scanrand

scanrand is a cool tool for network scanning written by Dan Kaminski.  The big advantage to this tool as a network scanner is that it can scan very large networks very very fast.

It works by splitting into two completely independent processes, one for sending packets and one for receiving them.  The sending process fires off syn packets and doesn’t try to retain state information.  Also, the receiving process doesn’t retain state.  It works by using a stateful protocol in a stateless way.

How does this prevent a smart router or something from just sending weird information in response to  a detected scan?

Normally, an ISN of a syn packet is meant to be basically random.  scanrand builds a deterministic iSN by running the source ip source port destination ip and destination port concatinated with a secret key and run through a one way hashing function – meaning these “random” isns can be calculated. this is called an “inverse syn cookie”.

Awesome.

Again, to reiterate the advantages:a class C network has been known to be scanned in as little as four seconds with this tool.

Here is how I tried it on my local network:

scanrand -d eth1 -b10M 192.168.1.1-254:quick

pretty simple.  the 10M limits the scan to 10 mbps.  One thing with scanrand is you probably ususally want to throttle the traffic -or else your network could easily become overloaded.  the -d eth1 is just specifying my wireless card.  the 192.168.1.1-254:quick is specifying which IPs and ports to scan.  quick is a shortcut meaning ports

80,443,445,53,20-23,25,135,139,8080, 110,111,143,1025,5000,465,993,31337, 79,8010,8000,6667,2049,3306

the biggest disadvantage might be how noisy it is.  But it’s not meant to be quiet.

Anyway, this is a pretty innovative “why didn’t I think of that” tools.  Give it a try.