📌 Purpose
Learn how to use Unicornscan — a high-performance asynchronous port scanner — for advanced network reconnaissance, stealth scans, and OS fingerprinting. Includes real command outputs, PCAP logging, and a full lab scenario.
🚀 Introduction
When you need blazing-fast port scans, TTL-based OS detection, or stealthy TCP/UDP reconnaissance, Unicornscan shines. Included in Kali Linux, this powerful tool delivers performance Nmap sometimes can’t match on large-scale or noisy networks.
In this guide, we’ll cover:
- ✅ How Unicornscan works
- ✅ Real usage examples with output
- ✅ A practical scenario with analysis
🔧 Installation & Setup
Unicornscan is preinstalled in Kali Linux. To verify or reinstall it:
sudo apt update
sudo apt install unicornscan -y
unicornscan --version
To view all options:
unicornscan -h
🧪 Scan Syntax & Modes
Basic Format:
unicornscan [options] <target[:ports]>
Option | Description |
---|---|
-mT | TCP scan |
-mU | UDP scan |
-r <rate> | Packets/sec (stealth/speed tuning) |
-I | Immediate display (streamed output) |
-v | Verbose |
-eosdetect | TTL-based OS detection |
-w | Save responses to PCAP |
⚡ Common Scan Examples (with Output)
🔹 1. Basic TCP SYN Scan
sudo unicornscan 172.16.215.132
📥 Output:
TCP open http[ 80] from 172.16.215.132 ttl 128
TCP open epmap[ 135] from 172.16.215.132 ttl 128
TCP open netbios-ssn[ 139] from 172.16.215.132 ttl 128
TCP open microsoft-ds[ 445] from 172.16.215.132 ttl 128
🧠 Insight: Host is running Windows services like NetBIOS and SMB.
🔹 2. UDP Port Check
sudo unicornscan -mU -r200 -I 192.168.100.1:53
📥 Output:
UDP open domain[ 53] from 192.168.100.1 ttl 128
🧠 Insight: DNS service active on UDP port 53.
🔹 3. Multi-Port Subnet Scan
sudo unicornscan -r500 -mT 192.168.100.1/24:80,443,445,339
📥 Output (sample):
TCP open http[ 80] from 192.168.100.5 ttl 64
TCP open microsoft-ds[ 445] from 192.168.100.5 ttl 128
🧠 Insight: Host is dual-serving HTTP and SMB.
🔹 4. TCP + OS Detection + Logging
sudo unicornscan -r200 -Iv -eosdetect -mT 172.16.215.1:3306,80,443
📥 Output:
TCP open 172.16.215.1:80 ttl 64
TCP open 172.16.215.1:3306 ttl 64
OS `Linux'
🧠 Insight: Detected MySQL and web server; TTL suggests a Linux host.
🧑‍💻 Real-World Scenario: Internal Reconnaissance
🎯 Goal
Identify web, SSH, and MySQL services in 192.168.50.0/24, store logs for analysis, and detect operating systems.
🧵 Command
sudo unicornscan -r300 -Iv -eosdetect -mT 192.168.50.0/24:22,80,443,3306 -w scan_results.pcap
- -r300 → Control scan speed
- -eosdetect → TTL-based OS guessing
- -w → Save PCAP for Wireshark
📥 Sample Output:
TCP open 192.168.50.10:22 ttl 64 OS `Linux'
TCP open 192.168.50.10:80 ttl 64 OS `Linux'
TCP open 192.168.50.15:443 ttl 128 OS `Windows'
TCP open 192.168.50.20:3306 ttl 64 OS `Linux'
🧠 Analysis Table
IP | Ports | OS Guess |
---|---|---|
192.168.50.10 | 22, 80 | Linux |
192.168.50.15 | 443 | Windows |
192.168.50.20 | 3306 | Linux |
📊 Open the capture in Wireshark to verify TTL, TCP flags, and handshake behavior:
wireshark scan_results.pcap
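The analysis table above can be built from the scan output instead of by hand. The following is an added example, not code from the original post or from Unicornscan: a Python parser for the two output line shapes shown on this page. The sample lines, the `inventory` and `initial_ttl` names, and the 64/128/255 initial-TTL mapping are assumptions made for this example, and it goes one step beyond the page by rounding observed TTLs up to an initial value and flagging hosts whose ports answer with different TTL classes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two output shapes shown on this page.
SAMPLE = """\
TCP open http[ 80] from 192.168.100.5 ttl 64
TCP open microsoft-ds[ 445] from 192.168.100.5 ttl 128
TCP open 192.168.50.10:22 ttl 64 OS `Linux'
TCP open 192.168.50.10:80 ttl 61
TCP open 192.168.50.15:443 ttl 128 OS `Windows'
UDP open domain[ 53] from 192.168.50.1 ttl 255
this is not a result line and is skipped (constructed)
"""

# Shape A: "TCP open http[ 80] from 10.0.0.1 ttl 64"
RE_NAMED = re.compile(r"^(TCP|UDP) open\s+\S+\[\s*(\d+)\]\s+from\s+(\S+)\s+ttl\s+(\d+)")
# Shape B: "TCP open 10.0.0.1:80 ttl 64 OS `Linux'"
RE_ADDR = re.compile(r"^(TCP|UDP) open\s+([\d.]+):(\d+)\s+ttl\s+(\d+)")
# Assumption: common initial TTLs; an observed TTL is the initial value minus hop count.
OS_BY_INITIAL_TTL = {64: "Linux/Unix", 128: "Windows", 255: "network device/other"}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial TTL."""
    return next((base for base in sorted(OS_BY_INITIAL_TTL) if observed <= base), 255)

def inventory(text):
    """Group open ports per host and derive a TTL-based OS guess."""
    seen = defaultdict(lambda: {"ports": set(), "ttls": set()})
    for line in map(str.strip, text.splitlines()):
        if m := RE_NAMED.match(line):
            proto, port, ip, ttl = m.groups()
        elif m := RE_ADDR.match(line):
            proto, ip, port, ttl = m.groups()
        else:
            continue  # banner, status or malformed line
        seen[ip]["ports"].add((proto, int(port)))
        seen[ip]["ttls"].add(initial_ttl(int(ttl)))
    result = {}
    for ip, host in seen.items():
        ttls = sorted(host["ttls"])
        # Mixed TTL classes on one IP make a single guess unreliable, so flag it.
        guess = OS_BY_INITIAL_TTL[ttls[0]] if len(ttls) == 1 else f"ambiguous {ttls}"
        result[ip] = {"ports": sorted(host["ports"]), "os": guess}
    return result

if __name__ == "__main__":
    print("IP | Ports | OS Guess |\n---|---|---|")
    for ip, h in sorted(inventory(SAMPLE).items()):
        print(f"{ip} | {', '.join(f'{p}/{n}' for p, n in h['ports'])} | {h['os']} |")
```

A host reported as ambiguous is worth checking in the PCAP, since the per-port TTLs there show which responses came from a different stack or path.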
🧠 Pro Tips
- Use lower -r values on sensitive networks to avoid IDS detection.
- Combine with -mTsFPU for Xmas-style stealthy probes.
- Always log scans using -w for offline analysis.
- Compare results with Nmap or Masscan for confirmation.
🧰 Final Cheat Sheet
Use Case | Command |
---|---|
Basic SYN Scan | unicornscan 10.0.0.5 |
UDP Service Detection | unicornscan -mU -r200 -I 10.0.0.5:53 |
Subnet Multi-Port Scan | unicornscan -r500 -mT 10.0.0.0/24:80,443 |
OS Detection + Logging | unicornscan -eosdetect -mT -w file.pcap target:ports |
🧩 Conclusion
Unicornscan is a powerful asset in your recon toolkit. While Nmap offers versatility, Unicornscan excels when speed, stealth, and TTL-based OS fingerprinting matter.
✍️ By Rajkumar Kumawat