Detailed option descriptions
----------------------------
-?, -h
Shows the usage of the program as in the above text.
-a
Appends the program output to the text file given in the "-o" option.
-b
Attempts to read the responses (banners) from the scanned ports and displays the results. If any part of the read text contains non-printable characters these will be shown using their hexadecimal values enclosed in square brackets, e.g. [0D][0A] for a CR LF pair. A maximum of 256 bytes is read.
-c
This is the connection timeout value for TCP ports and also the timeout value to wait for responses from UDP ports. For TCP scans, if no connection to the current port on the remote host has been made after this amount of time then it is assumed that the port is not open. For UDP scans, if no "ICMP destination port unreachable" message has been received from the remote host after this time has elapsed it is assumed that the port is active; a host or firewall that drops the probe or suppresses the ICMP reply therefore looks exactly like an open port. The default value for this setting is 600 ms. This number also represents the time to wait for data to be received when reading responses (the "-b" option) from the remote host.
-d
Specifies a delay (in milliseconds) between each port scanned. Use this option to perform a "drip" scan so as to help avoid detection by an IDS.
-e
Resolve IP addresses to hostnames. An attempt will be made to resolve the current IP address into a hostname and the name will be displayed next to the IP address in the output. This option is most useful when performing a ping scan of a range of IPs. It is NOT recommended for port scans, since the hostname will be resolved for every port on each IP scanned.
-f
Reads IP addresses from the given file. You can use the output file from a previous FScan session (if you used the "-o" option) as input for this switch; however, any text file that contains valid IP addresses or address ranges can be used. Essentially each line of the supplied file is treated in the same manner as it would be on the command line.
-i
Binds the local (source) port of the TCP connections used for scanning to the given port number. The usual reason to do this is a stateless packet filter between you and the target that permits traffic from a particular source port, e.g. 20 (FTP data) or 53 (DNS).
-l
Specifies a port list text file to read ports from. Ports in the file are given one list per line in the same format as on the command line, i.e. 79,80-88. If you need to use UDP ports then place a "-u" before the ports on that line, e.g. "-u130-140".
-n
Specifies that no port scanning will take place. If you do not specify the -q (quiet mode) option then using -n will ping each host. If you do use the -q option then no pinging will be done either. This is useful if you simply want to create a list of active hosts in a given IP range. Use the -e option if you want to resolve the active hosts into hostnames.
-o
Specifies a file that the output from the program is sent to. Note that output will also appear on the screen at the same time. If the file already exists it will be overwritten. If you want to append output to the file without overwriting it then use the "-a" option.
-p
TCP port numbers to scan. The port numbers can be single numbers separated by commas and/or port ranges separated by the "-" character. For example
FScan -p 60,70,80-100 10.1.2.3
would scan TCP ports 60, 70, and 80 through 100 inclusive. No spaces are allowed between any of the numbers or ranges.
-q
Tells FScan not to attempt to ping the host before scanning. By default FScan will ping each IP to be scanned before trying to port scan it, and if no ping response is received the IP address will be skipped. Using "-q" forces the program to scan the IP address without even attempting to ping it, which is what you want for hosts behind a filter that drops ICMP echo requests.
-r
Use this to randomize the order in which the ports will be scanned. Normally FScan will scan the provided ports in the order that they are given on the command line. By using the "-r" option the port numbers will be "shuffled" into a random order instead of being probed in ascending numerical sequence. This can help to some extent in avoiding detection by intrusion detection systems.
-t
Specifies the maximum time that the program waits for a response to a ping. If no ping reply is received after this amount of time the remote host will be regarded as "dead" and won't be scanned. The default value for this setting is 500 ms.
-u
UDP port numbers to scan. The port numbers can be single numbers separated by commas and/or port ranges separated by the "-" character. For example
FScan -u 68,69,130-140 10.1.2.3
would scan UDP ports 68, 69 and 130 through 140 inclusive. No spaces are allowed between any of the numbers or ranges.
Due to the nature of detecting open UDP ports (a port is reported open only because no "ICMP destination port unreachable" reply arrived within the "-c" timeout), UDP scanning can be prone to inaccuracies and is also much slower than TCP port scanning: a host that rate-limits its ICMP replies, or a firewall that drops the probe, makes closed ports look open, and every port that does not answer costs a full timeout. You should experiment with the "-c" timeout value until you receive satisfactory results.
-v
Verbose mode. Additional information will be shown if you set the program to verbose mode.
-z
FScan is a multi-threaded program. Each ping/scan/read combination is run in a separate thread to maximize efficiency. Some systems are capable of running many simultaneous threads with no problems. However, some OSs such as Windows 95/98 experience stability problems if you push the number of threads too high. Default values for this option are 64 threads for NT systems and 20 for Win 9x. It is not recommended that you use much more than the default setting for Win 9x, but NT may benefit from a higher number. The maximum number you can use is 256.
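The following is an added example, not FScan's own code, showing what the "-b" and "-c" options describe in working form: a TCP connect scan where one timeout bounds both the connect and the banner read, banner bytes rendered as printable text or [XX] hex, and a UDP probe that makes the "no ICMP unreachable means active" inference explicit. It assumes a Python 3 host with a working loopback interface; the SMTP-style banner and the port numbers in the demo are constructed for the example, and the ECONNREFUSED/WSAECONNRESET behaviour it relies on is that of the OS socket layer, not anything FScan documents.

```python
import socket
import threading


def render_banner(data: bytes, limit: int = 256) -> str:
    """Render a banner the way the -b option describes: at most `limit` bytes,
    printable ASCII shown as-is and every other byte as two hex digits in
    square brackets, so a CR LF pair comes out as [0D][0A]."""
    out = []
    for b in data[:limit]:
        out.append(chr(b) if 0x20 <= b <= 0x7E else f"[{b:02X}]")
    return "".join(out)


def tcp_connect_scan(host: str, port: int, timeout_ms: int = 600,
                     grab_banner: bool = False):
    """Connect scan of one port with the -c semantics: the same timeout bounds
    the connect and the banner read. Returns (state, banner_or_None)."""
    timeout = timeout_ms / 1000.0
    try:
        # create_connection leaves `timeout` set on the socket for recv too
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not grab_banner:
                return "open", None
            try:
                data = s.recv(256)          # -b reads at most 256 bytes
            except socket.timeout:
                data = b""                  # open, but nothing volunteered
            return "open", render_banner(data)
    except ConnectionRefusedError:
        return "closed", None               # an RST came back
    except OSError:                         # timeout, unreachable, ...
        return "not open", None             # FScan prints nothing here


def udp_probe(host: str, port: int, timeout_ms: int = 600) -> str:
    """UDP probe with the -c semantics. A connected UDP socket surfaces the
    ICMP port-unreachable as ECONNREFUSED (WSAECONNRESET on Windows); silence
    cannot distinguish an open port from a dropped probe or dropped reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_ms / 1000.0)
        s.connect((host, port))
        try:
            s.send(b"\x00")
            s.recv(1024)
            return "open"                   # an application actually answered
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"
        except socket.timeout:
            return "open|filtered"          # what FScan calls "active"


def start_banner_listener(banner: bytes) -> int:
    """Loopback TCP listener for the demo; sends `banner` once and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banner, not captured from any real host.
    port = start_banner_listener(b"220 mail.example.test ESMTP\r\n")
    print("tcp", port, tcp_connect_scan("127.0.0.1", port, grab_banner=True))
    print("udp 9", udp_probe("127.0.0.1", 9))   # closed on an idle host
    try:
        # TEST-NET address: nothing answers, so this is open|filtered
        print("udp silent", udp_probe("192.0.2.1", 53, 300))
    except OSError as e:
        print("udp silent: no route", e)
```

The UDP branch is the point of the "-u" caveat in this manual: "closed" is the only state the probe can actually prove, and the scanner's "-c" value is the price paid for every port that stays silent.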
IP addresses and hostnames
--------------------------
Any item on the command line that is not associated with a "-" character is assumed to be an IP address or hostname. The addresses can be single addresses separated by commas and/or IP ranges separated by the "-" character. For example
FScan -p 80 10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20
would scan TCP port 80 on the machines 10.1.2.3, 10.1.2.4 and 10.1.2.5 through 10.1.2.20 inclusive. No spaces are allowed between any of the numbers or ranges.
To make life easier you can also specify ranges in a number of ways:
10.1.2.2-254
would add all IPs from 10.1.2.2 to 10.1.2.254 inclusive.
10.1.2.2-3.254
would add all IPs from 10.1.2.2 to 10.1.3.254 inclusive.
Hostnames can be used in place of IP addresses, although obviously they do not make sense as part of an address range, e.g.
FScan -p 2-200 www.microsoft.com
All IP addresses that end in .0 or .255 will be ignored by FScan. This is a classful assumption: on subnets larger than a /24 such addresses can be ordinary hosts, and they will be left unscanned.
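As an added example (not FScan's own code), the parser below implements the target and port syntax described in this section and under "-p", "-u" and "-l": comma lists, "-" ranges, the shorthand range ends 10.1.2.2-254 and 10.1.2.2-3.254, the "-u" prefix on a port-file line, hostnames passed through whole, and the .0/.255 skip as a switchable rule. The function names are mine; the manual's own rules are the only input.

```python
import ipaddress
from typing import List, Tuple


def parse_ports(spec: str) -> List[int]:
    """Expand a -p/-u style list such as '60,70,80-100' in the order given.
    Spaces are rejected, matching the manual's 'no spaces' rule."""
    if not spec or " " in spec:
        raise ValueError(f"bad port list {spec!r}")
    ports: List[int] = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        first = int(lo)
        last = int(hi) if hi else first
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.extend(range(first, last + 1))
    return ports


def parse_port_line(line: str) -> Tuple[str, List[int]]:
    """One line of a -l port file: '79,80-88' is TCP, '-u130-140' is UDP."""
    line = line.strip()
    if line.startswith("-u"):
        return "udp", parse_ports(line[2:])
    return "tcp", parse_ports(line)


def complete_range_end(start: ipaddress.IPv4Address, end: str) -> ipaddress.IPv4Address:
    """Fill a shorthand range end from the start address: with start 10.1.2.2,
    '254' means 10.1.2.254 and '3.254' means 10.1.3.254; a full dotted quad
    is used unchanged."""
    tail = end.split(".")
    if not 1 <= len(tail) <= 4:
        raise ValueError(f"bad range end {end!r}")
    head = str(start).split(".")[: 4 - len(tail)]
    return ipaddress.IPv4Address(".".join(head + tail))


def parse_targets(spec: str, skip_net_and_bcast: bool = True) -> List[str]:
    """Expand the target list: single IPs, ranges in any of the manual's
    shorthand forms, and hostnames (passed through whole, since a hyphen in
    a hostname is not a range separator). With skip_net_and_bcast, addresses
    ending in .0 or .255 are dropped the way FScan drops them."""
    if not spec or " " in spec:
        raise ValueError(f"bad target list {spec!r}")
    targets: List[str] = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        try:
            start = ipaddress.IPv4Address(lo)
        except ipaddress.AddressValueError:
            targets.append(item)            # hostname: no range expansion
            continue
        end = complete_range_end(start, hi) if hi else start
        if end < start:
            raise ValueError(f"range {item!r} runs backwards")
        for n in range(int(start), int(end) + 1):
            addr = ipaddress.IPv4Address(n)
            if skip_net_and_bcast and addr.packed[3] in (0, 255):
                continue
            targets.append(str(addr))
    return targets


if __name__ == "__main__":
    print(parse_ports("60,70,80-100"))
    print(parse_port_line("-u130-140"))
    print(len(parse_targets("10.1.2.2-3.254")), "hosts in 10.1.2.2-3.254")
    print(parse_targets("10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20")[:5], "...")
```

Running it shows the cost of the .0/.255 rule directly: 10.1.2.2-3.254 expands to 507 hosts rather than 509, because 10.1.2.255 and 10.1.3.0 are dropped even though both are legitimate hosts on a 10.1.2.0/23.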
------------------------------------------------------------------------------
To best illustrate the use of FScan here are a series of examples.
Example #1:
Scan the machine at 10.0.2.2 for all TCP ports from 1 to 200.
FScan -p 1-200 10.0.2.2
-------------------
Example #2:
Scan machines from 10.0.2.2 to 10.0.2.254 for all TCP ports in the range 1 to 65535, sending the output to the file "out.txt".
FScan -p 1-65535 10.0.2.2-254 -o out.txt
-------------------
Example #3:
Scan machines from 10.0.2.2 to 10.0.2.20 for TCP ports 80, 81, 88, 8000 and 8080 and UDP port 31337 without pinging, and append the output to the file "out.txt".
FScan -aqp 80,81,88,8000,8080 -u 31337 10.0.2.2-20 -o out.txt
Notice the use of the combined options "aq" before the "p". This is perfectly legitimate.
-------------------
Example #4:
Scan machines 10.0.2.2 to 10.0.2.254 for TCP ports 21 and 25 and show the banner responses. Include extra output information.
FScan -vbp 21,25 10.0.2.2-254
-------------------
Example #5:
Scan machines 10.0.2.1 to 10.0.2.254 for TCP ports 1 to 65535, showing the banner responses and with a delay of 20 seconds between each port scan. Include extra output information.
FScan -vbp 1-65535 10.0.2.1-254 -d 20000
-------------------
Example #6:
Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning, only pinging. Resolve the IPs into hostnames.
FScan -ne 10.0.2.1-254
-------------------
Example #7:
Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning or pinging. Resolve the IPs into hostnames, which makes this a reverse DNS sweep of the range.
FScan -qne 10.0.2.1-254
=======================================================