Information Gatheringport-scannertcp-scanningudp-scanningos-fingerprintingbanner-grabbingnetwork-scanning

Unicornscan

Unicornscan is a scalable, accurate, flexible, and efficient information gathering and correlation engine for security research. It provides a user-land distributed TCP/IP stack for advanced asynchronous stateless TCP and UDP scanning with OS and application identification.

Description

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. Released under the GPL license, it serves as a superior interface for introducing stimuli into and measuring responses from TCP/IP enabled devices or networks.

The tool supports hundreds of individual features including asynchronous stateless TCP scanning with all variations of TCP flags, TCP banner grabbing, protocol-specific UDP scanning, and active/passive remote OS, application, and component identification through response analysis. Additional capabilities include PCAP file logging and filtering, relational database output, custom module support, and customized data-set views.

Unicornscan excels in high-performance network reconnaissance, enabling researchers to scan large networks efficiently while gathering detailed information about open ports, services, and system characteristics.

How It Works

Unicornscan operates as a user-land distributed TCP/IP stack that performs asynchronous stateless TCP scanning with customizable TCP flag combinations and protocol-specific UDP scanning that sends minimal signatures to elicit responses. It achieves high packet rates (shown as 963.9 pps in examples) through efficient packet transmission and reception, processing duplicate replies, ICMP errors, and TCP RSTs. The tool uses PCAP filtering for precise response capture and supports custom output formats, module-based processing, and relational database integration for correlation and analysis of scan results.

Installation

bash

sudo apt install unicornscan

Flags

-mTsfSet scan mode to TCP scan with specific flags and features

-IvEnable interface specification and verbose output

-rSet packets per second rate (total, not per host)

-iSpecify network interface to use

-IUse specific interface(s)

-b, --broken-crcSet broken CRC sums on Transport layer, Network layer, or both

-B, --source-portSet source port or whatever the scan module expects

-c, --proc-duplicatesProcess duplicate replies

-d, --delay-typeSet delay type (1:tsc 2:gtod 3:sleep)

-D, --no-defpayloadNo default payload, only probe known protocols

-e, --enable-moduleEnable modules listed as arguments (output and report)

-E, --proc-errorsProcess 'non-open' responses (ICMP errors, TCP RSTs)

-F, --try-fragsTry fragmentation

-M, --module-dirDirectory where modules are found

-o, --formatFormat of what to display for replies

-p, --portsGlobal ports to scan if not specified in target

-P, --pcap-filterExtra PCAP filter string for receiver

-q, --covertnessCovertness value from 0 to 255

-Q, --quietDon't use output to screen

-R, --repeatsRepeat packet scan N times

-v, --verboseVerbose output (more v's = more verbose)

Examples

Performs TCP scan on all ports (a) of target 192.168.0.102 at 1000 packets per second using interface eth0, showing open ports like 445, 443, 161, 80, 139 with service names and TTL

unicornscan -mTsf -Iv -r 1000 192.168.0.102:a

Scans 192.168.1.0/24 network ports 1-4000 and gateway all ports at 160 pps with error processing enabled using eth1 interface

unicornscan -i eth1 -Ir 160 -E 192.168.1.0/24:1-4000 gateway:a

Sends TCP SYN packets with NO SYN|FIN|NO Push|URG flag combination to target

unicornscan -mTsFpU 192.168.0.102

Scans specific port 445 on target, showing TCP open connection details

unicornscan 192.168.0.102:445

Displays help for the us wrapper of unicornscan

us -h

Uses companion fantaip tool to spoof IP on eth0 interface for target 192.168.1.7

fantaip -i eth0 192.168.1.7

Processes PCAP file with unibrow tool filtering for UDP port 500 and outputs to new.conf

unibrow -o new.conf -i file.pcap port 500 and udp

Updated 2026-04-16kali.org ↗