mode when scanning a single host.  When multiple hosts are scanned, scanrand automatically defaults to scan only port 80 (HTTP).



Super-Quick scanning hits the top five or six TCP service ports that are very often enabled on a given server.  This translates directly to: 80,443,139,21,22,23



Known Port Scanning uses IANA's list of TCP port numbers, as well as any other port numbers observed by Fyodor of the nmap project, to select 1150 ports from the 65K possible to scan.  This is equivalent to the nmap "fast scan" option.



Scans all ports -- 0(which is a valid port!) to 65535.



Simple Sample Output:


root@host ~]# scanrand

UP: [01] 0.112s

UP: [01] 0.112s

UP: [01] 0.151s

UP: [01] 0.155s

UP: [01] 0.898s

UP: [01] 0.899s

UP: [01] 0.955s

UP: [01] 1.026s

UP: [01] 14.983s


These open ports can then be mapped to various services, obviously from the ports open we are looking at a Microsoft Windows host with 135,139 and 445 open.  From a pen testers perspective now, the services running on the other ports may be of interest.



IT Security News:


Pen Testing Framework:


Latest Tool Reviews: