icescan - network auditing/exploration tool and port scanner.

icescan [scan_type] [options] <target>

IceScan is an open source tool (GPL licensed) for network auditing and exploration. You may find that IceScan is very close to Nmap in many of its options and features, and that is true. IceScan was written for educational purposes, but it already has some features that do not exist in other free network auditing tools, so you may find it useful when auditing the security of your network(s).

As with Nmap, the main result produced by IceScan is the ports table. It consists of three columns: port number/protocol, port state and service. A port can have one of the following states: open, closed, filtered (filt), open|filtered (o|f) and unfiltered (unfilt). An open port means that an application on the target is listening for connections/datagrams on this port. A filtered port is a port blocked by a firewall. A closed port has no application listening on it, but access to it is not blocked by a firewall. An unfiltered port is not blocked by a firewall and may be open or closed. Finally, an open|filtered port is one that is not closed, but IceScan cannot determine which of the two remaining states it has: open or filtered. The service column provides some information about the application that is running, or can be run, on this port. This information may include the supposed protocol or application name and version. Other kinds of results may include discovery information (reverse DNS lookups, MACs, timestamps, etc.), fingerprinting information (OS version, device type, etc.) and also some vulnerability tests.

IceScan can work in two modes: active (Nmap-like) and passive. In active mode it acts as a standard port scanner. In passive mode IceScan does not send any packets; instead it listens for incoming packets and tries to build a "map" of the network. The two modes can be combined: passive discovery followed by active scanning. See also README and INSTALL for more on using/installing IceScan, and NEWS for information about IceScan news.

You can download the newest version of IceScan from the homepage or from CVS: pserver:anonymous@icescan.cvs.sf.net:/cvsroot/icescan, module name IceScan.

The following options summary is printed when IceScan is started with no arguments; it is a short crib sheet of all IceScan commands and specific options. Beware that the options list may change from version to version.
USAGE: icescan [options] [scan type] <target specification>
TARGET SPECIFICATION:
  target can be hostname, IP address (or range) or CIDR block
  -iL <filename> | - (stdin): input targets from file|stdin
  --exclude <host1[,host2][,host3],...> (exclude hosts/nets)
  --excludefile <filename> | - (stdin) (exclude list from file|stdin)
HOST DISCOVERY:
  default is PA and PE.
  -P0: skip host discovery
  -PA/PF/PS: ACK/FIN/SYN Ping host discovery
  -PR: ARP host discovery
  -PE/PT/PM: ICMP Echo/Timestamp/Mask host discovery
  -PU: UDP ping discovery
  -PP [seconds]: passive discovery; capture packets for [seconds]
  -n: disable reverse-dns lookups
  --use-first-resolve: use only 1st IP in DNS resolving of target
  --dns-servers <dns1[,dns2],...>: specify custom DNS servers
  --system-dns: use standard (OS) DNS resolver
SCAN:
  default is tcp connect() or TCP SYN
  -ST/SA/SS/SW/SM: tcp connect()/ACK/SYN/Window/Maimon scan
  -SB: udp NetBIOS scan
  -SI: IP Protocol scan
  -SN/SF/SX: stealth tcp Null/FIN/XMAS scan
  -SP [seconds]: passive scan; capture packets for [seconds]
  -SU: udp scan
  -S0: no scan
  -SL: list scan
  --scanflags <flags>: Customize TCP scan flags (SF/SX/SN scans)
  --data-length <len>: Append random data to sent packets
  -p <port range>: specify port range to scan (default 1-1024), example: 1-10,12-14
OS DETECTION:
  -O: passive os fingerprinting (works with -SS and -SP)
INTERFACES:
  --list-interfaces: list all interfaces
  -e <iface-number>: use interface <iface-number> for pcap/source iface
  --pcap-filter "expression": use pcap filter
  --send-eth: use channel(2) level to send raw packets
  --send-ip: use network(3) level to send raw packets
  --promisc: put interface(s) in promiscuous mode
  --input-dumpfile: input tcpdump file for passive scan/ping
TIMING AND PERFORMANCE:
  -T<0|1|2|3|4>: Specifies probe round trip time
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time
  --max-retries <tries>: Caps number of port scan probe retransmissions
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
SCRIPTING && IDS:
  -SC: script scan
  --script <script filename>: script name to run
FW/IDS EVASION AND SPOOFING:
  -s <IPv4 address>: spoof source address
  --source-port/-g <portnum>: use specified source port number
  --ttl <value>: set IP time-to-live field
  --bounce-http-proxy <<hostname>:<port>>: connect() through HTTP proxy
  --ip-options <R|T|U>: add specific IP option to outgoing packets
  --tcp-options <N|E|S|T0|T|?x|Mx|Wx,...>: add specific tcp options
  --badchksum: send packets with wrong TCP/UDP checksums
OUTPUT:
  -oI/oG <filename>: Output scan in normal/grepable format to given file
  -oA <base_filename>: Output in all formats at once
  -w <filename>: dump all received packets to file
  --packet-trace: print all packets that are sent and received
  --open: show only open (or possibly open) port(s)
  -d<debug level>: set debug level (values from 1 to 9 available)
  -v[v[v[v]]]: verbose levels
OTHER:
  --uid0: assume that the current user is fully privileged
  --uid1: assume that the current user isn't fully privileged
  -V/--version: print version information and exit
  -?: this message

For useful work, IceScan requires only one argument: the target. A single target may be a hostname, DNS name or IP address of the machine you want to scan. Some examples of targets: 127.0.0.1, icestation, novell.com, 205.217.153.62, etc. If the target is a domain name that resolves to many IPs, IceScan processes all of them unless the --use-first-resolve option is used.

You may also use a multiple-target notation: CIDR. CIDR (Classless Inter-Domain Routing) blocks are written with a syntax similar to that of IPv4 addresses: a four-part dotted-decimal address followed by a slash and then a number from 0 to 32: A.B.C.D/N. The dotted-decimal portion is interpreted, like an IPv4 address, as a 32-bit binary number broken into four 8-bit bytes. The number following the slash is the prefix length, the number of shared initial bits counting from the left-hand side of the address. Example: giving IceScan 192.168.0.0/24 forces a scan of the IPs 192.168.0.0 - 192.168.0.255 (including the network and broadcast addresses).

Multiple targets can also be given on one line, separated by spaces. You can mix CIDR blocks, IPs and domain names. For example:

  icescan -n -P0 -SF 127.0.0.1 192.168.0.0/24 scanme.nmap.org

-iL <filename> | - (stdin) (input targets from file|stdin)

Target(s) will be read from the specified file or from stdin instead of from the command line arguments.

--exclude <host1[,host2][,host3],...> (exclude hosts/nets)

The specified domain names, hosts and networks will be excluded from the target list. Note: NO RESOLVING of domain names is done here.

--excludefile <filename> | - (stdin) (exclude list from file|stdin)

Same as the previous option, but the exclude list will be read from the specified file or from stdin.
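
As an added example (not IceScan's own code), the following Python expands a target list the way described above: single IPs, A.B.C.D/N blocks including the network and broadcast addresses, and hostnames that resolve to several IPs with and without --use-first-resolve, then drops --exclude entries. DNS is replaced by a constructed lookup table so it runs offline; since the page does not say how an unresolved name in the exclude list is matched, this example compares exclude entries only as addresses or CIDR blocks (an assumption).

```python
"""Expand an IceScan-style target specification offline (added example)."""
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for DNS so the example runs without network access.
FAKE_DNS: Dict[str, List[str]] = {
    "icestation": ["192.168.0.10"],
    "multi.example": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
}


def fake_resolve(name: str) -> List[str]:
    """Return every address the constructed table holds for name."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise ValueError(f"cannot resolve target {name!r}")


def expand_one(spec: str, resolve: Callable[[str], List[str]],
               use_first_resolve: bool = False) -> list:
    """Expand one target: dotted IP, A.B.C.D/N block, or hostname."""
    if "/" in spec:
        # strict=False lets 192.168.0.1/24 mean the whole 192.168.0.0/24 block;
        # iterating the network yields network and broadcast addresses as well,
        # matching the behaviour described in the man page.
        return list(ipaddress.ip_network(spec, strict=False))
    try:
        return [ipaddress.ip_address(spec)]
    except ValueError:
        pass  # not a literal address: treat it as a name to resolve
    addrs = resolve(spec)
    if use_first_resolve:
        addrs = addrs[:1]  # --use-first-resolve: keep only the first IP
    return [ipaddress.ip_address(a) for a in addrs]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = (),
                   resolve=fake_resolve, use_first_resolve=False) -> List[str]:
    """Expand all targets in order, de-duplicate, then drop excluded ones.

    Assumption: exclude entries are compared as IPs or CIDR blocks only; like
    IceScan's --exclude, nothing in that list is resolved, so a bare hostname
    there is skipped by this example.
    """
    excluded = []
    for item in exclude:
        try:
            excluded.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            continue  # hostname in the exclude list: not resolved
    seen = set()
    result: List[str] = []
    for spec in specs:
        for addr in expand_one(spec, resolve, use_first_resolve):
            if addr in seen or any(addr in net for net in excluded):
                continue
            seen.add(addr)
            result.append(str(addr))
    return result
```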

Before you can scan the target machine, you should check whether it is really up. If you do not know this, you may interpret port scanning results incorrectly. Host discovery can also provide some additional information about the target, such as MACs, timestamps, etc. Note: -P* options can be combined. By default, -PE (root mode) or -PA (non-root mode) is on.

-P0 (no ping)

This option tells IceScan to skip the host discovery process and treat all target(s) as up.

-PA/-PF/-PS [portlist] (ACK or connect()/FIN/SYN ping)

To discover whether a target is up, IceScan sends an ACK (or a connect() if run as a non-superuser), FIN or SYN packet to every port in portlist (or, if no portlist is specified, to port 80); if the target replies in any way, it is considered up. This discovery method is used by default. See the -p option for details on the portlist syntax.

-PU [portlist] (udp ping)

In a UDP ping, IceScan sends UDP datagrams to the target host and, if the host replies with a UDP or ICMP message, it is considered up. Portlist defines the UDP destination ports; if no portlist is specified, a port is selected randomly from the interval [30000, 65535]. This method requires superuser privileges. See the -p option for details on the portlist syntax.

-PE/-PT/-PM (ICMP Echo/TimeStamp/NetMask pings)

This is the "standard" way of host discovery: through the ICMP protocol. IceScan sends an echo/timestamp/netmask request to the target and waits for a reply. If a reply is received, the target is up. This method requires superuser privileges. -PE is the default discovery option.

-PR (ARP host discovery)

This is low-level ARP host discovery. IceScan sends the target some message and then checks the ARP cache for the target's IP. If it is there, the target is up. When you run -PR as a non-superuser, IceScan sends a UDP datagram to port 138, hoping that the OS will do the ARP work itself. As superuser, it sends only a standard ARP request. ARP ping is useful only on local networks.

-PP [seconds] (passive discovery for timeout in seconds)

This is passive discovery. IceScan sleeps for the given number of seconds and collects network traffic on the interface specified by -e (or reads it immediately from the file specified by --input-dumpfile). All collected traffic is parsed, and any activity from a host (e.g. TCP, UDP, IP or ARP) automatically marks it as discovered. Note: if a listening timeout is also specified for -SP, the larger timeout is used. If no timeout is given at all, IceScan collects data until Ctrl-C is hit.

-n (no dns lookups)

This option tells IceScan not to make reverse DNS lookups (i.e. lookups of the domain name for an IP address). Sometimes this makes the discovery process faster.

--use-first-resolve (use only 1st IP in DNS resolving of target)

When IceScan is given a domain name that resolves to multiple IPs, only the first IP will be processed for discovery/scanning.

--dns-servers <dns1[,dns2],...> (specify dns servers)

By default, IceScan tries to resolve all domain names using the DNS servers specified in the system settings (e.g. /etc/resolv.conf or the registry). With this option you can define custom DNS servers that will be used instead.

--system-dns (use standard (OS) DNS resolver)

Use gethostbyname() and related functions (also known as the system resolver) instead of IceScan's internal resolver.

The default port scanning methods are connect() in non-superuser mode and TCP SYN in superuser mode.

-ST (tcp connect())

The simplest scan engine, which uses the standard BSD sockets API function connect(). IceScan tries to connect() to the specified port(s) and uses getsockopt() to detect each port's status. This is not a good choice for a stealthy scan; moreover, this scan type is easily detected by firewall and IDS software. But it is the only scan method available in non-superuser mode.

-SS (tcp SYN scan)

The best-known and most efficient scan method. It is stealthy, fast and almost reliable. We send a TCP SYN segment to the target port: if we get an RST answer, the port seems to be closed; if we receive a TCP SYN/ACK segment, the port is open, and we send an RST packet to close the connection. If we get no reply at all, the port is filtered.

-SA/SW (tcp ACK/Window scan)

Two scan methods based on the same principle: we send a TCP ACK segment and, if we receive an RST packet, the target port is unfiltered (ACK scan). With the Window scan we can, in rare cases, determine whether the port is open or closed by checking the returned window size (if it is greater than 0, the target port is open). But this does not work well with modern TCP stacks.

-SB (udp NetBIOS scan)

With this type of scan, you can determine various NetBIOS states of the target system.

-SI (IP Protocol scan)

The IP protocol scan determines which protocol types (TCP, ICMP, IGMP, etc.) are supported by the target host. It uses raw IP packets and ICMP messages to check this.

-SN/SF/SX/SM (stealth tcp Null/FIN/XMAS/Maimon scan)

Rare variations of the TCP scan. With these scan types, we send a TCP segment with no flags/FIN/FIN+PSH+URG/FIN+ACK set, respectively. If we receive an RST packet, we set the port status to closed; otherwise we consider the port open|filtered.

-SP [seconds] (passive scan)

In a passive scan we capture packets for the given interval or until Ctrl-C is hit. Network traffic can be received from an interface (-e option) or from a dump file (--input-dumpfile option). The target argument(s) act as a filter in this scan type: every packet that does not match the target specification is ignored. You can set the target to 0.0.0.0/0 to explore all hosts mentioned in the captured traffic. When a TCP SYN+ACK/RST packet is received by IceScan, it determines that the source port on the source host is open/closed. This scan type can also be combined with the passive OS fingerprinting option (-O) to detect the target's OS. Also, with a passive scan you can gain information about MAC addresses, MTUs and timestamps.
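
The passive scan rule above (a SYN+ACK from host H port P means P is open on H, an RST from H port P means P is closed, packets from outside the target specification are ignored, and 0.0.0.0/0 matches every host), worked through as an added Python example that is not part of IceScan: it constructs a few IPv4/TCP packets in memory as sample traffic, parses the headers, and builds the (host, port) state map.

```python
"""Infer open/closed ports from captured TCP replies, as a passive scan does."""
import ipaddress
import struct
from typing import Dict, List, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal IPv4 header + TCP header with no payload.
    Checksums stay zero: this is constructed sample data, not wire-valid."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(pkt: bytes) -> Tuple[str, int, int]:
    """Return (source IP, source port, TCP flags) of an IPv4/TCP packet;
    raise ValueError for anything that is not IPv4 carrying TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not TCP")
    src = str(ipaddress.ip_address(pkt[12:16]))
    sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    flags = pkt[ihl + 13]              # flags byte of the TCP header
    return src, sport, flags


def passive_scan(packets: List[bytes], targets: List[str]) -> Dict[Tuple[str, int], str]:
    """Map (host, port) -> 'open' | 'closed' using only the replies seen."""
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    states: Dict[Tuple[str, int], str] = {}
    for pkt in packets:
        try:
            src, sport, flags = parse_packet(pkt)
        except ValueError:
            continue                   # non-TCP traffic: nothing to learn
        if not any(ipaddress.ip_address(src) in n for n in nets):
            continue                   # outside the target spec: ignored
        if flags & TCP_SYN and flags & TCP_ACK:
            states[(src, sport)] = "open"      # someone accepted a SYN there
        elif flags & TCP_RST:
            states[(src, sport)] = "closed"    # the host refused on that port
    return states


# Constructed sample traffic: a web server answering, a closed telnet port,
# a host outside the target range, and a plain ACK that carries no state.
SAMPLE = [
    build_packet("192.168.0.10", "192.168.0.5", 80, 40001, TCP_SYN | TCP_ACK),
    build_packet("192.168.0.10", "192.168.0.5", 23, 40002, TCP_RST | TCP_ACK),
    build_packet("10.9.9.9", "192.168.0.5", 22, 40003, TCP_SYN | TCP_ACK),
    build_packet("192.168.0.5", "192.168.0.10", 40001, 80, TCP_ACK),
]
```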

-SU (udp scan)

This is the slowest and most unreliable type of scan. We send a UDP packet to the target port and, if we receive any answer, the port seems to be open. If we receive an ICMP unreachable packet, the port is closed. In any other case the port is open|filtered.

-S0 (no scan)

No scan: all targets are skipped entirely, or only discovered (if the -P0 option is not specified). Useful for discovering which hosts in a network are up without scanning them.

-SL (list scan)

No scan and no discovery; IceScan only tries to detect the target's MAC and IP/reverse DNS name. For testing purposes only.

--scanflags <flags> (customize TCP scan flags)

With this option, you can set custom TCP flags for the TCP segments sent in SF/SX/SN scans. The notation is simple: <URG|ACK|PSH|RST|SYN|FIN[ URG|ACK|PSH|RST|SYN|FIN]...>.

--data-length <len> (append random data to sent packets)

With this option, randomly generated junk is appended to all TCP/UDP/IP packets sent during the scan. It is a good way to get past some naive firewalls or IDSes.

-p <port range> (specify port range to scan)

The default port range is 1-1024, but you can specify your own. The syntax is simple: ranges or single ports separated by commas. For example: 1-10,12-14,22.

IceScan can detect the remote host's OS using passive OS fingerprinting. The main principle of this method is that we do not send fingerprinting queries to the target machine; instead we use its replies to standard scan probes (in active scan mode) or captured traffic data (in passive scan mode). The OS fingerprints are stored in a database (the passive-osfp file) with a special format. IceScan uses the same fingerprint database format as the p0f tool, and some detection methods derived from p0f. Note: the IceScan passive fingerprint database was made from scratch and differs from p0f's. The database format is simple:

  [tcpsyn]      # tcp syn signatures
  [tcpsynack]   # tcp syn+ack signatures
  [tcprst]      # tcp rst signatures

For more information on the signature format, see the passiveos-fp file.

-O (passive os fingerprinting)

Passive OS fingerprinting works only with the -SS and -SP scan types. It prints the possible OS after the port table, or the raw signature if it cannot detect the OS type. In that case, if you know the target's OS type and version, please send the output and a full description of the scanned device to icescan-devs@lists.sourceforge.net.

The options in this section define how packets are delivered to the network by IceScan and how they are captured from it.

--list-interfaces (list all interfaces)

Simply lists all network interfaces (with their numbers) that are available for packet sending/receiving.

-e <iface-number> (use specific interface for capture/send)

If this option is used, IceScan will listen and send packets only on the selected interface (interface numbers can be printed with the --list-interfaces option). All other interfaces and interface auto-detection are disabled.

--pcap-filter <"expression"> (use pcap filter)

If this option is set, all incoming packets are filtered with the pcap filter "expression". For more information on pcap filters, check the TCPDUMP homepage ( http://www.tcpdump.org ).

--send-eth (use channel(2) level to send raw packets)

IceScan will use the pcap mechanism for injecting packets into the network. This is the default in almost all cases.

--send-ip (use network(3) level to send raw packets)

IceScan will use the raw sockets mechanism for injecting packets into the network. Note: this will not work on some operating systems (such as modern NT systems or Linux kernels).

--promisc (put interface(s) in promiscuous mode)

All interfaces used by IceScan will be opened in promiscuous mode. Useful for passive scanning, but almost useless in active scan mode.

--input-dumpfile <dumpfile> (input tcpdump file for passive scan/ping)

Instead of opening an interface, IceScan will read packets from a tcpdump file, or from stdin when - is used as the filename.

IceScan has small scripting features based on Lua. Currently the scripting engine is in an early stage of development and highly experimental.

-SC (script scan)

IceScan will try to execute the script passed with the --script option after an open port is discovered and the port type satisfies the script's conditions.

--script <script filename> (script name to run)

Sets the script filename to load and run after any open port is discovered.

The options in this section are used to customize outgoing IP packets to give them a chance of evading a firewall and/or IDS.

-s <IPv4 address> (spoof source address)

With this option, you can set the source address of outgoing packets.

--source-port/-g <portnum> (use specified source port number)

In the default mode of operation, IceScan selects the source port randomly from the range 9999-65534. This option forces outgoing TCP/UDP packets to have the given source port.

--ttl <value> (set IP time-to-live field)

After setting this option, all outgoing IP packets will have the specified value in the TTL field.

--bounce-http-proxy <<hostname>:<port>> (connect() through HTTP proxy)

If you have the address(es) of an HTTP proxy, you can use them in your connect() (-ST) scans to be more stealthy. IceScan will try to pass probes through the HTTP proxy instead of connecting directly.

--ip-options < R | T | U > (add specific IP option to outgoing packets)

With this option you can add one specific IP option to outgoing packets: R (record route), T (record internet timestamps), U (record timestamps and IP addresses). Only one option can be specified at a time.

--tcp-options <N|E|S|T0|T|?x|Mx|Wx,...> (add specific tcp options)

Adds specific TCP options to outgoing packets, such as timestamp, MSS and more. Options are passed as a string with commas as delimiters. Here is the full list of available options:

  N  - NOP option
  E  - EOL option
  Wx - window scaling option, value x
  Mx - maximum segment size option, value x
  S  - selective ACK OK
  T  - timestamp
  T0 - timestamp with zero value
  ?n - unrecognized option number n

The options are applied to all outgoing TCP segments in superuser mode.
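
Added example (not IceScan's code) that encodes a --tcp-options string of the form above into the raw TCP option bytes a segment would carry, and decodes them back, so you can see what each token produces on the wire. Layouts follow RFC 793 (NOP, EOL, MSS), RFC 1323 (window scale, timestamps) and RFC 2018 (SACK-permitted); that "?n" is emitted as kind n with length 2 and no data, and that "T" takes the tsval argument, are both assumptions of this example.

```python
"""Encode/decode IceScan-style --tcp-options strings (added example)."""
import struct
from typing import List, Tuple


def encode_tcp_options(spec: str, tsval: int = 0x12345678) -> bytes:
    """Turn e.g. "M1460,S,T,N,W7" into the TCP option bytes, padded to 32 bits."""
    out = bytearray()
    for tok in [t.strip() for t in spec.split(",") if t.strip()]:
        if tok == "N":                                  # NOP: kind 1, 1 byte
            out += b"\x01"
        elif tok == "E":                                # EOL: kind 0, 1 byte
            out += b"\x00"
        elif tok == "S":                                # SACK-permitted: kind 4, len 2
            out += b"\x04\x02"
        elif tok == "T0":                               # timestamp with TSval = TSecr = 0
            out += struct.pack("!BBII", 8, 10, 0, 0)
        elif tok == "T":                                # timestamp with the given TSval
            out += struct.pack("!BBII", 8, 10, tsval & 0xFFFFFFFF, 0)
        elif tok.startswith("M"):                       # MSS: kind 2, len 4, 16-bit value
            mss = int(tok[1:])
            if not 0 <= mss <= 0xFFFF:
                raise ValueError(f"MSS out of range: {tok}")
            out += struct.pack("!BBH", 2, 4, mss)
        elif tok.startswith("W"):                       # window scale: kind 3, len 3
            shift = int(tok[1:])
            if not 0 <= shift <= 14:                    # RFC 1323 caps the shift at 14
                raise ValueError(f"window scale out of range: {tok}")
            out += struct.pack("!BBB", 3, 3, shift)
        elif tok.startswith("?"):                       # assumption: kind n, len 2, no data
            kind = int(tok[1:])
            if not 0 <= kind <= 255:
                raise ValueError(f"option kind out of range: {tok}")
            out += bytes([kind, 2])
        else:
            raise ValueError(f"unknown TCP option token {tok!r}")
    while len(out) % 4:                                 # header must end on a 32-bit boundary
        out += b"\x00"
    if len(out) > 40:                                   # 4-bit data offset allows 60 - 20 bytes
        raise ValueError("TCP options exceed 40 bytes")
    return bytes(out)


def data_offset(options: bytes) -> int:
    """TCP data offset (header length in 32-bit words) for these options."""
    return 5 + len(options) // 4


def decode_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option list back into (kind, data) pairs; stops at EOL."""
    i, parsed = 0, []
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # EOL ends the list
            break
        if kind == 1:                                   # NOP has no length byte
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        parsed.append((kind, raw[i + 2:i + length]))
        i += length
    return parsed
```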

--badchksum (send packets with wrong TCP/UDP checksums)

The checksum field of all outgoing packets is filled with a random junk value.

Output options configure IceScan's output parameters, debugging and logs. Currently IceScan supports two output formats: normal (also known as "nmap-style") and grepable (useful for parsing with sed, awk, grep and other tools). Wherever you can set a filename, you can also use "-" to print the information to stdout.

-oI/-oG <filename> (output results in normal/grepable format to file)

IceScan's results will be written to the file (or to stdout) in the selected format. You can combine the options to output different formats into different files.

-oA <base_filename> (output in all formats at once)

IceScan's results will be written to the files base_filename.icescan (normal style) and base_filename.grep (grepable style).

-w <filename> (dump all received packets to file)

All received packets will be dumped to the tcpdump-format file specified by filename.

--packet-trace (print all packets that are sent and received)

Every received and sent packet/connection will be printed in tcpdump style. Incidentally, with this option you can easily use IceScan instead of tcpdump; just type:

  icescan -e <interface> -P0 -SP --packet-trace 0.0.0.0/0

--open (show only open/possibly open ports)

Only open (or possibly open, e.g. unfiltered) ports will be shown in the output port tables; other ports will be skipped.

-d<debug level> (set debug level)

Turns IceScan debug output on with the selected level. Levels from 1 to 9 are available.

-v[v[v[v]]] (verbose levels)

Sets IceScan's output verbosity level. Four levels are available. Setting the upper levels may fill your screen with MUCH useless and unimportant information, so be careful!

Miscellaneous IceScan options.

--uid0 (assume that the current user is fully privileged)

If you set this option, IceScan will work as if it had superuser privileges (e.g. root on *nix or Administrator on NT systems).

--uid1 (assume that the current user isn't fully privileged)

If you set this option, IceScan won't use any features that require superuser privileges.

-V/--version (print version information and exit)

IceScan will print its version information, information about the libraries used, and exit.

-? (help message)

Short crib sheet of all IceScan parameters and options.

Here are some examples of IceScan usage.

To collect information about all hosts in a network segment using the passive scan, use:

  icescan -n -v -SP -e <interface_number> 0.0.0.0/0

To list the available interfaces, simply type:

  icescan --list-interfaces

To scan a target in active mode with a FIN scan, type:

  icescan -SF <target_ip>

To use the OS fingerprinting feature in active scan mode, you can use:

  icescan -O -SS -v <target_ip>

IceScan is still under constant development, so it is possible that you will encounter a bug while using it. Please report bugs to <icescan-devs(at)lists.sourceforge.net> ( http://lists.sf.net/mailman/listinfo/icescan-devs ). Be sure to tell us:

1) Operating system and version (the command 'uname -sr' may tell you this, although on Linux systems it will probably tell you only the version number of the Linux kernel, not of the distribution as a whole; on Linux systems, please tell us both the version number of the kernel and which version of which distribution you're running).

2) Versions of libpcap, libdnet and libpcre, and a compressed config.log file.

3) Version of IceScan (the command 'icescan -V' will tell you, unless the bug is so severe as to prevent that from working; it should also tell you the libraries with which it was built).

4) The command you used to invoke IceScan, and the sequence of operations you performed that caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to send the trace file along with your bug description. Please don't send a trace file greater than 1 MB when compressed. If the trace file contains sensitive information (e.g. passwords), then please do not send it.

If IceScan died on you with a 'segmentation violation', 'bus error', 'abort', or other error that produces a UNIX core dump file, you can help the developers a lot if you have a debugger installed. A stack trace can be obtained by using your debugger ('gdb' in this example), the IceScan binary, and the resulting core file. Here is an example of how to use the gdb command 'backtrace' to do so:

  $ gdb icescan core
  (gdb) backtrace
  .... prints the stack trace
  (gdb) quit
  $

The core dump file may be named "icescan.core" rather than "core" on some platforms (e.g. BSD systems).

Alexander Bolshev [Key] <key(at)timeold.ru> (http://sf.net/projects/icescan). A big part of the work of bringing IceScan to life was also done by Konstantin Karpov [Q_] <q_(at)peterstar.ru>. See AUTHORS for more details and the names of the people who made contributions to IceScan or whose code/algorithms/etc. are implemented in IceScan.

<icescan-cvs(at)lists.sourceforge.net> -- IceScan CVS history. Here you can see the latest CVS patches and monitor the development process of IceScan.

<icescan-devs(at)lists.sourceforge.net> -- IceScan developers and users list. Write here if you want to propose a patch, ask for a wanted feature, or simply ask the developers about how IceScan works. Also send bug reports here if you find any. You can subscribe on the mailing lists page.

  Libpcap portable packet capture library
  PCRE library
  Libdnet
  arp-scan
  p0f

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. You should use this software only for LEGAL purposes. See COPYING for more details.