Darknet – Hacking Tools, Hacker News & Cyber Security


scanrand – Download Stateless TCP Scanner with Syn Cookies

December 10, 2007


Scanrand is an extremely quick and effective port scanner. It works by forking two distinct processes:

  • One to send the initial queries
  • One to receive the responses and reconcile them with the queries sent by the first process

This makes it extremely fast.

If you haven’t heard of the suite, Scanrand is one of the five tools in Paketto Keiretsu by Dan “Effugas” Kaminsky of Doxpara Research.

Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user. The only thing mandated is a target destination, which may be specified using either an FQDN (Fully Qualified Domain Name) or a numeric specification.

These numerics may employ any number of dashes, commas, or a combination thereof at the same time. For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine.
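The range notation in that example is worth seeing expanded, because the number of probes it generates is easy to underestimate. The following parser is an added example, not scanrand's own code; its grammar is inferred only from the single spec quoted above (dashes and commas inside each dotted octet field, an optional port field after a colon), so anything scanrand accepts beyond that, and the default port it uses when none is given, is an assumption here.

```python
import itertools
from typing import List, Sequence, Tuple

# Grammar inferred from the example "10.0.1-255.1-10,20:80,137-139" (assumption:
# scanrand's own parser may accept more than this).
#   target  := octet "." octet "." octet "." octet [ ":" field ]
#   octet   := field limited to 0-255
#   field   := element ( "," element )*
#   element := NUMBER | NUMBER "-" NUMBER


def expand_field(spec: str, lo: int, hi: int) -> List[int]:
    """Expand '1-10,20' into a sorted, de-duplicated list of ints within [lo, hi]."""
    values = set()
    for element in spec.split(","):
        element = element.strip()
        if not element:
            raise ValueError(f"empty element in field {spec!r}")
        if "-" in element:
            start_s, end_s = element.split("-", 1)
            start, end = int(start_s), int(end_s)
        else:
            start = end = int(element)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"range {element!r} is reversed or outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return sorted(values)


def parse_target(spec: str, default_ports: Sequence[int] = (80,)) -> Tuple[List[str], List[int]]:
    """Return (hosts, ports) for a scanrand-style target spec.

    Hosts are the Cartesian product of the four expanded octet fields; the port
    field after ':' is optional and falls back to default_ports (an assumption,
    scanrand chooses its own defaults).
    """
    host_spec, _, port_spec = spec.partition(":")
    octets = host_spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octet fields in {host_spec!r}")
    octet_values = [expand_field(octet, 0, 255) for octet in octets]
    hosts = [".".join(str(o) for o in combo) for combo in itertools.product(*octet_values)]
    ports = expand_field(port_spec, 1, 65535) if port_spec else list(default_ports)
    return hosts, ports


def probe_count(spec: str) -> int:
    """Number of (host, port) probes the spec expands to: a sanity check worth
    running before a scan touches anything."""
    hosts, ports = parse_target(spec)
    return len(hosts) * len(ports)


if __name__ == "__main__":
    example = "10.0.1-255.1-10,20:80,137-139"
    hosts, ports = parse_target(example)
    print(f"{example}: {len(hosts)} hosts x {len(ports)} ports = {probe_count(example)} probes")
    print("first host:", hosts[0], " last host:", hosts[-1], " ports:", ports)
```

The spec from the article expands to 255 x 11 = 2,805 hosts and 4 ports, so 11,220 SYNs; a reversed range or an octet above 255 is rejected rather than silently truncated.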

More ports will be scanned by default when scanning a single host than when scanning a network. Scanrand is also able to estimate the remote hop count by examining the TTLs of incoming packets.
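The two-process design above only works because the sender keeps no table of what it sent: the SYN's sequence number is a keyed hash (the "syn cookie" of the title) over the probe's identity, and the receiver recomputes it from the reply's addresses and checks it against ack - 1, which also lets it discard spoofed or unsolicited replies instead of recording them as results. The hop-count estimate then comes from the arriving TTL and the nearest common initial TTL. The simulation below is an added example, not scanrand's or Paketto's code; HMAC-SHA1 over "ip:port:srcport", the 64/128/255 initial-TTL guess, and the constructed TcpReply stand-in for a captured packet are all assumptions, and nothing here touches a network.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def cookie_isn(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> int:
    """Sequence number for the outgoing SYN: a keyed hash of the probe's identity.

    The sender can forget the probe as soon as it is on the wire, because a
    genuine reply carries this value back as ack - 1.  (The exact hash, key and
    input layout scanrand uses are not on the page; HMAC-SHA1 is an assumption.)
    """
    msg = f"{dst_ip}:{dst_port}:{src_port}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha1).digest()[:4], "big")


@dataclass
class TcpReply:
    """Constructed stand-in for the fields a receiver pulls off a captured packet."""
    src_ip: str      # the scanned host
    src_port: int    # the scanned port
    dst_port: int    # our source port, echoed back
    flags: str       # "SA" = SYN/ACK (open), "RA" = RST/ACK (closed)
    ack: int         # 32-bit acknowledgement number
    ttl: int         # IP TTL as it arrived


def estimate_hops(ttl: int) -> int:
    """Hop count from the arriving TTL, assuming the remote stack started at 64,
    128 or 255 (the common initial TTLs) and picking the smallest that fits."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"impossible TTL {ttl}")


def validate_reply(key: bytes, pkt: TcpReply) -> Optional[Dict[str, object]]:
    """Receiver side: accept a reply only if ack - 1 equals the cookie we would
    have put in a SYN to (pkt.src_ip, pkt.src_port) sent from pkt.dst_port.

    No table of sent probes is consulted; a spoofed or unsolicited reply fails
    the check and is dropped rather than polluting the results.
    """
    expected = cookie_isn(key, pkt.src_ip, pkt.src_port, pkt.dst_port)
    if (pkt.ack - 1) & MASK32 != expected:
        return None
    state = {"SA": "open", "RA": "closed"}.get(pkt.flags, "unknown")
    return {"host": pkt.src_ip, "port": pkt.src_port, "state": state,
            "hops": estimate_hops(pkt.ttl)}


def simulated_target(dst_ip: str, dst_port: int, src_port: int, isn: int,
                     open_ports: Tuple[int, ...], initial_ttl: int, hops: int) -> TcpReply:
    """Constructed target: answers a SYN with SYN/ACK or RST/ACK, ack = isn + 1,
    TTL decremented once per hop.  Stands in for a real network."""
    flags = "SA" if dst_port in open_ports else "RA"
    return TcpReply(dst_ip, dst_port, src_port, flags, (isn + 1) & MASK32, initial_ttl - hops)


def run_simulation(key: bytes, targets: List[Tuple[str, int]],
                   src_port: int = 40000) -> List[Dict[str, object]]:
    """Sender emits SYNs without keeping state; receiver reconciles whatever comes back."""
    replies: List[TcpReply] = []
    for ip, port in targets:                       # sender process: fire and forget
        isn = cookie_isn(key, ip, port, src_port)
        replies.append(simulated_target(ip, port, src_port, isn, open_ports=(22, 80),
                                        initial_ttl=64, hops=6))
    # Constructed stray SYN/ACK seen on the same interface: its ack carries no
    # valid cookie, so the receiver must ignore it.
    replies.append(TcpReply("10.0.0.99", 443, src_port, "SA", 0x12345678, 58))
    results = []
    for pkt in replies:                            # receiver process
        hit = validate_reply(key, pkt)
        if hit is not None:
            results.append(hit)
    return results


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for row in run_simulation(key, [("10.0.0.5", 22), ("10.0.0.5", 25), ("10.0.0.6", 80)]):
        print(row)
```

Because the key is per run and the reply must echo a 32-bit value derived from it, a host that answers with a wrong or guessed acknowledgement number is simply not counted; the same property is what makes the sender's memory footprint independent of how many SYNs are in flight.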

Note: to install scanrand you first need to install the libnet, libtomcrypt and libpcap tarballs provided with it.

It's a good alternative to nmap for certain purposes.

You can read a good article on Scanrand here:

Scanrand Dissected: A New Breed of Network Scanner

The article includes nmap vs scanrand.

You can download Scanrand here (as part of Paketto):

paketto-1.10.tar.gz

Or read more here.


Filed Under: Hacking Tools, Networking Hacking Tools Tagged With: dan-kaminsky, Network Hacking, port-scanner


Comments

  1. goodpeople says

    December 10, 2007 at 3:16 pm

    Nice tool to have next to nmap.

  2. mumble says

    December 10, 2007 at 3:29 pm

    Unless you’re trying to make someone’s IDS jack clear out of the rack and land in the sysadmin’s lap, speed is probably not your main concern. The correct hacking tool for this job is GNU screen. Start a screen session with a nice, slow, low-impact scan that won’t set off the IDS – then suspend the session and go make yourself something to eat and a fresh pot of coffee. Later, re-connect to the machine and pick up your results.

  3. net2004eng says

    December 10, 2007 at 3:42 pm

    Scanrand is a very fast scanner that has been around for a little while. This tool is integrated into the BiDiBLAH framework as well.

    @mumble

    I agree, I would think twice about using this scanner depending on what type of environment I am in – if I know there are IDS/IPSs deployed.

  4. midnitesnake says

    December 10, 2007 at 10:26 pm

    looks similar to synscan http://bindshell.net/tools/synscan

  5. Pantagruel says

    December 10, 2007 at 11:31 pm

    Like -Mumble- and the article comparing scanrand and nmap mention, if you want everything to light up like an X-mas tree, take scanrand. I did a run; it is hardly subtle and will point in the user's direction. But as with many tools, it sure is another useful addition to your toolbox, albeit one for the quick and dirty work.

  6. mumble says

    December 11, 2007 at 12:09 am

    This is a bit different from synscan. While they’re both half-open (syn) scanners, synscan doesn’t use the reverse syncookies approach. What would be an interesting hack for scanrand is to run the packet generator on one box, and the receiver on a different box. After all, you don’t actually have to receive the packets at all – just sniff them – so the dest. box doesn’t even have to be involved – it just has to be on the same lan segment as the destination. ARP ARP :-)

  7. dirty says

    December 11, 2007 at 5:17 am

    -T 5 in nmap will also wake the neighbors too… the speed function is more for internal testing where it’s known you are testing… @mumble – definitely agree, slow and easy is the way for malicious/sneaky probes…

    Definitely a good addition to the toolbox though….

  8. Sir Henry says

    December 14, 2007 at 4:53 pm

    My question is how the sys packets look to the firewall or IDS compared to those sent during a normal handshake? I have read that the syn packets being sent from different scanners are crafted differently than those sent during a legitimate handshake.

  9. net2004eng says

    December 14, 2007 at 5:10 pm

    @Sir Henry

    Isn’t the goal of sending a syn scan to elicit a response or no response from the end host? I know you can craft packets with hping, nemesis, etc.. but the goal here is typically different.

    In respect to the actual syn’s sent by nmap, scanrand, unicornscan, etc… I would inspect the packets with tcpdump/windump while they leave your machine, and take a look at the way they appear when they arrive at the destination. I know MS and Linux implement the tcp stack in different ways, and this very well could impact the way packets leave your machine, but that would be independent of the tool… Also, I know with snort, that it can identify what scanner you are using, but I think this is based off of a collection of multiple captures… if you send a single syn to one host, I don’t think Snort, nor any other IDS/IPS system, would be so sensitive to be able to tell you what tool is performing the scanning… and you wouldn’t want it to either (at least that might be way too sensitive for me)!

    This being said, I’m not an IDS/IPS expert by any means…

  10. Sir Henry says

    December 14, 2007 at 5:33 pm

    Nor would I proclaim expertise in the ways of IDS/IPS. I do know, however, that if I am sending a SYN packet, I do not want there to be a false negative or drop from the FW because it is crafted in a way that can be detected as a scanner packet. With my SYN scan, I would want to know which hosts are truly alive and not just dropping because they know I am scanning and not embarking on a true SYN request. So, although I do agree with some points, my point is to know that my scan is obtaining all information available and not experiencing false negatives.

  11. goodpeople says

    December 17, 2007 at 11:29 am

    Different target OSes have different responses. You can never be sure that you don’t have false positives or negatives.

  12. Sir Henry says

    December 17, 2007 at 11:35 am

    I agree, goodpeople, but my interest is eliminating a potential for a false negative as much as I can. Just one example of that is to simply make sure that my probes are going out in the same way a legitimate connection probe would. I would hate to be doing consulting work for a firm and realize only after the fact that, had I crafted the packets in a different way than how they are sent from a scanner, I might have gotten different, perhaps more sensitive, responses.

  13. mumble says

    December 17, 2007 at 12:12 pm

    It would have to be a pretty tight environment for the admin to get away with using a passive OS-specific firewall rule on a box. I do know that OpenBSD’s PF firewall can do it, but very few people would. Too high a probability of running into one or two machines which are running an odd OS version and flag incorrectly.

    When NMAP is running as root, it can be set up to use direct packet injection. It does so by default on windows boxes to get around the WinXP-SP2 raw sockets disabled problem. If NMAP’s packet structure is a problem, it really wouldn’t be all that hard to make it look like anything you want it to.

    As the cook says, “Use the Sauce…”

  14. mumble says

    December 17, 2007 at 12:22 pm

    Thinking about this in slightly more depth — there’s probably a good article in this for Phrack or 2600… Especially if you can identify the scanner’s signature well enough that the false positive rate is down in the noise.

    I know that you can immediately forget about the idea of detecting the difference between a “Connect” scan and the real deal, because the scanners all use the OS connect() implementation, as far as I know. Fin and Xmas-tree scans are easy to see on a stateful inspection firewall, and most will just drop the packet. (PF, for example, will happily drop it on the floor…) I’ll have to set up a few boxes and see what happens.

  15. Sir Henry says

    December 17, 2007 at 2:08 pm

    @mumble:

    Your last comment is exactly that of which I am speaking. Let me know what you find out with your testing. I would be very interested to find out the results.

  16. mumble says

    December 17, 2007 at 3:11 pm

    @Sir Henry
    Drop me a line. GPG Key ID: D005B227. You can use the email address on the keyserver. I’d post it here, but…spambots.

  17. Sir Henry says

    December 17, 2007 at 3:39 pm

    @mumble:

    Will do. It would be cool to work on something like this with you.

  18. eM3rC says

    January 6, 2008 at 10:14 pm

    I would personally prefer nmap over scanrand but very nice post.

    @Sir Henry and mumble

    It would be awesome to hear what you guys come up with.
