udp port scanner
Posted on 2012-12-30 01:12:56



1 Lacks a timeout/retransmission mechanism.

2 Lacks a flow-control mechanism.


Many scanning tools have poor UDP support, including the legendary NMAP: lots of open|filtered results show up, it is inaccurate, and it wastes time.

Scanning a single host with NMAP in UDP mode takes 10 minutes.

    root@Dis9Team:~# nmap -sU -T5 -sV

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-10 04:42 PST
    Warning: giving up on port because retransmission cap hit (2).
    Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
    UDP Scan Timing: About 30.83% done; ETC: 04:45 (0:02:08 remaining)

For UDP, use the dedicated tool unicornscan.

    root@Dis9Team:/pen# wget http://unicornscan.org/releases/unicornscan-0.4.7-2.tar.bz2
    root@Dis9Team:/pen# tar xf unicornscan-0.4.7-2.tar.bz2
    root@Dis9Team:/pen/unicornscan-0.4.7# apt-get install libpq-dev libpqxx-dev libpq5 flex bison
    root@Dis9Team:/pen/unicornscan-0.4.7# apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev
    root@Dis9Team:/pen/unicornscan-0.4.7# ./configure CFLAGS=-D_GNU_SOURCE
    root@Dis9Team:/pen/unicornscan-0.4.7# make
    root@Dis9Team:/pen/unicornscan-0.4.7# make install


    root@Dis9Team:/pen/unicornscan-0.4.7# cd src/
    root@Dis9Team:/pen/unicornscan-0.4.7/src# ./unicornscan -h
    unicornscan (version 0.4.7)
    usage: unicornscan [options `b:B:cd:De:EFG:hHi:Ij:l:L:m:M:o:p:P:q:Qr:R:s:St:T:u:Uw:W:vVzZ:' ] X.X.X.X/YY:S-E
            -b, --broken-crc     *set broken crc sums on [T]ransport layer, [N]etwork layer, or both[TN]
            -B, --source-port    *set source port? or whatever the scan module expects as a number
            -c, --proc-duplicates process duplicate replies
            -d, --delay-type     *set delay type (numeric value, valid options are `1:tsc 2:gtod 3:sleep')
            -D, --no-defpayload   no default Payload, only probe known protocols
            -e, --enable-module  *enable modules listed as arguments (output and report currently)
            -E, --proc-errors     for processing `non-open' responses (icmp errors, tcp rsts...)
            -F, --try-frags
            -G, --payload-group        *payload group (numeric) for tcp/udp type payload selection (default all)
            -h, --help            help
            -H, --do-dns          resolve hostnames during the reporting phase
            -i, --interface      *interface name, like eth0 or fxp1, not normally required
            -I, --immediate       immediate mode, display things as we find them
            -j, --ignore-seq     *ignore `A'll, 'R'eset sequence numbers for tcp header validation
            -l, --logfile        *write to this file not my terminal
            -L, --packet-timeout *wait this long for packets to come back (default 7 secs)
            -m, --mode           *scan mode, tcp (syn) scan is default, U for udp T for tcp `sf' for tcp connect scan and A for arp
                                   for -mT you can also specify tcp flags following the T like -mTsFpU for example
                                   that would send tcp syn packets with (NO Syn|FIN|NO Push|URG)
            -M, --module-dir     *directory modules are found at (defaults to /usr/local/lib/unicornscan/modules)
            -o, --format         *format of what to display for replies, see man page for format specification
            -p, --ports           global ports to scan, if not specified in target options
            -P, --pcap-filter    *extra pcap filter string for reciever
            -q, --covertness     *covertness value from 0 to 255
            -Q, --quiet           dont use output to screen, its going somewhere else (a database say...)
            -r, --pps            *packets per second (total, not per host, and as you go higher it gets less accurate)
            -R, --repeats        *repeat packet scan N times
            -s, --source-addr    *source address for packets `r' for random
            -S, --no-shuffle      do not shuffle ports
            -t, --ip-ttl         *set TTL on sent packets as in 62 or 6-16 or r64-128
            -T, --ip-tos         *set TOS on sent packets
            -u, --debug                *debug mask
            -U, --no-openclosed         dont say open or closed
            -w, --safefile       *write pcap file of recieved packets
            -W, --fingerprint    *OS fingerprint 0=cisco(def) 1=openbsd 2=WindowsXP 3=p0fsendsyn 4=FreeBSD 5=nmap
                                  6=linux 7:strangetcp
            -v, --verbose         verbose (each time more verbose so -vvvvv is really verbose)
            -V, --version         display version
            -z, --sniff           sniff alike
            -Z, --drone-str      *drone String
    *:        options with `*' require an argument following them

      address ranges are cidr like for all of 1.?.?.?
      if you omit the cidr mask then /32 is implied
      port ranges are like 1-4096 with 53 only scanning one port, a for all 65k and p for 1-1024
    example: unicornscan -i eth1 -Ir 160 -E gateway:a
    root@Dis9Team:/pen/unicornscan-0.4.7/src#

    root@Dis9Team:/pen/unicornscan-0.4.7/src# ./unicornscan -mU
    Error Opening file /usr/local/etc/unicornscan/GeoIP.dat
    Main [Error   report.c:73] error opening geoip database `/usr/local/etc/unicornscan//GeoIP.dat': No such file or directory
    UDP open                  domain[   53]                from  ttl 64
    root@Dis9Team:/pen/unicornscan-0.4.7/src#

Blazing fast!! In BT5 it can also be used in web mode; see http://www.backtrack-linux.org/wiki/index.php/Unicornscan
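An added illustration of the three UDP states the post is dealing with; this is example code, not something from the post, from unicornscan or from nmap. Because UDP has no retransmission of its own, the scanner resends each probe a fixed number of times (the "retransmission cap" in the nmap warning above) and then classifies the port as open (a datagram came back), closed (the kernel reported an ICMP port-unreachable, which Linux surfaces as ECONNREFUSED on a connected UDP socket) or open|filtered (silence, so either a mute open service or a firewall). The echo server, the port numbers, the `DEFAULT_PAYLOAD` byte and the DNS query bytes are all constructed for the example; the per-port payload table stands in for what unicornscan's payload groups and nmap's service probes do.

```python
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Probe payloads keyed by port (constructed for this example). A protocol
# specific probe draws a reply from an open port where an arbitrary datagram
# would be dropped. Port 53 gets a minimal DNS query: ID 0xabcd, flags 0x0100
# (recursion desired), one question for the A record of example.com.
DNS_QUERY = (
    bytes.fromhex("abcd 0100 0001 0000 0000 0000")   # 12-byte header
    + b"\x07example\x03com\x00"                      # QNAME
    + b"\x00\x01\x00\x01"                            # QTYPE A, QCLASS IN
)
DEFAULT_PAYLOAD = b"\x00"          # sent to ports with no known probe (assumption)
PAYLOADS = {53: DNS_QUERY}


def probe_udp(host, port, timeout=1.0, retries=2):
    """Classify one UDP port as 'open', 'closed' or 'open|filtered'.

    UDP never retransmits, so the scanner resends the probe up to `retries`
    times (the "retransmission cap" nmap warns about).
      open           a datagram came back
      closed         ICMP port unreachable was reported; on a connected UDP
                     socket Linux surfaces it as ECONNREFUSED
      open|filtered  nothing came back: the service is open but silent for
                     this probe, or a firewall dropped the probe or the ICMP
    """
    payload = PAYLOADS.get(port, DEFAULT_PAYLOAD)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))   # needed so ICMP errors reach this socket
        for _ in range(retries + 1):
            try:
                sock.send(payload)
                sock.recv(4096)
                return "open"
            except socket.timeout:
                continue             # UDP will not retry for us; do it here
            except OSError as exc:
                if exc.errno == errno.ECONNREFUSED:
                    return "closed"
                raise
    return "open|filtered"


def scan_udp(host, ports, workers=64, **kw):
    """Probe many ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_udp(host, p, **kw), ports)
        return dict(zip(ports, states))


def start_echo_server():
    """Constructed stand-in for a chatty UDP service on a random loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(4096)
                srv.sendto(data, peer)
            except OSError:
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_udp_port():
    """Pick a port nothing is listening on (bind to 0, then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one listening and one closed loopback port.

    Returns (states, open_port, closed_port).
    """
    srv, open_port = start_echo_server()
    closed_port = free_udp_port()
    try:
        return scan_udp("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.close()


if __name__ == "__main__":
    states, open_port, closed_port = demo()
    for port in (open_port, closed_port):
        print(f"UDP {states[port]:<14} {port}")
```

Run as a script it scans the two loopback ports; point `scan_udp` at a real host and port list for anything else. The ECONNREFUSED path is Linux behaviour: on a host or through a firewall that swallows the ICMP error, every closed port collapses into open|filtered, which is exactly the ambiguity the post complains about in nmap's output, and the only cure is a better per-port payload that makes the open ones talk.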


