{"id":113,"date":"2006-09-14T23:35:42","date_gmt":"2006-09-14T23:35:42","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=113"},"modified":"2011-08-31T16:18:03","modified_gmt":"2011-08-31T16:18:03","slug":"yapscan","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/tools\/misc\/yapscan","title":{"rendered":"yapscan"},"content":{"rendered":"
<p>TCP half-open port scanner / fast ICMP scanner. Some limited support for UDP scans too. It's beta, but still kinda useful.</p>

<p>Download Yapscan v0.7.4-beta as tar.gz. Recent changes are detailed in the CHANGELOG.</p>

<p>Update: You're better off using the SVN copy on google code. It's more up to date.</p>

<p>MD5 and SHA1 checksums for the packages can be downloaded. They're based on the package name (below, v.v.v represents the version, e.g. 0.6.1):</p>

<pre>
http://pentestmonkey.net/tools/yapscan/yapscan-v.v.v-beta.tar.gz.md5
http://pentestmonkey.net/tools/yapscan/yapscan-v.v.v-beta.tar.gz.sha1
</pre>

<p>User documentation is also available in PDF format.</p>

<h1>Yapscan User Documentation</h1>

<h2>Contents</h2>

<ul>
<li>Overview</li>
<li>License</li>
<li>Installation</li>
<li>Features</li>
<li>Yapscan Output</li>
</ul>

<h1>Overview</h1>

<p>Yapscan is primarily a half-open TCP port scanner and ICMP scanner. It has a few other uses too. These are explained more fully in the "Features" section below.</p>

<h1>License</h1>

<p>This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.</p>

<p>In all other respects the GPL version 2 applies:</p>

<pre>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
</pre>

<h1>Installation</h1>

<p>If you have a Linux system, with any luck the installation will just work. Other systems are not supported at this time.</p>

<h2>Quick Start</h2>

<p>Firstly, go and download the latest tarball of yapscan from http://pentestmonkey.net if you haven't already.</p>

<pre>
su -
cd /usr/local/src
tar xfz yapscan-X.Y.tar.gz
cd yapscan-X.Y
make
make install
</pre>

<h2>Trouble Shooting</h2>

<p>Yapscan should install on most flavours of Linux. I've tried it on Gentoo using gcc v3.3.x, 3.4.x and 4.1.x (both x86 and AMD64) and Debian "Testing" using gcc-4.1.2. I think I've ironed out any bugs which stop compilation. That said, you're reading this section, so I guess something went wrong...</p>

<p>Any installation problems will be the result of either missing header files, missing libraries or my dodgy code. Whatever the cause, I'd like to make sure that this section covers the problem (or that I fix any dodgy code). If you run into problems and the notes below don't help, please email me at the address on the first page.</p>

<p>Yapscan depends on libpcap to capture reply packets, so firstly make sure you've installed it. On Gentoo the package is called "libpcap"; on Debian it's "libpcap-dev" (the version that includes the header files).</p>

<p>Linking against OpenSSL is also recommended because it speeds up scanning. Installation is still possible if you can't install OpenSSL: there's a workaround below. The OpenSSL package on Gentoo is called "openssl"; on Debian it's "openssl-dev".</p>

<p>If installing these dependencies doesn't solve your problem, mail me and I'll try to help.</p>

<h2>Workaround For Missing OpenSSL Libraries</h2>

<p>Open up "Makefile" in your favourite text editor and change this bit:</p>

<pre>
# OpenSSL's MD5 library speeds up scanning. If you have openssl installed, do this:
DEFINES=-DHAVE_LIBCRYPTO ${DEBUGDEFINES}
LDLIBS=-lpcap -lcrypto

# Otherwise do this:
# DEFINES=${DEBUGDEFINES}
# LDLIBS=-lpcap
</pre>

<p>to:</p>

<pre>
# OpenSSL's MD5 library speeds up scanning. If you have openssl installed, do this:
# DEFINES=-DHAVE_LIBCRYPTO ${DEBUGDEFINES}
# LDLIBS=-lpcap -lcrypto

# Otherwise do this:
DEFINES=${DEBUGDEFINES}
LDLIBS=-lpcap
</pre>

<p>Then try to compile again:</p>

<pre>
make clean
make
make install
</pre>

<h1>Features</h1>

<h2>TCP SYN Scanning</h2>

<p>Also known as half-open scanning.</p>

<p>On an internal network you probably just want to see the open ports. Here are some examples of how to specify hosts and ports:</p>

<pre>
# yapscan -sS 192.168.0.1-254 -p 1-1024
# yapscan -sS 10.0.0.1-10.0.255.255 -p 21,22,23,53,80,139,445,3389
# yapscan -sS 172.16.0.0/16 -p 80
# yapscan -sS -f targets-ips.txt -p 4444
</pre>

<p>From an external network, you might also want to see the closed ports (-c):</p>

<pre>
# yapscan -sS www.example.com -p 1-65535 -c
</pre>

<p>You can scan just the common ports (using a portlist derived from nmap):</p>

<pre>
# yapscan -sS 127.0.0.1 -i lo -P common
</pre>

<p>(Supported keywords are based on the filenames that ship with yapscan. As of v0.5.5-beta there are: all, known, common, database.)</p>

<p>Note that we needed to specify a different interface to listen for replies on (the default is eth0).</p>

<p>Specify ports using names as well as numbers (from /etc/services):</p>

<pre>
# yapscan -sS router -i eth1 -p telnet,80,443,ssh,6000-6063
</pre>

<p>Or specify your own port list (1 port per line):</p>

<pre>
# yapscan -sS -f mytargets.txt -P myports.txt
</pre>

<p>You can do "-p -" like in nmap too if you want to scan 1-65535:</p>

<pre>
# yapscan -sS -f mytargets.txt -p -
</pre>

<p>I've also implemented the exotic types of scan like Xmas tree, null, etc. These aren't particularly well tested as of v0.5.5-beta. See the help message for more info: yapscan -h</p>

<p>Also see "Scanning Speed" and "Retries" near the end of this section. In particular, make sure you specify a low speed for remote testing (e.g. -b 32k).</p>

<h2>(Limited) UDP Port Scanning</h2>

<p>This scan mode is designed to answer the question "Does host X have any closed UDP ports?", i.e. does it reply with an ICMP Port Unreachable for probes sent to one or more of its UDP ports.</p>

<p>This type of scan will (unfortunately) not tell you all the open UDP ports.</p>

<p>I use this mainly for scanning firewalled hosts which I'm pretty sure won't have any closed UDP ports.</p>

<p>Yapscan sends empty UDP packets to a range of ports at a steady (usually quite fast) rate. It will report any ICMP port unreachable messages it receives.</p>

<pre>
# yapscan -su router -i eth1 -p 1-65535
</pre>

<p>If you receive no replies then you know there are no closed UDP ports.</p>

<p><strong>IMPORTANT NOTE:</strong> If you receive 1 or more ICMP port unreachable error messages, you cannot infer that these are the only closed ports. Yapscan does not back off intelligently like nmap, so a host which limits the rate at which it sends ICMP errors will (falsely) appear to have fewer closed ports.</p>

<h2>ICMP Scanning</h2>

<p>Yapscan can perform the following types of ICMP sweeps:</p>

<ul>
<li>Echo request (-t echo)</li>
<li>Address mask request (-t addr)</li>
<li>Information request (-t info)</li>
<li>Timestamp request (-t time)</li>
</ul>

<p>You can perform 1 or more types of scan at once:</p>

<pre>
# yapscan -sI 10.0.0.0/16 -t echo
# yapscan -sI 10.0.0.0/16 -t echo -t addr
# yapscan -sI 10.0.0.0/16 -t info
# yapscan -sI 10.0.0.0/16 -t time
# yapscan -sI 10.0.0.0/16 -t -
</pre>

<p>The last example will scan all supported ICMP types.</p>

<p>As of v0.5.5-beta yapscan is also able to send Router Solicitations, but it won't report replies, so this 5th type isn't much use at present.</p>

<h2>Scanning Speed</h2>

<p>Yapscan scans at a steady (and configurable) speed. You can get an ETA on your scan by pressing Enter during the scan.</p>

<p>As of v0.4.9-beta yapscan will never underestimate the remaining scan time, though it can overestimate it under certain conditions.</p>

<p>By default yapscan scans at 1000000 bits/second. Unless you have a fast link, understanding clients, or both, I suggest you only use the default for LAN testing. I wouldn't recommend going much above 2Mb/s for reliability / DoS reasons, but you can try it if you like:</p>

<pre>
# yapscan -sS -p - 192.168.0.1-14 -b 4M
</pre>

<p>WAN testing is probably better done at a more sociable speed like 64Kb/s:</p>

<pre>
# yapscan -sS -p - www.example.com -b 64k
</pre>

<p>Obviously, if the scan rate is set higher than either your upstream bandwidth or the client's downstream bandwidth, packets will be dropped and the reliability of the scan reduced.</p>

<h2>Retries</h2>

<p>Reliability is obviously paramount during pentests, so the use of retries is encouraged. ICMP scans do 2 retries by default (a total of 3 tries in all). TCP and UDP only do 1.</p>

<p>For an even more reliable ICMP scan you could do:</p>

<pre>
# yapscan -sI -r 5 myhost -t -
</pre>

<p>A TCP scan would be made more reliable by:</p>

<pre>
# yapscan -sS -r 2 myhost -p -
</pre>

<h1>Yapscan Output</h1>

<h2>Scan Information</h2>

<p>The first thing you see when you run yapscan is the "Scan Information" section. This section summarises the parameters for the scan. I included this basically so that when I looked back over my scan results I had some idea of what I'd scanned.</p>

<p>The output looks slightly different for the various scan types.</p>

<pre>
----------------------------------------------------------
|                    Scan Information                    |
----------------------------------------------------------
Target count: ...... 1
Interface: ......... lo
Bandwidth limit: ... 1000000 bits/sec
Source address: .... 127.0.0.1
RTT: ............... 0.950000 secs
Tries: ............. 3
ICMP Probe Types: .. 8 (ECHO_REQUEST)
</pre>

<h2>Scan Start and End Times</h2>

<p>The start and end times are included to provide a record of when the scan was done.</p>

<pre>
######## Scan started at 2006-10-22 20:37:26 +0000 #########
...
####### Scan completed at 2006-10-22 20:37:27 +0000 #########
</pre>

<h2>TCP Scanning</h2>

<p>Below is the output of a fictional TCP SYN scan run with the -c option to show closed ports as well as open ones (so I can illustrate some fields not always shown in the output).</p>

<pre>
10.0.1.1:25 smtp Len=46 TTL=19 IPID=0 FLAGS=_AR_____ SEQ=0x00000000 ACK=0x4e5d5003 WIN=0 DATA="rctcpoy"
10.0.2.2:80 http Len=46 TTL=21 IPID=0 FLAGS=_AR_____ SEQ=0x00000000 ACK=0x0b712500 WIN=0 DATA="rctcpo"
10.0.3.3:53 domain Len=44 TTL=64 IPID=0 FLAGS=SA______ SEQ=0xd1183250 ACK=0x17f67482 WIN=32792
10.0.4.4:1999 tcp-id-port Len=40 TTL=59 IPID=43634 FLAGS=_AR____C SEQ=0x00000000 ACK=0x28f45290 WIN=0
10.0.5.5:1999 tcp-id-port Len=45 TTL=244 IPID=22340 FLAGS=_AR_____ SEQ=0x00000000 ACK=0xab7e84c2 WIN=0 DATA="cisco"
</pre>

<p>We'll use the first reply to quickly cover most of the generic fields, then we'll look at some of the interesting ones.</p>