Reconnaissance with Unicornscan

Port Scanning with Unicornscan

In this section of Hackers-Arise, we have looked at a variety of tools for port scanning and OS fingerprinting from nmap, hping and p0f. In this lesson on port scanning and reconnaissance, I want to introduce you to one more tool, unicornscan. While nmap is the most widely used port scanner for pentesters and hackers, it does have some shortcomings. First, it doesn't do OS fingerprinting very well. Second, it can be relatively slow; and lastly, it uses the TCP/IP stack of the underlying operating system for sending packets making easy for the target to determine the attacker's OS.

Before I go any further I want to add that there is no perfect tool. Each of these tools has its strengths and weaknesses. That's why it's wise to become familiar with more than one tool to do the job so that when a situation arises, you can select the proper tool for the job.

I. Unicornscan Introduction

Unicornscan is a sophisticated, powerful and stateless port scanner that uses stimulus into and measuring a response from any TCP/IP enabled device (there are billions out there). Although it has hundreds of features, some of its key features include;

  • Asynchronous stateless TCP scanning with each of the TCP flags or flag combinations

  • Asynchronous banner grabbing for application and OS fingerprinting

  • Asynchronous protocol specific UDP scanning

  • Active and Passive remote OS and application detection

  • PCAP file logging and filtering

  • Relational database output for storing the results of your scans

  • Custom module support so that pentesters can tailor it to their specific needs

  • Customized data set views.

One of the key features of unicornscan that sets it apart of nmap and other port scanners is that it has its own TCP/IP stack. The other port scanners all use the underlying host operating system's TCP/IP stack. This enables unicornscan to scan much more quickly than the others as it can, for instance, send out SYN packets with one thread and receive the responses with another thread. This can make a huge difference when scanning very large networks as a security researcher/ pentester where we might be scanning thousands of IP addresses and be even more important to an attacker who may be scanning millions of addresses looking for a particular open port or vulnerability. In addition, because it has its own TCP/IP stack, it is capable of sending packets with different OS fingerprints that the operating system of your host. This can be very useful for obscuring your identity, especially combined with IP spoofing.

Unicornscan is built into Kali, so no need to download, unpack and compile new software. Since it is installed in the /usr/bin directory, we can access unicornscan from the command line from any directory.

Let's get started with unicornscan.

II. Unicornscan Help

Let's begin by looking at the help file for unicornscan by typing;

kali > unicornscan -h

Since the help screen is so long, I captured it in two screenshots and displayed the second one below.

There is a LOT of information is this help file, so let's start with some simple scans to demonstrate the power of unicornscan and work up to some more complex examples.

The syntax for a basic unicornscan (default is a TCP SYN) scan is;

kali > unicornscan <host>

Let's try it against a Windows 7 machine on our network.

kali > unicornscan

This simple syntax will return for us the open TCP ports on the target system, very similar to the nmap -sS scan, but without the default ICMP that nmap uses. As you can see, unicornscan reports back to us that ports 135,139,445 and 554 are open on the target Windows 7 system.

What if we want to scan more than one IP address? Unicornscan has slightly different syntax for scanning multiple hosts than nmap or hping. Each of the hosts must be listed individually without a comma between them, as below.

kali > unicornscan

If we wanted to scan our entire network, we can use CIDR notation such as to scan all 255 IP addresses. Let's say we wanted to find all the IP that had port 80 open. We simply need to use the :80 notation after the CIDR notation such as;

kali > unicornscan

Here we can see unicornscan scanned the entire Class C network finding all the hosts with port 80 open.

Unicornscan is not limited to our internal network and this is where its speed becomes critical. What if I knew that a particular vulnerability existed on systems that had port 5505 open. I have no idea where these systems were. They could be anywhere in the world, meaning that I would have to scan over 4 billion addresses! I could break the scans down to smaller pieces, say a million at a time. I could use unicornscan to scan one million addresses looking for port 5505 by typing;

kali > unicornscan

III. TCP Scanning

Unicornscan defaults to a TCP scan without sending any ICMP, unlike nmap. By default, it sends a SYN scan. Let's say we wanted to scan our favorite IT security training site, hackers-arise.com, looking for ports 80 and 443 and sending 200 packets per second we could write;

kali > unicornscan -r200 -mT hackers-arise.com:80,443



indicates we want to send 200 packets per second


indicates we want to scan (m) using the TCP protocol


indicates the host and the ports we want to scan

As you can see, unicornscan only found port 80 open at hackers-arise.com

IV. UDP Scanning

What if we are looking for UDP ports? Since unicornscan, by default, sends TCP SYN packets, it will not find UDP ports unless we specify a UDP scan, similar to nmap. We can scan for UDP ports by simply replacing the T with a U after the -m, such as;

kali >unicornscan -r300 -mU hackers-arise.com


-r300 indicates we want to scan with 300 packets per second

-mU indicates we want to scan with the UDP protocol.

When we scan hackers-arise.com with a UDP scan, it finds no UDP ports open. This is not unexpected for a web server, but on a typical network you are likely to see many UDP ports open such 53, 161 and others.

V. Saving to a PCAP file

One of the other beauties of the unicornscan is its ability to save the returned packets to a PCAP file format. This enables us then to analyze the response packets at a later time with tools such as Wireshark. So, if we wanted to find hosts with port 5505 open and make it appear to be coming from an openBSD system with the IP address of we could write a command like this;

kali > unicornscan -r500 -w huntfor5505.pcap -W1 -s



indicates we want to scan with 500 packets per second

-w huntfor5505.pcap

indicates we want to write to a file named huntfor5505.pcap


indicates we want to packets to sent with the fingerprint of an openBSD system


indicates we want the packets to be sent with a spoofed IP that follows (

VI. Unicornscan Cheat Sheet

Unicornscan is a powerful scanner with hundreds of features, a few of which we have touched upon here. Probably its greatest advantage over other port scanners are the fact that it has its own TCP/IP stack enabling it to scan faster and spoof other TCP/IP stacks.

For the most common scanning, please find a cheat sheet below to assist you.

SYN : -mT

ACK scan : -mTsA

Fin scan : -mTsF

Null scan : -mTs

Xmas scan : -mTsFPU

Connect Scan : -msf -Iv

Full Xmas scan : -mTFSRPAU

scan ports 1 through 5 : (-mT) host:1-5

To spoof your IP use -s followed by the IP address.

To use another OS fingerprint use the -W switch followed by the numeric value of the OS.

0=Cisco (default) 1=openbsd 2= Windows XP 3= p0fsendsyn 4=FreeBSD 5= nmap

10,124 views0 comments