bash-2.05a# scanrand
Destination required.
scanrand 1.0: Stateless TCP Scanner w/ Inverse SYN Cookies(HMAC-SHA1/32 in SEQ)
  Component of: Paketto Keiretsu 1.0; Dan Kaminsky (dan@doxpara.com)
Example: scanrand -b10M 10.0.1.1-254:80,20-25,139
Def. Ports: Use [quick/squick/known/all] instead of explicitly naming ports
Options:
  -S/-L: Only send requests / Only listen for responses
  -e/-E: Show negative responses / Only show negative responses
  -t [timeout]: Wait n full seconds for the last response (10s)
  -b[bandwidth]: Limit bandwidth consumption to n b/k/m/g bytes(0)
                 (0 suppresses timeouts or maximizes bw utilization)
  -N/-NN : Enable name resolution (Prefer Source/Dest)
  -v : Mark packets being sent, as well as received
  -vv : Output full packet traces to stderr
Addressing:
  -d [device]: Send requests from this L2 hardware device
  -i [source]: Send requests from this L3 IP address
  -p [ port]: Send requests from this L4 TCP Port
  -s [ seed]: Use prespecified seed for scan verification
  -f [ file]: Read list of targets from file
Experiments:
  -l [ttl-ttl]: Statelessly TCP Traceroute
  -c : Try checking Inverse SYN Cookie on Traceroute
Notes:
  Use Control-C to exit before scanrand times out.
  Be sure to use a longer timeout for slow scans!
  [n]: estimated network distance from target host.
  Be careful about available bandwidth -- use -b!
# Quick scan of local network
bash-2.05a# scanrand 10.0.1.1-254:quick
UP: 10.0.1.38:80 [01] 0.003s
UP: 10.0.1.110:443 [01] 0.017s
UP: 10.0.1.254:443 [01] 0.021s
UP: 10.0.1.57:445 [01] 0.024s
UP: 10.0.1.59:445 [01] 0.024s
UP: 10.0.1.38:22 [01] 0.047s
UP: 10.0.1.110:22 [01] 0.058s
UP: 10.0.1.110:23 [01] 0.058s
UP: 10.0.1.254:22 [01] 0.077s
UP: 10.0.1.254:23 [01] 0.077s
UP: 10.0.1.25:135 [01] 0.088s
UP: 10.0.1.57:135 [01] 0.089s
UP: 10.0.1.59:135 [01] 0.090s
UP: 10.0.1.25:139 [01] 0.097s
UP: 10.0.1.27:139 [01] 0.098s
UP: 10.0.1.57:139 [01] 0.099s
UP: 10.0.1.59:139 [01] 0.099s
UP: 10.0.1.38:111 [01] 0.127s
UP: 10.0.1.57:1025 [01] 0.147s
UP: 10.0.1.59:1025 [01] 0.147s
UP: 10.0.1.57:5000 [01] 0.156s
UP: 10.0.1.59:5000 [01] 0.157s
UP: 10.0.1.53:111 [01] 0.182s
# Quick scan of Slashdot. Hmm, bout 12 hops away?
bash-2.05a# scanrand www.slashdot.org
UP: 66.35.250.150:80 [12] 0.017s
UP: 66.35.250.150:443 [12] 0.018s
# Let's check that... ah, 13. Have to slow down to 2mbit.
bash-2.05a# scanrand -b2m -l1-13 www.slashdot.org
002 = 63.251.53.219|80 [02] 0.018s( 10.0.1.11 -> 66.35.250.150 )
001 = 64.81.64.1|80 [01] 0.031s( 10.0.1.11 -> 66.35.250.150 )
003 = 63.251.63.79|80 [03] 0.044s( 10.0.1.11 -> 66.35.250.150 )
004 = 63.211.143.17|80 [04] 0.066s( 10.0.1.11 -> 66.35.250.150 )
005 = 209.244.14.193|80 [05] 0.084s( 10.0.1.11 -> 66.35.250.150 )
006 = 208.172.147.201|80 [08] 0.099s( 10.0.1.11 -> 66.35.250.150 )
007 = 208.172.146.104|80 [06] 0.119s( 10.0.1.11 -> 66.35.250.150 )
008 = 208.172.156.157|80 [08] 0.140s( 10.0.1.11 -> 66.35.250.150 )
009 = 208.172.156.198|80 [08] 0.167s( 10.0.1.11 -> 66.35.250.150 )
010 = 66.35.194.196|80 [09] 0.187s( 10.0.1.11 -> 66.35.250.150 )
011 = 66.35.194.58|80 [09] 0.208s( 10.0.1.11 -> 66.35.250.150 )
012 = 66.35.212.174|80 [10] 0.229s( 10.0.1.11 -> 66.35.250.150 )
UP: 66.35.250.150:80 [12] 0.241s
# Activate DNS resolution (better done as a postprocess, though.)
bash-2.05a# scanrand -b2m -N -l1-13 www.slashdot.org
001 = 64.81.64.1|80 [01] 0.020s( gw081-064-001-sfo1.dsl-isp.net)
002 = 63.251.53.219|80 [02] 0.030s(border5.g3-4.speakeasy-29.sfo.pnap.)
003 = 63.251.63.79|80 [03] 0.053s( core5.ge3-0-bbnet2.sfo.pnap.net)
004 = 63.211.143.17|80 [04] 0.092s(gige4-0-233.ipcolo1.SanFrancisco1.L)
005 = 209.244.14.193|80 [05] 0.121s(gigabitethernet4-0.core1.SanFrancis)
006 = 208.172.147.201|80 [08] 0.123s( acr1-so-2-0-0.SantaClara.cw.net)
007 = 208.172.146.104|80 [06] 0.137s( agr4-loopback.SantaClara.cw.net)
008 = 208.172.156.157|80 [08] 0.150s( dcr2-so-1-3-0.SantaClara.cw.net)
009 = 208.172.156.198|80 [08] 0.168s( ibr01-p4-0.sntc08.exodus.net)
010 = 66.35.194.196|80 [09] 0.190s( dcr02-g10-1.sntc08.exodus.net)
011 = 66.35.194.58|80 [09] 0.211s( csr01-ve242.sntc08.exodus.net)
012 = 66.35.212.174|80 [10] 0.239s( 66.35.212.174)
UP: 66.35.250.150:80 [12] 0.313s( sc8.slashdot.org)
# Let's combine host scanning and tracerouting... why not, it's fast enough :-)
bash-2.05a# scanrand -b 1m -l 1-10 64-66.5,8,15-17.1.1:80
001 = 64.81.64.1|80 [01] 0.021s( 10.0.1.11 -> 64.5.1.1 ) 001 = 64.81.64.1|80 [01] 0.037s( 10.0.1.11 -> 65.5.1.1 ) 001 = 64.81.64.1|80 [01] 0.054s( 10.0.1.11 -> 66.5.1.1 ) 002 = 63.251.53.219|80 [02] 0.059s( 10.0.1.11 -> 64.5.1.1 ) 002 = 63.251.53.219|80 [02] 0.088s( 10.0.1.11 -> 65.5.1.1 ) 002 = 63.251.53.219|80 [02] 0.101s( 10.0.1.11 -> 66.5.1.1 ) 003 = 63.251.63.1|80 [03] 0.118s( 10.0.1.11 -> 64.5.1.1 ) 003 = 63.251.63.67|80 [03] 0.167s( 10.0.1.11 -> 66.5.1.1 ) 004 = 160.81.100.1|80 [04] 0.189s( 10.0.1.11 -> 64.5.1.1 ) 004 = 206.24.216.193|80 [04] 0.219s( 10.0.1.11 -> 66.5.1.1 ) 005 = 144.232.3.169|80 [05] 0.240s( 10.0.1.11 -> 64.5.1.1 ) 005 = 206.24.210.61|80 [05] 0.291s( 10.0.1.11 -> 66.5.1.1 ) 006 = 144.232.3.193|80 [06] 0.324s( 10.0.1.11 -> 64.5.1.1 ) 006 = 192.205.32.109|80 [07] 0.340s( 10.0.1.11 -> 66.5.1.1 ) 007 = 144.232.9.214|80 [07] 0.379s( 10.0.1.11 -> 64.5.1.1 ) 007 = 12.122.11.217|80 [07] 0.413s( 10.0.1.11 -> 
66.5.1.1 ) 008 = 144.232.18.42|80 [08] 0.444s( 10.0.1.11 -> 64.5.1.1 ) 009 = 144.232.6.126|80 [09] 0.508s( 10.0.1.11 -> 64.5.1.1 ) 009 = 12.122.11.106|80 [08] 0.571s( 10.0.1.11 -> 66.5.1.1 ) 001 = 64.81.64.1|80 [01] 0.620s( 10.0.1.11 -> 64.8.1.1 ) 010 = 12.123.24.137|80 [09] 0.632s( 10.0.1.11 -> 66.5.1.1 ) 001 = 64.81.64.1|80 [01] 0.637s( 10.0.1.11 -> 65.8.1.1 ) 001 = 64.81.64.1|80 [01] 0.654s( 10.0.1.11 -> 66.8.1.1 ) 002 = 63.251.53.219|80 [02] 0.658s( 10.0.1.11 -> 64.8.1.1 ) 002 = 63.251.53.219|80 [02] 0.679s( 10.0.1.11 -> 65.8.1.1 ) 002 = 63.251.53.219|80 [02] 0.700s( 10.0.1.11 -> 66.8.1.1 ) 003 = 63.251.63.79|80 [03] 0.718s( 10.0.1.11 -> 64.8.1.1 ) 003 = 63.251.63.70|80 [03] 0.767s( 10.0.1.11 -> 66.8.1.1 ) 004 = 63.211.143.17|80 [04] 0.788s( 10.0.1.11 -> 64.8.1.1 ) 004 = 63.145.224.1|80 [05] 0.829s( 10.0.1.11 -> 66.8.1.1 ) 005 = 209.244.14.197|80 [05] 0.847s( 10.0.1.11 -> 64.8.1.1 ) 005 = 205.171.14.97|80 [06] 0.891s( 10.0.1.11 -> 66.8.1.1 ) 006 = 209.247.10.233|80 [07] 0.908s( 10.0.1.11 -> 64.8.1.1 ) 006 = 205.171.205.30|80 [06] 0.949s( 10.0.1.11 -> 66.8.1.1 ) 007 = 64.159.0.218|80 [08] 0.958s( 10.0.1.11 -> 64.8.1.1 ) 007 = 165.117.48.117|80 [08] 1.000s( 10.0.1.11 -> 66.8.1.1 ) 008 = 64.159.2.164|80 [08] 1.019s( 10.0.1.11 -> 64.8.1.1 ) 009 = 65.57.86.2|80 [13] 1.089s( 10.0.1.11 -> 64.8.1.1 ) 009 = 165.117.68.161|80 [13] 1.134s( 10.0.1.11 -> 66.8.1.1 ) 008 = 165.117.67.241|80 [14] 1.141s( 10.0.1.11 -> 66.8.1.1 ) 010 = 66.109.14.137|80 [12] 1.150s( 10.0.1.11 -> 64.8.1.1 ) 001 = 64.81.64.1|80 [01] 1.205s( 10.0.1.11 -> 64.15.1.1 ) 001 = 64.81.64.1|80 [01] 1.221s( 10.0.1.11 -> 64.16.1.1 ) 001 = 64.81.64.1|80 [01] 1.253s( 10.0.1.11 -> 64.17.1.1 ) 010 = 165.117.200.77|80 [10] 1.260s( 10.0.1.11 -> 66.8.1.1 ) 001 = 64.81.64.1|80 [01] 1.271s( 10.0.1.11 -> 65.15.1.1 ) 001 = 64.81.64.1|80 [01] 1.287s( 10.0.1.11 -> 65.16.1.1 ) 001 = 64.81.64.1|80 [01] 1.304s( 10.0.1.11 -> 65.17.1.1 ) 001 = 64.81.64.1|80 [01] 1.322s( 10.0.1.11 -> 66.15.1.1 ) 001 = 64.81.64.1|80 [01] 1.353s( 
10.0.1.11 -> 66.16.1.1 ) 001 = 64.81.64.1|80 [01] 1.371s( 10.0.1.11 -> 66.17.1.1 ) 002 = 63.251.53.219|80 [02] 1.387s( 10.0.1.11 -> 64.15.1.1 ) 002 = 63.251.53.219|80 [02] 1.407s( 10.0.1.11 -> 64.16.1.1 ) 002 = 63.251.53.219|80 [02] 1.427s( 10.0.1.11 -> 64.17.1.1 ) 002 = 63.251.53.219|80 [02] 1.448s( 10.0.1.11 -> 65.15.1.1 ) 002 = 63.251.53.219|80 [02] 1.467s( 10.0.1.11 -> 65.16.1.1 ) 002 = 63.251.53.219|80 [02] 1.478s( 10.0.1.11 -> 65.17.1.1 ) 002 = 63.251.53.219|80 [02] 1.499s( 10.0.1.11 -> 66.15.1.1 ) 002 = 63.251.53.219|80 [02] 1.529s( 10.0.1.11 -> 66.16.1.1 ) 002 = 63.251.53.219|80 [02] 1.541s( 10.0.1.11 -> 66.17.1.1 ) 003 = 63.251.63.3|80 [03] 1.638s( 10.0.1.11 -> 65.16.1.1 ) 003 = 63.251.63.14|80 [03] 1.659s( 10.0.1.11 -> 65.17.1.1 ) 003 = 63.251.63.67|80 [03] 1.727s( 10.0.1.11 -> 66.17.1.1 ) 004 = 12.126.195.77|80 [04] 1.819s( 10.0.1.11 -> 65.16.1.1 ) 004 = 63.211.143.17|80 [04] 1.842s( 10.0.1.11 -> 65.17.1.1 ) 004 = 206.24.216.193|80 [04] 1.899s( 10.0.1.11 -> 66.17.1.1 ) 005 = 12.123.13.58|80 [05] 2.012s( 10.0.1.11 -> 65.16.1.1 ) 005 = 209.244.14.193|80 [05] 2.018s( 10.0.1.11 -> 65.17.1.1 ) 005 = 206.24.210.61|80 [05] 2.081s( 10.0.1.11 -> 66.17.1.1 ) 006 = 209.247.10.233|80 [07] 2.198s( 10.0.1.11 -> 65.17.1.1 ) 006 = 208.172.146.103|80 [06] 2.261s( 10.0.1.11 -> 66.17.1.1 ) 007 = 12.122.10.26|80 [08] 2.368s( 10.0.1.11 -> 65.16.1.1 ) 007 = 209.247.11.169|80 [08] 2.423s( 10.0.1.11 -> 65.17.1.1 ) 007 = 208.172.156.153|80 [08] 2.441s( 10.0.1.11 -> 66.17.1.1 ) 008 = 209.247.11.182|80 [08] 2.603s( 10.0.1.11 -> 65.17.1.1 ) 008 = 208.172.156.58|80 [09] 2.621s( 10.0.1.11 -> 66.17.1.1 ) 009 = 12.122.12.58|80 [09] 2.762s( 10.0.1.11 -> 65.16.1.1 ) 009 = 209.245.208.30|80 [09] 2.783s( 10.0.1.11 -> 65.17.1.1 ) 009 = 208.172.146.19|80 [09] 2.810s( 10.0.1.11 -> 66.17.1.1 ) 010 = 12.123.16.233|80 [10] 2.933s( 10.0.1.11 -> 65.16.1.1 ) 010 = 216.212.127.198|80 [14] 2.969s( 10.0.1.11 -> 65.17.1.1 ) 010 = 206.24.241.178|80 [13] 3.000s( 10.0.1.11 -> 66.17.1.1 ) 006 = 
12.122.11.81|80 [07] 4.226s( 10.0.1.11 -> 65.16.1.1 )
# Split mode operation. The only thing syncing these two scans is the crypto: the listener verifies each response against the shared -s seed.
bash-2.05a# scanrand -t0 -L -s this_is_a_demo &
[1] 39294
bash-2.05a# scanrand -S -s this_is_a_demo www.slashdot.org
bash-2.05a# UP: 66.35.250.150:80 [12] 16.062s
UP: 66.35.250.150:443 [12] 16.063s
bash-2.05a# scanrand -S -s this_is_a_demo 10.0.1.1-254:quick
UP: 10.0.1.38:80 [01] 42.419s
UP: 10.0.1.110:443 [01] 42.432s
UP: 10.0.1.254:443 [01] 42.437s
UP: 10.0.1.57:445 [01] 42.440s
UP: 10.0.1.59:445 [01] 42.440s
UP: 10.0.1.38:22 [01] 42.463s
UP: 10.0.1.110:22 [01] 42.474s
UP: 10.0.1.110:23 [01] 42.474s
UP: 10.0.1.254:22 [01] 42.493s
UP: 10.0.1.254:23 [01] 42.493s
UP: 10.0.1.25:135 [01] 42.504s
UP: 10.0.1.57:135 [01] 42.505s
UP: 10.0.1.59:135 [01] 42.506s
UP: 10.0.1.25:139 [01] 42.514s
UP: 10.0.1.27:139 [01] 42.514s
UP: 10.0.1.57:139 [01] 42.515s
UP: 10.0.1.59:139 [01] 42.516s
UP: 10.0.1.38:111 [01] 42.543s
UP: 10.0.1.57:1025 [01] 42.563s
UP: 10.0.1.59:1025 [01] 42.564s
UP: 10.0.1.57:5000 [01] 42.573s
UP: 10.0.1.59:5000 [01] 42.574s
bash-2.05a# UP: 10.0.1.53:111 [01] 42.700s
UP: 10.0.1.53:111 [01] 46.078s