Sunday, January 9, 2011

Installing Unicornscan on a current Ubuntu Distro

So get unicornscan from here: the current version I could find is 0.4.7

you'll need some dependencies

apt-get install flex bison

apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

* you may need texlive-extra-utils if you are on a headless system like slicehost or linode; otherwise it will bomb out when it tries to make the documentation :-(

apt-get install texlive-extra-utils

Fix up the weird lib issues (see the bottom for where I got this):

blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

blah@blah:$ for i in $(find ./ -type f -exec grep -l 'ldnet' '{}' \;); do sed -i.bak -e 's/ldnet/ldumbnet/g' "$i"; done

apply this patch

./configure CFLAGS=-D_GNU_SOURCE
make install

after that it would compile and run.

I did have to really crank down the pps to get it to actually run; the default is 300 and I had to use around 75-100

sudo unicornscan -m U -Ir 75 --show-errors -v

Let's test ...

Host #1

sudo unicornscan -m U -Ir 75 -v

adding mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 75
using interface(s) eth0

UDP open domain[ 53] from ttl 50
UDP open netbios-ns[ 137] from ttl 50
UDP open unknown[51468] from ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to> (1 hosts)
[*] Discovered NTP on (NTP v4)
[*] Discovered NetBIOS on (INEEDAFW01:<00>:U :INEEDAFW01:<03>:U :INEEDAFW01:<20>:U :__MSBROWSE__:<01>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :WORKGROUP:<00>:G :00:00:00:00:00:00)
[*] Discovered DNS on (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU
53/udp open domain
69/udp open|filtered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm

* took approx 13 min for results

Host #2

sudo unicornscan -m U -Ir 75 -v
UDP open sunrpc[ 111] from ttl 50
UDP open shilp[ 2049] from ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to> (1 hosts)
[*] Discovered Portmap on (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(35483), 100024 v1 TCP(34855), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(51021), 100021 v3 UDP(51021), 100021 v4 UDP(51021), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(32771), 100021 v3 TCP(32771), 100021 v4 TCP(32771), 100005 v1 UDP(54730), 100005 v1 TCP(50729), 100005 v2 UDP(54730), 100005 v2 TCP(50729), 100005 v3 UDP(54730), 100005 v3 TCP(50729))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU -v
111/udp open rpcbind
639/udp open|filtered unknown
2049/udp open nfs

* took approx 14 min

Quick notes:
unicornscan sucks for NTP; the metasploit udp_sweep is better. Even though port 123 is in the scan list, unicornscan fails to locate NTP servers.

you'll probably want to add some ports to the UDP section of the /usr/local/etc/unicornscan/unicorn.conf file, namely 1434, 1604, 5093, & 523, to be consistent with what metasploit is sending probes for.

you may also want to update the ports list in the above folder to be less stupid as well.

In this case nmap gave consistent results, it just took forever.
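To make the side-by-side comparison above mechanical, here is an added example (not code from the original post): it parses the unicornscan and nmap output formats shown for Host #1 and reports which UDP ports each tool saw that the other did not, so a gap like the missed NTP port stands out. The sample output is transcribed from the scans above, and the `unknown` service name and nmap's `open|filtered` state are taken as the tools print them.

```python
import re

# Constructed sample input, transcribed from the Host #1 scans on this page.
UNICORNSCAN_OUT = """\
UDP open domain[ 53] from ttl 50
UDP open netbios-ns[ 137] from ttl 50
UDP open unknown[51468] from ttl 50
"""

NMAP_OUT = """\
53/udp open domain
69/udp open|filtered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
"""

# unicornscan: "UDP open <service>[ <port>] from ttl <n>"
UNI_RE = re.compile(r'^UDP\s+open\s+(\S+?)\[\s*(\d+)\]\s+from ttl\s+(\d+)')
# nmap -sU: "<port>/udp <state> <service>", state is open or open|filtered
NMAP_RE = re.compile(r'^(\d+)/udp\s+(open(?:\|filtered)?)\s+(\S+)')


def parse_unicornscan(text):
    """Return {port: service} for every 'UDP open' line unicornscan printed."""
    found = {}
    for line in text.splitlines():
        m = UNI_RE.match(line.strip())
        if m:
            found[int(m.group(2))] = m.group(1)
    return found


def parse_nmap(text, include_filtered=False):
    """Return {port: service}. open|filtered lines are skipped by default,
    since nmap could not distinguish an open port from a silent one."""
    found = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m and (include_filtered or m.group(2) == 'open'):
            found[int(m.group(1))] = m.group(3)
    return found


def compare(uni, nmap):
    """Ports both tools agree on, plus what each tool found that the other missed."""
    u, n = set(uni), set(nmap)
    return {'both': sorted(u & n),
            'unicornscan_only': sorted(u - n),
            'nmap_only': sorted(n - u)}


if __name__ == '__main__':
    result = compare(parse_unicornscan(UNICORNSCAN_OUT), parse_nmap(NMAP_OUT))
    for key, ports in result.items():
        print(f'{key}: {ports}')
```

On the Host #1 data the `nmap_only` list is `[123]`, the NTP miss noted above, while `unicornscan_only` holds the high port nmap's default list never probed.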

compile stuff from here:


Erwin said...

The fact that version 0.4.7 does not detect the ntp services is because it sends an ntp readlist packet, which many ntp servers do not allow or respond to. Instead a normal ntp time request should be sent.

The speed problems are new to me, as Unicornscan is known for its high scanning speed.

As you might know, the original author (Jack C. Louis) of Unicornscan was killed in a fire accident in his house almost two years ago. Since I already had contact with both Robert and Jack about some patches I had written for Unicornscan, Robert asked me if I would integrate those patches and maybe continue development together with some other people. Unfortunately that never really happened, but I've integrated some patches in SVN, which you can find over here:

CG said...

I'm sure the speed is because it's been tested in virtual environments and the virtual nic probably doesn't like all the traffic, but that's just a WAG.

thanks for the link to the svn, I'll check it out.

even cranked down, it's still significantly faster than nessus

Anonymous said...

.... or you could just use nmap.

kingthorin said...

Ya, I'm with Anonymous, why would you bother with Unicornscan these days?