bash-2.05a# scanrand
Destination required.
scanrand 1.0: Stateless TCP Scanner w/ Inverse SYN Cookies(HMAC-SHA1/32 in SEQ)
Component of: Paketto Keiretsu 1.0; Dan Kaminsky (dan@doxpara.com)
Example: scanrand -b10M 10.0.1.1-254:80,20-25,139
Def. Ports: Use [quick/squick/known/all] instead of explicitly naming ports
Options: -S/-L: Only send requests / Only listen for responses
-e/-E: Show negative responses / Only show negative responses
-t [timeout]: Wait n full seconds for the last response (10s)
-b[bandwidth]: Limit bandwidth consumption to n b/k/m/g bytes(0)
(0 supresses timeouts or maximizes bw utilization)
-N/-NN : Enable name resolution (Prefer Source/Dest)
-v : Mark packets being sent, as well as received
-vv : Output full packet traces to stderr
Addressing: -d [device]: Send requests from this L2 hardware device
-i [source]: Send requests from this L3 IP address
-p [ port]: Send requests from this L4 TCP Port
-s [ seed]: Use prespecified seed for scan verification
-f [ file]: Read list of targets from file
Experiments: -l [ttl-ttl]: Statelessly TCP Traceroute
-c : Try checking Inverse SYN Cookie on Traceroute
Notes: Use Control-C to exit before scanrand times out.
Be sure to use a longer timeout for slow scans!
[n]: estimated network distance from target host.
Be careful about available bandwidth -- use -b!
# Quick scan of local network
bash-2.05a# scanrand 10.0.1.1-254:quick
UP: 10.0.1.38:80 [01] 0.003s
UP: 10.0.1.110:443 [01] 0.017s
UP: 10.0.1.254:443 [01] 0.021s
UP: 10.0.1.57:445 [01] 0.024s
UP: 10.0.1.59:445 [01] 0.024s
UP: 10.0.1.38:22 [01] 0.047s
UP: 10.0.1.110:22 [01] 0.058s
UP: 10.0.1.110:23 [01] 0.058s
UP: 10.0.1.254:22 [01] 0.077s
UP: 10.0.1.254:23 [01] 0.077s
UP: 10.0.1.25:135 [01] 0.088s
UP: 10.0.1.57:135 [01] 0.089s
UP: 10.0.1.59:135 [01] 0.090s
UP: 10.0.1.25:139 [01] 0.097s
UP: 10.0.1.27:139 [01] 0.098s
UP: 10.0.1.57:139 [01] 0.099s
UP: 10.0.1.59:139 [01] 0.099s
UP: 10.0.1.38:111 [01] 0.127s
UP: 10.0.1.57:1025 [01] 0.147s
UP: 10.0.1.59:1025 [01] 0.147s
UP: 10.0.1.57:5000 [01] 0.156s
UP: 10.0.1.59:5000 [01] 0.157s
UP: 10.0.1.53:111 [01] 0.182s
# Quick scan of Slashdot. Hmm, about 12 hops away?
bash-2.05a# scanrand www.slashdot.org
UP: 66.35.250.150:80 [12] 0.017s
UP: 66.35.250.150:443 [12] 0.018s
# Let's check that...ah. 13. Have to slow down to 2mbit.
bash-2.05a# scanrand -b2m -l1-13 www.slashdot.org
002 = 63.251.53.219|80 [02] 0.018s( 10.0.1.11 -> 66.35.250.150 )
001 = 64.81.64.1|80 [01] 0.031s( 10.0.1.11 -> 66.35.250.150 )
003 = 63.251.63.79|80 [03] 0.044s( 10.0.1.11 -> 66.35.250.150 )
004 = 63.211.143.17|80 [04] 0.066s( 10.0.1.11 -> 66.35.250.150 )
005 = 209.244.14.193|80 [05] 0.084s( 10.0.1.11 -> 66.35.250.150 )
006 = 208.172.147.201|80 [08] 0.099s( 10.0.1.11 -> 66.35.250.150 )
007 = 208.172.146.104|80 [06] 0.119s( 10.0.1.11 -> 66.35.250.150 )
008 = 208.172.156.157|80 [08] 0.140s( 10.0.1.11 -> 66.35.250.150 )
009 = 208.172.156.198|80 [08] 0.167s( 10.0.1.11 -> 66.35.250.150 )
010 = 66.35.194.196|80 [09] 0.187s( 10.0.1.11 -> 66.35.250.150 )
011 = 66.35.194.58|80 [09] 0.208s( 10.0.1.11 -> 66.35.250.150 )
012 = 66.35.212.174|80 [10] 0.229s( 10.0.1.11 -> 66.35.250.150 )
UP: 66.35.250.150:80 [12] 0.241s
# Activate DNS resolution (better done as a postprocess, though.)
bash-2.05a# scanrand -b2m -N -l1-13 www.slashdot.org
001 = 64.81.64.1|80 [01] 0.020s( gw081-064-001-sfo1.dsl-isp.net)
002 = 63.251.53.219|80 [02] 0.030s(border5.g3-4.speakeasy-29.sfo.pnap.)
003 = 63.251.63.79|80 [03] 0.053s( core5.ge3-0-bbnet2.sfo.pnap.net)
004 = 63.211.143.17|80 [04] 0.092s(gige4-0-233.ipcolo1.SanFrancisco1.L)
005 = 209.244.14.193|80 [05] 0.121s(gigabitethernet4-0.core1.SanFrancis)
006 = 208.172.147.201|80 [08] 0.123s( acr1-so-2-0-0.SantaClara.cw.net)
007 = 208.172.146.104|80 [06] 0.137s( agr4-loopback.SantaClara.cw.net)
008 = 208.172.156.157|80 [08] 0.150s( dcr2-so-1-3-0.SantaClara.cw.net)
009 = 208.172.156.198|80 [08] 0.168s( ibr01-p4-0.sntc08.exodus.net)
010 = 66.35.194.196|80 [09] 0.190s( dcr02-g10-1.sntc08.exodus.net)
011 = 66.35.194.58|80 [09] 0.211s( csr01-ve242.sntc08.exodus.net)
012 = 66.35.212.174|80 [10] 0.239s( 66.35.212.174)
UP: 66.35.250.150:80 [12] 0.313s( sc8.slashdot.org)
# Let's combine host scanning and tracerouting...why not, it's fast enough :-)
bash-2.05a# scanrand -b 1m -l 1-10 64-66.5,8,15-17.1.1:80
001 = 64.81.64.1|80 [01] 0.021s( 10.0.1.11 -> 64.5.1.1 )
001 = 64.81.64.1|80 [01] 0.037s( 10.0.1.11 -> 65.5.1.1 )
001 = 64.81.64.1|80 [01] 0.054s( 10.0.1.11 -> 66.5.1.1 )
002 = 63.251.53.219|80 [02] 0.059s( 10.0.1.11 -> 64.5.1.1 )
002 = 63.251.53.219|80 [02] 0.088s( 10.0.1.11 -> 65.5.1.1 )
002 = 63.251.53.219|80 [02] 0.101s( 10.0.1.11 -> 66.5.1.1 )
003 = 63.251.63.1|80 [03] 0.118s( 10.0.1.11 -> 64.5.1.1 )
003 = 63.251.63.67|80 [03] 0.167s( 10.0.1.11 -> 66.5.1.1 )
004 = 160.81.100.1|80 [04] 0.189s( 10.0.1.11 -> 64.5.1.1 )
004 = 206.24.216.193|80 [04] 0.219s( 10.0.1.11 -> 66.5.1.1 )
005 = 144.232.3.169|80 [05] 0.240s( 10.0.1.11 -> 64.5.1.1 )
005 = 206.24.210.61|80 [05] 0.291s( 10.0.1.11 -> 66.5.1.1 )
006 = 144.232.3.193|80 [06] 0.324s( 10.0.1.11 -> 64.5.1.1 )
006 = 192.205.32.109|80 [07] 0.340s( 10.0.1.11 -> 66.5.1.1 )
007 = 144.232.9.214|80 [07] 0.379s( 10.0.1.11 -> 64.5.1.1 )
007 = 12.122.11.217|80 [07] 0.413s( 10.0.1.11 -> 66.5.1.1 )
008 = 144.232.18.42|80 [08] 0.444s( 10.0.1.11 -> 64.5.1.1 )
009 = 144.232.6.126|80 [09] 0.508s( 10.0.1.11 -> 64.5.1.1 )
009 = 12.122.11.106|80 [08] 0.571s( 10.0.1.11 -> 66.5.1.1 )
001 = 64.81.64.1|80 [01] 0.620s( 10.0.1.11 -> 64.8.1.1 )
010 = 12.123.24.137|80 [09] 0.632s( 10.0.1.11 -> 66.5.1.1 )
001 = 64.81.64.1|80 [01] 0.637s( 10.0.1.11 -> 65.8.1.1 )
001 = 64.81.64.1|80 [01] 0.654s( 10.0.1.11 -> 66.8.1.1 )
002 = 63.251.53.219|80 [02] 0.658s( 10.0.1.11 -> 64.8.1.1 )
002 = 63.251.53.219|80 [02] 0.679s( 10.0.1.11 -> 65.8.1.1 )
002 = 63.251.53.219|80 [02] 0.700s( 10.0.1.11 -> 66.8.1.1 )
003 = 63.251.63.79|80 [03] 0.718s( 10.0.1.11 -> 64.8.1.1 )
003 = 63.251.63.70|80 [03] 0.767s( 10.0.1.11 -> 66.8.1.1 )
004 = 63.211.143.17|80 [04] 0.788s( 10.0.1.11 -> 64.8.1.1 )
004 = 63.145.224.1|80 [05] 0.829s( 10.0.1.11 -> 66.8.1.1 )
005 = 209.244.14.197|80 [05] 0.847s( 10.0.1.11 -> 64.8.1.1 )
005 = 205.171.14.97|80 [06] 0.891s( 10.0.1.11 -> 66.8.1.1 )
006 = 209.247.10.233|80 [07] 0.908s( 10.0.1.11 -> 64.8.1.1 )
006 = 205.171.205.30|80 [06] 0.949s( 10.0.1.11 -> 66.8.1.1 )
007 = 64.159.0.218|80 [08] 0.958s( 10.0.1.11 -> 64.8.1.1 )
007 = 165.117.48.117|80 [08] 1.000s( 10.0.1.11 -> 66.8.1.1 )
008 = 64.159.2.164|80 [08] 1.019s( 10.0.1.11 -> 64.8.1.1 )
009 = 65.57.86.2|80 [13] 1.089s( 10.0.1.11 -> 64.8.1.1 )
009 = 165.117.68.161|80 [13] 1.134s( 10.0.1.11 -> 66.8.1.1 )
008 = 165.117.67.241|80 [14] 1.141s( 10.0.1.11 -> 66.8.1.1 )
010 = 66.109.14.137|80 [12] 1.150s( 10.0.1.11 -> 64.8.1.1 )
001 = 64.81.64.1|80 [01] 1.205s( 10.0.1.11 -> 64.15.1.1 )
001 = 64.81.64.1|80 [01] 1.221s( 10.0.1.11 -> 64.16.1.1 )
001 = 64.81.64.1|80 [01] 1.253s( 10.0.1.11 -> 64.17.1.1 )
010 = 165.117.200.77|80 [10] 1.260s( 10.0.1.11 -> 66.8.1.1 )
001 = 64.81.64.1|80 [01] 1.271s( 10.0.1.11 -> 65.15.1.1 )
001 = 64.81.64.1|80 [01] 1.287s( 10.0.1.11 -> 65.16.1.1 )
001 = 64.81.64.1|80 [01] 1.304s( 10.0.1.11 -> 65.17.1.1 )
001 = 64.81.64.1|80 [01] 1.322s( 10.0.1.11 -> 66.15.1.1 )
001 = 64.81.64.1|80 [01] 1.353s( 10.0.1.11 -> 66.16.1.1 )
001 = 64.81.64.1|80 [01] 1.371s( 10.0.1.11 -> 66.17.1.1 )
002 = 63.251.53.219|80 [02] 1.387s( 10.0.1.11 -> 64.15.1.1 )
002 = 63.251.53.219|80 [02] 1.407s( 10.0.1.11 -> 64.16.1.1 )
002 = 63.251.53.219|80 [02] 1.427s( 10.0.1.11 -> 64.17.1.1 )
002 = 63.251.53.219|80 [02] 1.448s( 10.0.1.11 -> 65.15.1.1 )
002 = 63.251.53.219|80 [02] 1.467s( 10.0.1.11 -> 65.16.1.1 )
002 = 63.251.53.219|80 [02] 1.478s( 10.0.1.11 -> 65.17.1.1 )
002 = 63.251.53.219|80 [02] 1.499s( 10.0.1.11 -> 66.15.1.1 )
002 = 63.251.53.219|80 [02] 1.529s( 10.0.1.11 -> 66.16.1.1 )
002 = 63.251.53.219|80 [02] 1.541s( 10.0.1.11 -> 66.17.1.1 )
003 = 63.251.63.3|80 [03] 1.638s( 10.0.1.11 -> 65.16.1.1 )
003 = 63.251.63.14|80 [03] 1.659s( 10.0.1.11 -> 65.17.1.1 )
003 = 63.251.63.67|80 [03] 1.727s( 10.0.1.11 -> 66.17.1.1 )
004 = 12.126.195.77|80 [04] 1.819s( 10.0.1.11 -> 65.16.1.1 )
004 = 63.211.143.17|80 [04] 1.842s( 10.0.1.11 -> 65.17.1.1 )
004 = 206.24.216.193|80 [04] 1.899s( 10.0.1.11 -> 66.17.1.1 )
005 = 12.123.13.58|80 [05] 2.012s( 10.0.1.11 -> 65.16.1.1 )
005 = 209.244.14.193|80 [05] 2.018s( 10.0.1.11 -> 65.17.1.1 )
005 = 206.24.210.61|80 [05] 2.081s( 10.0.1.11 -> 66.17.1.1 )
006 = 209.247.10.233|80 [07] 2.198s( 10.0.1.11 -> 65.17.1.1 )
006 = 208.172.146.103|80 [06] 2.261s( 10.0.1.11 -> 66.17.1.1 )
007 = 12.122.10.26|80 [08] 2.368s( 10.0.1.11 -> 65.16.1.1 )
007 = 209.247.11.169|80 [08] 2.423s( 10.0.1.11 -> 65.17.1.1 )
007 = 208.172.156.153|80 [08] 2.441s( 10.0.1.11 -> 66.17.1.1 )
008 = 209.247.11.182|80 [08] 2.603s( 10.0.1.11 -> 65.17.1.1 )
008 = 208.172.156.58|80 [09] 2.621s( 10.0.1.11 -> 66.17.1.1 )
009 = 12.122.12.58|80 [09] 2.762s( 10.0.1.11 -> 65.16.1.1 )
009 = 209.245.208.30|80 [09] 2.783s( 10.0.1.11 -> 65.17.1.1 )
009 = 208.172.146.19|80 [09] 2.810s( 10.0.1.11 -> 66.17.1.1 )
010 = 12.123.16.233|80 [10] 2.933s( 10.0.1.11 -> 65.16.1.1 )
010 = 216.212.127.198|80 [14] 2.969s( 10.0.1.11 -> 65.17.1.1 )
010 = 206.24.241.178|80 [13] 3.000s( 10.0.1.11 -> 66.17.1.1 )
006 = 12.122.11.81|80 [07] 4.226s( 10.0.1.11 -> 65.16.1.1 )
# Split mode operation. The only thing syncing these two scans is the crypto.
bash-2.05a# scanrand -t0 -L -s this_is_a_demo &
[1] 39294
bash-2.05a# scanrand -S -s this_is_a_demo www.slashdot.org
bash-2.05a# UP: 66.35.250.150:80 [12] 16.062s
UP: 66.35.250.150:443 [12] 16.063s
bash-2.05a# scanrand -S -s this_is_a_demo 10.0.1.1-254:quick
UP: 10.0.1.38:80 [01] 42.419s
UP: 10.0.1.110:443 [01] 42.432s
UP: 10.0.1.254:443 [01] 42.437s
UP: 10.0.1.57:445 [01] 42.440s
UP: 10.0.1.59:445 [01] 42.440s
UP: 10.0.1.38:22 [01] 42.463s
UP: 10.0.1.110:22 [01] 42.474s
UP: 10.0.1.110:23 [01] 42.474s
UP: 10.0.1.254:22 [01] 42.493s
UP: 10.0.1.254:23 [01] 42.493s
UP: 10.0.1.25:135 [01] 42.504s
UP: 10.0.1.57:135 [01] 42.505s
UP: 10.0.1.59:135 [01] 42.506s
UP: 10.0.1.25:139 [01] 42.514s
UP: 10.0.1.27:139 [01] 42.514s
UP: 10.0.1.57:139 [01] 42.515s
UP: 10.0.1.59:139 [01] 42.516s
UP: 10.0.1.38:111 [01] 42.543s
UP: 10.0.1.57:1025 [01] 42.563s
UP: 10.0.1.59:1025 [01] 42.564s
UP: 10.0.1.57:5000 [01] 42.573s
UP: 10.0.1.59:5000 [01] 42.574s
bash-2.05a# UP: 10.0.1.53:111 [01] 42.700s
UP: 10.0.1.53:111 [01] 46.078s
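An added model of why the split-mode run above needs nothing but the shared seed: the listener recomputes the inverse SYN cookie from each reply's own addressing and checks it against ACK-1, so no per-probe table is kept. This is illustrative code, not scanrand's or Paketto Keiretsu's; the exact HMAC input layout, the initial-TTL heuristic for the [n] column, and the packet fields are assumptions.

```python
import hmac
import hashlib
import struct
import ipaddress

# Assumed cookie layout (scanrand's real byte order is not shown on the page):
# HMAC-SHA1(seed, src_ip || dst_ip || dst_port), truncated to the 32-bit SEQ field.
def inverse_syn_cookie(seed: bytes, src_ip: str, dst_ip: str, dst_port: int) -> int:
    msg = (ipaddress.IPv4Address(src_ip).packed
           + ipaddress.IPv4Address(dst_ip).packed
           + struct.pack("!H", dst_port))
    return struct.unpack("!I", hmac.new(seed, msg, hashlib.sha1).digest()[:4])[0]

def build_syn(seed: bytes, src_ip: str, dst_ip: str, dst_port: int) -> dict:
    """Sender side (-S): nothing persists across probes except the seed."""
    return {"src": src_ip, "dst": dst_ip, "dport": dst_port,
            "seq": inverse_syn_cookie(seed, src_ip, dst_ip, dst_port)}

def verify_response(seed: bytes, resp: dict) -> bool:
    """Listener side (-L): a SYN/ACK echoes our SEQ+1 as its ACK, so recompute the
    cookie from the reply's own addresses/port and compare. Any reply whose ACK-1
    does not match (forged, stale, or from another seed) is dropped."""
    expected = inverse_syn_cookie(seed, resp["dst"], resp["src"], resp["sport"])
    return ((resp["ack"] - 1) & 0xFFFFFFFF) == expected

def estimate_distance(observed_ttl: int) -> int:
    """Assumed heuristic for [n]: nearest common initial TTL (64/128/255) minus the reply TTL."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range")

def listen(seed: bytes, responses: list) -> list:
    """Return 'UP: host:port [n]' lines for SYN/ACKs whose cookie verifies."""
    up = []
    for r in responses:
        if r["flags"] == "SA" and verify_response(seed, r):
            up.append(f"UP: {r['src']}:{r['sport']} [{estimate_distance(r['ttl']):02d}]")
    return up

# Constructed demo: the seed and target from the split-mode run, plus one forged reply.
SEED = b"this_is_a_demo"
PROBE = build_syn(SEED, "10.0.1.11", "66.35.250.150", 80)
SAMPLE_RESPONSES = [
    {"src": "66.35.250.150", "sport": 80, "dst": "10.0.1.11", "dport": 40000,
     "flags": "SA", "ttl": 52, "ack": (PROBE["seq"] + 1) & 0xFFFFFFFF},
    {"src": "66.35.250.150", "sport": 443, "dst": "10.0.1.11", "dport": 40000,
     "flags": "SA", "ttl": 52, "ack": 0x12345678},  # forged: ACK not derived from the seed
]
```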