Port scanning is a crucial first step in mapping out networks during penetration tests and vulnerability assessments. While Nmap has long been the go-to tool for comprehensive scanning, unicornscan brings unique technical capabilities that enable extremely fast and flexible asynchronous scanning.

In this detailed guide for beginners, we'll not only cover unicornscan installation and basic usage, but do a deep dive into some of its more advanced functionality for finding open ports, enumerating services, detecting systems, and much more.

An Overview of What Makes Unicornscan Unique

Unicornscan utilizes asynchronous stateless TCP and UDP scanning for both IPv4 and IPv6 networks. This means that instead of traditional synchronous scanning where a port probe is sent and unicornscan waits for a response before moving to the next port, unicornscan sends probes rapidly without waiting or keeping state.

The tool has separate sending and receiving threads which allows for thousands of packets per second to be transmitted, even on slower network links. This results in dramatically faster scans than Nmap or other scanners which rely on round trip times before proceeding.

Some key technical advantages and features:

  • Custom TCP/IP stack implementation – unicornscan talks directly to the network adapter driver instead of using the operating system stack. This allows complete control over the entire process.

  • Asynchronous stateless scanning architecture – as mentioned above, no waiting for responses which maximizes network utilization

  • Custom packet crafting at the byte level – every bit of each probe packet can be specified allowing for stealth, ambiguity, and operating system impersonation

  • Highly optimized routines in C and x86 assembly language – performance is top priority, with critical scan functions handled in assembly code. The tool can saturate even 10Gbps links.

  • Support for dredging up hidden and filtered results – unicornscan has determination options which will force it to rescan areas of filtered ports slowly with different timing strategies in order to uncover filtered or firewalled ports.

  • Powerful scripting capabilities – custom Lua scripts extend functionality even further and allow sharing of scan methods

In testing, unicornscan has been found to run anywhere from 2 to 10 times faster than comparative Nmap scans depending on the network environment. Next we'll cover installation and basic usage.

Installing Unicornscan on Linux Distributions

Unicornscan is already installed by default on security distributions like Kali Linux, but it can also easily be set up on Debian or Ubuntu Linux desktops and servers:

# apt update
# apt install unicornscan 

For Fedora, CentOS, and RHEL distributions using RPM packages:

# yum update
# yum install unicornscan

And for Arch-based Linux distributions:

# pacman -Syu
# pacman -S unicornscan

Once installed, the tool can be invoked simply by running unicornscan. Make sure to launch it with sudo or as root in order to bind directly to interfaces for raw packet access.

With the basics of installation complete, let's move on to some common scanning examples.

Scanning Basics – Hosts, Ports, and Service Detection

Much like nmap, unicornscan relies on a core set of TCP and UDP probes to detect open ports which often tie back to running services.

To initiate a default scan of TCP ports 1 through 1024 against a host, simply pass the IP address:

sudo unicornscan 172.20.10.12

Basic unicornscan port scan output

This performs QueSO stateless TCP probes with operating system fingerprinting enabled. As you see in the output, it returns all open TCP ports and hashes of any banners grabbed which can be used for service enumeration.

We can scan a wider TCP port range with the -a flag:

sudo unicornscan -a 172.20.10.12

Scanning all 65535 TCP ports takes longer, but unicornscan's speed still makes it quite reasonable compared to other scanners.

To dive right into UDP scanning on the top 1000 UDP ports:

sudo unicornscan -mU 172.20.10.12

This utilizes QUdp stateless UDP probes optimized for speed.

We can even combine TCP and UDP scanning in one command:

unicornscan -a -mU 172.20.10.12

Beyond simple port enumeration, unicornscan tries to determine the remote operating system and applications via payload analysis when possible. Based on fingerprint hashes and banners, you might see detection output like:

OS Detection: 187.134.56.211 : Microsoft Windows 7 or 8
OS Detection: 148.98.213.199 : Linux 2.4.0 - 2.6.28 
Application Detection: Apache httpd 2.4.12 ((Win64) PHP/5.6.12)

This kind of intel can direct and focus additional scanning efforts.

Targeting Specific Port Ranges

Instead of always scanning all ports, we can specify a custom range for more precision:

sudo unicornscan 172.20.10.12:80-90,443,8080,8443

This probes an explicit selection of web ports, over TCP or UDP depending on the flags used.

For scanning subnets, CIDR notation is fully supported:

sudo unicornscan 192.168.1.0/24:22,80,443

And host lists can be specified by simply separating targets with spaces:

sudo unicornscan 172.20.10.12 www.example.com 192.168.50.1

Controlling Scan Rate and Stealth

By default unicornscan tries to go as fast as possible, blasting hosts with probes at full speed which might set off alarms.

The packets per second rate can be adjusted with the -r flag:

sudo unicornscan -r50 172.20.10.0/24

This slows the scan to just 50pps which may be hard to distinguish from normal traffic. The payload size -l can also be tweaked to blend in:

sudo unicornscan -r50 -l64 172.20.10.12

With a rate of just 50 64-byte packets per second, unicornscan becomes extremely stealthy while still scanning quickly compared to traditional port scanning methods.

Programming Scan Profiles for Automation

Instead of always passing endless command line flags, we can create a profile script containing our preferred defaults for easy reuse:

defaults = {
   rate = 200,
   payload_size = 64,
   scan_type = "T",
   port_range = "20-23,80,443",
}

targets = {
   "172.20.10.0/24",
   "192.168.5-15.0/24"  
}

unicornscan.scan(targets, defaults)

This unicornscan Lua script allows automated scanning routines to be kicked off using the parameters we want instead of lengthy commands.

Profiles come in handy when executing against a predefined scope like an inventory of networks maintained in a text file.

Deep Diving into TCP Flags, Headers, and Evasion

So far we've seen simple port scanning examples with unicornscan, but the tool offers very advanced control over TCP flags and the makeup of packets. This allows penetration testers to probe networks in extremely custom ways while remaining under the radar.

The 6 main TCP header flags can be configured into over 64,000 combinations per scan probe packet. These flags are:

  • URG: Urgent
  • ACK: Acknowledgement
  • PSH: Push
  • RST: Reset
  • SYN: Synchronise
  • FIN: Finish

For instance, we can perform an XMAS scan which sets the FIN, PSH, and URG flags:

sudo unicornscan -mT -sFUX 172.20.10.12

Or a custom FIN/ACK scan:

sudo unicornscan -mT -sFA 172.20.10.12

These unorthodox combinations can sneak through firewalls and trip up intrusion detection systems not expecting the atypical sequencing.

Beyond flags, additional TCP fields like sequence numbers, window size, checksums, and urgent data pointers can also be tailored:

sudo unicornscan --tcp-seq 12345 --tcp-window 4096 172.20.10.12

This spoofing and hand-crafting of packets takes skill, but gives unicornscan probes a lower chance of being blocked than off-the-shelf scanning scripts.

Capturing Output to Files for Further Processing

Manually sifting through interactive unicornscan output can be cumbersome. Instead we can redirect everything from a scan out to a file for loading into reporting tools and analytics software.

Basic CSV output just containing open ports in a spreadsheet friendly format:

sudo unicornscan 172.20.10.0/24 -f csv > subnetScanResults.csv

To get JSON output suitable for log aggregation systems like Elasticsearch, Splunk, or parsing with custom scripts:

sudo unicornscan 172.20.10.12:80,443 -f json > webPorts.json

And for analyzing response payloads and intrusion detection efforts, sending output to PCAP format is invaluable:

sudo unicornscan 192.168.35.0/24 -p capture.pcap 

These capture files integrate cleanly with all kinds of workflows for further study.

Mapping Out Discovered Assets

Beyond standalone command line usage, unicornscan is commonly leveraged in security tools like nmap and Metasploit. It can also tie into various reporting dashboards.

Integrating results into a visualized network topology map makes for quick analysis:

Sample unicornscan network mapping output

Data can be fed directly into graphical mapping software like Maltego, Microsoft Visio, and Lucidchart. Or for building customized views, reporting frameworks like Crystal Reports connect to unicornscan's exports.

These kinds of dashboards enable pivoting across the testing landscape to confirm findings or dig deeper.

Securing Networks Against unicornscan-Style Attacks

While unicornscan is mainly used for legal and authorized penetration testing purposes, the techniques powering it can also be used maliciously.

Since it is so fast and flexible in probing networks, traditional security solutions like firewalls often fail to detect unicornscan sweeps.

Here are some tips for hardening environments against reconnaissance efforts:

  • Reduce overall network connectivity and limit reachable endpoints whenever possible across domains and VLANs

  • Monitor border traffic extremely closely via tools like Snort IDS with custom unicornscan-oriented inspection rules that key off on abnormal TCP flags and unexpected packet rates

  • Implement anomaly detection tracking the standard deviation of connection attempts on various ports and investigating spikes

  • For public facing products and APIs, front all access through a WAF or API gateway in order to detect suspicious payloads and activity

  • Utilize a scanning detection platform such as Attack Surface Manager or DefendApp uniformly across assets

  • Mask open ports via methods like Honeyd virtual devices presenting tempting fakes and honeyports

Combining these techniques raises the effort level tremendously for successfully mapping production environments.
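The two detection tips above (keying off abnormal TCP flags, and tracking connection-attempt spikes by standard deviation) are illustrated here in an added Python example that is not part of the original post or of unicornscan itself. The traffic records, IP addresses and thresholds are all constructed; in practice the records would come from a flow exporter or packet capture.

```python
"""Two complementary probe detectors over constructed connection records.
Each record is (epoch_seconds, src_ip, dst_port, frozenset_of_tcp_flags)."""
from collections import Counter
from statistics import mean, pstdev

# Flag sets no legitimate stack uses to open a connection; the post's XMAS
# (FIN/PSH/URG) and FIN/ACK probes are the first two entries.
SUSPICIOUS_FLAGS = {
    frozenset({"FIN", "PSH", "URG"}): "XMAS probe",
    frozenset({"FIN", "ACK"}): "FIN/ACK probe",
    frozenset({"FIN"}): "FIN probe",
    frozenset(): "NULL probe",
}

def flag_alerts(records):
    """Return (src_ip, dst_port, label) for every packet with an abnormal flag set."""
    return [(src, port, SUSPICIOUS_FLAGS[frozenset(flags)])
            for _ts, src, port, flags in records
            if frozenset(flags) in SUSPICIOUS_FLAGS]

def rate_alerts(records, window=1, threshold=3.0):
    """Return sources whose packets-per-window count is more than `threshold`
    standard deviations above the mean across all (source, window) bins."""
    bins = Counter((src, int(ts) // window) for ts, src, _p, _f in records)
    counts = list(bins.values())
    if len(counts) < 2 or pstdev(counts) == 0:
        return []
    mu, sigma = mean(counts), pstdev(counts)
    return sorted({src for (src, _b), n in bins.items() if (n - mu) / sigma > threshold})

def build_sample():
    """Constructed traffic: 20 ordinary clients, one fast sweep, one slow XMAS probe."""
    recs = []
    for i in range(20):                      # baseline: 1-3 HTTPS SYNs per client
        for _ in range(i % 3 + 1):
            recs.append((1000 + i, f"10.0.0.{i + 1}", 443, frozenset({"SYN"})))
    for k in range(40):                      # 40 SYNs to 40 ports in one second
        recs.append((2000 + k * 0.02, "203.0.113.5", 1 + k, frozenset({"SYN"})))
    for k, port in enumerate((22, 80, 443)):  # one XMAS packet per minute
        recs.append((3000 + 60 * k, "198.51.100.7", port, frozenset({"FIN", "PSH", "URG"})))
    return recs

if __name__ == "__main__":
    sample = build_sample()
    for src, port, label in flag_alerts(sample):
        print(f"[flags] {src} -> port {port}: {label}")
    for src in rate_alerts(sample):
        print(f"[rate ] {src}: probe burst far above baseline")
```

The fast sweep uses ordinary SYN flags and is caught only by the rate check, while the slow XMAS probe stays under the rate threshold and is caught only by the flag check, which is why the post recommends both.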

Troubleshooting Common Unicornscan Issues

Like any complex scanning software, unicornscan can run into multiple issues from timeouts, crashes, restrictions, and connectivity problems.

Here are some frequent problems and suggested steps for troubleshooting:

  • System freezes mid scan – Increase RAM allocation past default in daemon config

  • Lack of results on high number ports – Try running as true root user identity, disable local firewall

  • Kernel not supporting raw sockets – Enable packet forwarding, check sysctl-conf settings

  • Transmission errors detected – Change network adapter speeds settings to max detection

  • Hosts refusing connections – Specify specific source IP, spoof MAC address

  • Scan reports permission denied – Use sudo to access raw interfaces, manage route tables

And as a last resort the github project issue tracker often contains helpful fixes not found in documentation.

Now that we've covered both basics and in-depth technical scanning capabilities, unicornscan should be a far less intimidating tool, ready for all kinds of flexible fingerprinting tasks during engagements.

The support for protocol-based UDP scanning, stealthy evasion options, OS detection, output exports, and automation also makes it useful outside penetration tests for general network inventory and monitoring cases.

Give unicornscan a try with some of these tips next time network mapping needs arise!

Let me know in the comments if you have any other favorite advanced unicornscan techniques I may have missed.
