So get unicornscan from here:
http://unicornscan.org/ -- the current version I could find is 0.4.7
You'll need some dependencies:
apt-get install flex bison
apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev
* You may need texlive-extra-utils if you are on a headless system like Slicehost or Linode; otherwise the build will bomb out when it tries to make the documentation :-(
apt-get install texlive-extra-utils
Fix up the weird lib issues (see the bottom of the post for where I got this):
blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
blah@blah:$ for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i.bak -e 's/ldnet/ldumbnet/g' $i; done
Apply this patch:
https://www.pentoo.ch/pentoo/browser/portage/trunk/net-analyzer/unicornscan/files/unicornscan-0.4.7-configure.patch
./configure CFLAGS=-D_GNU_SOURCE
make
make install
After that it would compile and run.
I did have to really crank down the pps to get it to actually run; the default is 300, I had to use around 75-100:
sudo unicornscan -m U -Ir 75 --show-errors -v externalrange.net/24
Let's test...
Host #1
sudo unicornscan -m U -Ir 75 -v 192.168.1.143
adding 192.168.1.143/32 mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 75
using interface(s) eth0
UDP open domain[ 53] from 192.168.1.143 ttl 50
UDP open netbios-ns[ 137] from 192.168.1.143 ttl 50
UDP open unknown[51468] from 192.168.1.143 ttl 50
msf auxiliary(udp_sweep) > run
[*] Sending 10 probes to 192.168.1.143->192.168.1.143 (1 hosts)
[*] Discovered NTP on 192.168.1.143:123 (NTP v4)
[*] Discovered NetBIOS on 192.168.1.143:137 (INEEDAFW01:<00>:U :INEEDAFW01:<03>:U :INEEDAFW01:<20>:U :__MSBROWSE__:<01>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :WORKGROUP:<00>:G :00:00:00:00:00:00)
[*] Discovered DNS on 192.168.1.143:53 (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
sudo nmap -sU 192.168.1.143
PORT STATE SERVICE
53/udp open domain
69/udp open|filtered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
*took approx 13 min for results
Host #2
sudo unicornscan -m U -Ir 75 -v 192.168.1.94
UDP open sunrpc[ 111] from 192.168.1.94 ttl 50
UDP open shilp[ 2049] from 192.168.1.94 ttl 50
msf auxiliary(udp_sweep) > run
[*] Sending 10 probes to 192.168.1.94->192.168.1.94 (1 hosts)
[*] Discovered Portmap on 192.168.1.94:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(35483), 100024 v1 TCP(34855), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(51021), 100021 v3 UDP(51021), 100021 v4 UDP(51021), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(32771), 100021 v3 TCP(32771), 100021 v4 TCP(32771), 100005 v1 UDP(54730), 100005 v1 TCP(50729), 100005 v2 UDP(54730), 100005 v2 TCP(50729), 100005 v3 UDP(54730), 100005 v3 TCP(50729))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
sudo nmap -sU 192.168.1.94 -v
PORT STATE SERVICE
111/udp open rpcbind
639/udp open|filtered unknown
2049/udp open nfs
*took approx 14 min
Quick notes:
Unicornscan sucks for NTP: even though port 123 is in the scan list, it fails to locate NTP servers; the Metasploit udp_sweep is better here.
You'll probably want to add some ports to the UDP section of /usr/local/etc/unicornscan/unicorn.conf, namely 1434, 1604, 5093 & 523, to be consistent with what Metasploit is sending probes for.
You may also want to update the ports list in the above folder to be less stupid as well.
In this case nmap gave consistent results, it just took forever.
The compile fixes came from here:
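The notes above are a by-eye comparison of three tools' output for one host. The following is an added example (not part of the original post, and not code from any of the three projects) that parses the three output formats as they appear above into one table per host and lists, for each port some tool reported, which tools missed it. The sample input is constructed from host #1's output (the msf NetBIOS detail is abbreviated); the nmap parser takes the target host as an argument because nmap's port table does not repeat it.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the three output formats shown above
# (host #1 only; the msf NetBIOS detail is abbreviated)
UNICORNSCAN_OUT = """\
adding 192.168.1.143/32 mode `UDPscan' ports `7,9,11,13,53,123,137' pps 75
using interface(s) eth0
UDP open domain[ 53] from 192.168.1.143 ttl 50
UDP open netbios-ns[ 137] from 192.168.1.143 ttl 50
UDP open unknown[51468] from 192.168.1.143 ttl 50
"""

MSF_OUT = """\
[*] Sending 10 probes to 192.168.1.143->192.168.1.143 (1 hosts)
[*] Discovered NTP on 192.168.1.143:123 (NTP v4)
[*] Discovered NetBIOS on 192.168.1.143:137 (INEEDAFW01:<00>:U ...)
[*] Discovered DNS on 192.168.1.143:53 (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
"""

NMAP_OUT = """\
PORT STATE SERVICE
53/udp open domain
69/udp open|filtered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
"""

UNICORN_RE = re.compile(r"^UDP open (\S+)\[\s*(\d+)\] from (\S+) ttl \d+")
MSF_RE = re.compile(r"^\[\*\] Discovered (\S+) on ([^:\s]+):(\d+)")
NMAP_RE = re.compile(r"^(\d+)/udp\s+(open\|filtered|open)\s+(\S+)")


def parse_unicornscan(text):
    """{host: {port: service}} from 'UDP open svc[ port] from host ttl n' lines."""
    found = {}
    for line in text.splitlines():
        m = UNICORN_RE.match(line)
        if m:
            found.setdefault(m.group(3), {})[int(m.group(2))] = m.group(1)
    return found


def parse_msf(text):
    """{host: {port: service}} from udp_sweep '[*] Discovered X on host:port' lines."""
    found = {}
    for line in text.splitlines():
        m = MSF_RE.match(line)
        if m:
            found.setdefault(m.group(2), {})[int(m.group(3))] = m.group(1)
    return found


def parse_nmap(text, host):
    """{host: {port: 'state service'}} from an nmap -sU port table. The caller
    supplies the host; open|filtered rows are kept (with their state) because a
    non-answer on UDP is still information."""
    found = {host: {}}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if m:
            found[host][int(m.group(1))] = "%s %s" % (m.group(2), m.group(3))
    return found


def merge(results):
    """{tool: {host: {port: label}}} -> {host: {port: {tool: label}}}"""
    merged = defaultdict(lambda: defaultdict(dict))
    for tool, hosts in results.items():
        for host, ports in hosts.items():
            for port, label in ports.items():
                merged[host][port][tool] = label
    return merged


def coverage_gaps(merged, tools):
    """For each host/port that some tool reported, list the tools that did not."""
    gaps = {}
    for host, ports in merged.items():
        for port, seen in ports.items():
            missing = sorted(set(tools) - set(seen))
            if missing:
                gaps.setdefault(host, {})[port] = missing
    return gaps


def compare_sample():
    """Merge the constructed sample output of all three tools."""
    return merge({
        "unicornscan": parse_unicornscan(UNICORNSCAN_OUT),
        "msf": parse_msf(MSF_OUT),
        "nmap": parse_nmap(NMAP_OUT, "192.168.1.143"),
    })


if __name__ == "__main__":
    merged = compare_sample()
    for host, ports in merged.items():
        for port in sorted(ports):
            print(host, port, dict(ports[port]))
    print("gaps:", coverage_gaps(merged, ["unicornscan", "msf", "nmap"]))
```

Run against the sample, the gaps table shows exactly the discrepancy the notes describe: port 123 is missing only from the unicornscan column, while 51468 is something only unicornscan reported (msf's udp_sweep probes a fixed list, so its gaps on unprobed ports are expected rather than a detection failure).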
http://itbloggen.se/cs/blogs/olle_lindgren/archive/2009/01/08/unicornscan-on-ubuntu-8-10-intrepid-ibex.aspx?CommentPosted=true#commentmessage
http://geek00l.blogspot.com/2009/01/ubuntu-unicornscan-revisit.html
The fact that version 0.4.7 does not detect the NTP services is because it sends an NTP readlist packet, which many NTP servers do not allow or respond to. Instead a normal NTP time request should be sent.
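The note in the post that unicornscan fails to locate NTP servers, and the comment above explaining that a plain time request works where a readlist (an ntpq control query, NTP mode 6) is often ignored, are both about what the probe on the wire looks like. The following is an added example, not code from the post or from Unicornscan, showing the two sides of an ordinary NTP exchange: it builds the 48-byte mode-3 client request, classifies a packet by its mode bits so you can tell a time request from a control or private-mode query, and parses a mode-4 server reply. The reply used for the offline check is constructed here (stratum 2, root delay 1.0 s, dispersion 0.5 s); `query_ntp` is the only function that touches the network and is not called by default.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800
# 48-byte NTP header: flags, stratum, poll, precision, root delay,
# root dispersion, reference id, then four 64-bit timestamps
NTP_FMT = "!BBbbIIIQQQQ"
NTP_PORT = 123

# Association modes carried in the low three bits of the first byte
MODE_NAMES = {3: "client", 4: "server", 6: "control", 7: "private"}


def to_ntp_timestamp(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_timestamp(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(now=None):
    """Ordinary time request: LI=0, version 4, mode 3 -> first byte 0x23.
    Only the transmit timestamp is filled in; every other field is zero."""
    if now is None:
        now = time.time()
    return struct.pack(NTP_FMT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       to_ntp_timestamp(now))


def classify_query(packet):
    """Name the association mode of a packet, e.g. to tell a plain time
    request (mode 3) from a control query (mode 6, what ntpq readlist uses)."""
    if not packet:
        return "empty"
    return MODE_NAMES.get(packet[0] & 0x07, "other")


def parse_reply(data):
    """Decode a server reply; raises ValueError unless it is a mode-4 packet."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     _ref_ts, _orig_ts, _recv_ts, xmt_ts) = struct.unpack(NTP_FMT, data[:48])
    mode = flags & 0x07
    if mode != 4:
        raise ValueError("expected server reply (mode 4), got mode %d" % mode)
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x07,
        "mode": mode,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 65536.0,        # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
        "ref_id": ref_id,
        "transmit_time": from_ntp_timestamp(xmt_ts),
    }


def make_sample_reply(client_xmt, server_time):
    """Constructed mode-4 reply (first byte 0x24: version 4, mode 4) so the
    parser can be exercised offline; stratum 2, root delay 1.0 s, disp 0.5 s."""
    ts = to_ntp_timestamp(server_time)
    return struct.pack(NTP_FMT, 0x24, 2, 3, -20, 0x00010000, 0x8000, 0,
                       ts, client_xmt, ts, ts)


def query_ntp(host, timeout=2.0):
    """Send one time request to host:123 and return the parsed reply, or None
    on timeout. Not called by default; the offline checks below suffice."""
    req = build_client_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, NTP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data)


if __name__ == "__main__":
    req = build_client_request(0.0)
    print(classify_query(req), len(req), "bytes")
    print(parse_reply(make_sample_reply(int.from_bytes(req[-8:], "big"), 1.5)))
```

The classification helper is the useful bit on the defender side: a capture of scanner traffic on udp/123 that is all mode 6 or mode 7 is a control or private-mode query, which a server configured to ignore those will never answer, while mode-3 traffic is indistinguishable from a normal client asking for the time.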
The speed problems are new to me, as Unicornscan is known for its high scanning speed.
As you might know, the original author (Jack C. Louis) of Unicornscan was killed in a fire accident in his house almost two years ago. Since I already had contact with both Robert and Jack about some patches I had written for Unicornscan, Robert asked me if I would integrate those patches and maybe continue development together with some other people. Unfortunately that never really happened, but I've integrated some patches in SVN, which you can find over here:
http://sourceforge.net/projects/osace/
I'm sure the speed is because it's been tested in virtual environments and the virtual NIC probably doesn't like all the traffic, but that's just a WAG.
Thanks for a link to the SVN, I'll check it out.
Even cranked down, it's still significantly faster than Nessus.
.... or you could just use nmap.
Ya, I'm with Anonymous, why would you bother with Unicornscan these days?