------------------------------------------------------------------------------
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com
------------------------------------------------------------------------------

FScan is a command-line port scanner. It will scan for both TCP and UDP ports.

This is the usage line as reported by typing "FScan", "FScan -h" or "FScan -?"

  FScan [-abefhqnv?] [-cditz ] [-flo ] [-pu [,-]] IP[,IP-IP]

  -?/-h - shows this help text
  -a    - append to output file (used in conjunction with -o option)
  -b    - get port banners
  -c    - timeout for connection attempts (ms)
  -d    - delay between scans (ms)
  -e    - resolve IP addresses to hostnames
  -f    - read IPs from file (compatible with output from -o)
  -i    - bind to given local port
  -l    - port list file - enclose name in quotes if it contains spaces
  -n    - no port scanning - only pinging (unless you use -q)
  -o    - output file - enclose name in quotes if it contains spaces
  -p    - TCP port(s) to scan (a comma separated list of ports/ranges)
  -q    - quiet mode, do not ping host before scan
  -r    - randomize port order
  -t    - timeout for pings (ms)
  -u    - UDP port(s) to scan (a comma separated list of ports/ranges)
  -v    - verbose mode
  -z    - maximum simultaneous threads to use for scanning

Detailed option descriptions
----------------------------

-?/-h Shows the usage of the program as in the above text.

-a    Appends the program output to the text file given in the "-o" option.

-b    Attempts to read the responses from the scanned ports and displays the
      results. If any part of the read text contains non-printable characters
      these will be shown using their hexadecimal values enclosed in square
      brackets e.g. [0D][0A]. A maximum of 256 bytes is read.

-c    This is the connection timeout value for TCP ports and also the timeout
      value to wait for responses from UDP ports.
      For TCP scans, if no connection to the current port has been made to the
      remote host after this amount of time then it is assumed that there is no
      open port. For UDP scans, if no "ICMP destination port unreachable"
      message has been received from the remote host after this time has
      elapsed it is assumed that the port is active. The default value for this
      setting is 600 ms. This number also represents the time to wait for data
      to be received when reading responses from the remote host.

-d    Specifies a delay (in milliseconds) between each port scanned. Use this
      option to perform a "drip" scan so as to help avoid detection by an IDS.

-e    Resolve IP addresses to hostnames. An attempt will be made to resolve the
      current IP address into a hostname and the name will be displayed next to
      the IP address in the output. This option is most useful when performing
      a ping scan of a range of IPs. It is NOT recommended for port scans since
      the hostname will be resolved for every port on each IP scanned.

-f    Reads IP addresses from the given file. You can successfully use the
      output file from a previous FScan session (if you used the "-o" option)
      as input for this switch. However, any text file that contains valid IP
      addresses or address ranges can be used. Essentially it treats each line
      of the supplied file in the same manner as it would be treated on the
      command line.

-i    Binds the TCP ports used for scanning to the given local port number.

-l    Specifies a port list text file to read ports from. Ports in the file are
      in lines in the same format as specified on the command line i.e.
      79,80-88. If you need to use UDP ports then place a "-u" before the ports
      on the line e.g. "-u130-140".

-n    Specifies that no port scanning will take place. If you do not specify
      the -q (quiet mode) option then using -n will ping each host. If you do
      use the -q option then no pinging will be done. This is useful if you
      simply want to create a list of active hosts in a given IP range.
      Use the -e option if you want to resolve the active hosts into hostnames.

-o    Specifies a file that the output from the program is sent to. Note that
      output will also appear on the screen at the same time. If the file
      already exists it will be overwritten. If you want to append output to
      the file without overwriting it then use the "-a" option.

-p    TCP port numbers to scan. The port numbers can be single numbers
      separated by commas and/or port ranges separated by the "-" character.
      For example

        FScan -p 60,70,80-100 10.1.2.3

      would scan TCP ports 60, 70, and 80 through 100 inclusive. No spaces are
      allowed between any of the numbers or ranges.

-q    Tells FScan to not attempt to ping the host before scanning. By default
      FScan will ping each IP to be scanned before trying to port scan it. If
      no ping response is received the IP address will be skipped. Using "-q"
      forces the program to scan the IP address without even attempting to
      ping it.

-r    Use this to randomize the order that the ports will be scanned in.
      Normally FScan will scan the provided ports in the order that they are
      given on the command line. By using the "-r" option the port numbers will
      be "shuffled" into a random ordering, guaranteeing that no two port
      numbers are in ascending numerical sequence. This can help to some extent
      in avoiding detection by intrusion detection systems.

-t    Specifies the maximum time that the program waits for a response from a
      ping. If no ping reply is received after this amount of time the remote
      host will be regarded as "dead" and won't be scanned. The default value
      for this setting is 500 ms.

-u    UDP port numbers to scan. The port numbers can be single numbers
      separated by commas and/or port ranges separated by the "-" character.
      For example

        FScan -u 68,69,130-140 10.1.2.3

      would scan UDP ports 68, 69 and 130 through 140 inclusive. No spaces are
      allowed between any of the numbers or ranges.
      Due to the nature of detecting open UDP ports, UDP scanning can be prone
      to inaccuracies and is also much slower than TCP port scanning. You
      should play around with the "-c" connection timeout value until you
      receive satisfactory results.

-v    Verbose mode. Additional information will be shown if you set the
      program to verbose mode.

-z    FScan is a multi-threaded program. Each ping/scan/read combination is
      run in a separate thread to maximize efficiency. Some systems are capable
      of running many simultaneous threads with no problems. However, some
      OSes such as Windows 95/98 experience stability problems if you push the
      number of threads too high. Default values for this option are 64 threads
      for NT systems and 20 for Win 9x. It is not recommended you use much more
      than the default setting for Win 9x but NT may benefit from a higher
      number. The maximum number you can use is 256.

IP addresses and hostnames
--------------------------

Any item on the command line that is not associated with a "-" character is
assumed to be an IP address or hostname. The addresses can be single numbers
separated by commas and/or IP ranges separated by the "-" character. For
example

  FScan -p 80 10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20

would scan TCP port 80 on the machines 10.1.2.3, 10.1.2.4 and 10.1.2.5 through
10.1.2.20 inclusive. No spaces are allowed between any of the numbers or
ranges.

To make life easier you can also specify ranges in a number of ways:

  10.1.2.2-254    would add all IPs from 10.1.2.2 to 10.1.2.254 inclusive.
  10.1.2.2-3.254  would add all IPs from 10.1.2.2 to 10.1.3.254 inclusive.

Hostnames can be used in place of IP addresses, although obviously they do not
make sense as part of an address range e.g.

  FScan -p 2-200 www.microsoft.com

All IP addresses that end in .0 or .255 will be ignored by FScan.

------------------------------------------------------------------------------
To best illustrate the use of FScan here are a series of examples.
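First, as an added example that is not part of FScan or any Foundstone code, a Python parser for the port and target syntax described in the option descriptions above: the -p/-u port lists, the "-u" prefix in -l port list files, the comma-separated targets with full and short-form IP ranges, and the rule that addresses ending in .0 or .255 are ignored. Hostnames are passed through unexpanded; the short-form handling (trailing octets replacing those of the start address) is inferred from the two range examples given.

```python
import ipaddress

def expand_ports(spec):
    """Expand an FScan port list such as '60,70,80-100' (no spaces allowed)."""
    ports = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports

def parse_port_list_line(line):
    """One line of a -l port list file; a leading '-u' marks UDP ports, e.g. '-u130-140'."""
    line = line.strip()
    if line.startswith("-u"):
        return "udp", expand_ports(line[2:])
    return "tcp", expand_ports(line)

def usable(addr):
    """FScan ignores every address whose last octet is .0 or .255."""
    return (int(addr) & 0xFF) not in (0, 255)

def expand_targets(spec):
    """Expand an FScan target list: single IPs, hostnames and ranges. A range end
    may be a full address (10.1.2.5-10.1.2.20) or only the trailing octets
    (10.1.2.2-254, 10.1.2.2-3.254), which replace those octets of the start."""
    targets = []
    for item in spec.split(","):
        start_s, _, end_s = item.partition("-")
        try:
            start = ipaddress.IPv4Address(start_s)
        except ipaddress.AddressValueError:
            targets.append(item)  # not an IP: a hostname, passed through as-is
            continue
        if not end_s:
            if usable(start):
                targets.append(str(start))
            continue
        end_octets = end_s.split(".")
        end = ipaddress.IPv4Address(".".join(start_s.split(".")[:4 - len(end_octets)] + end_octets))
        if end < start:
            raise ValueError(f"range end precedes start in {item!r}")
        for n in range(int(start), int(end) + 1):
            if usable(ipaddress.IPv4Address(n)):
                targets.append(str(ipaddress.IPv4Address(n)))
    return targets
```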
Example #1: Scan machine at 10.0.2.2 for all TCP ports from 1 to 200.

  FScan -p 1-200 10.0.2.2

-------------------

Example #2: Scan machines from 10.0.2.2 to 10.0.2.254 for all TCP ports in the
range 1 to 65535 sending the output to the file "out.txt"

  FScan -p 1-65535 10.0.2.2-254 -o out.txt

-------------------

Example #3: Scan machines from 10.0.2.2 to 10.0.2.20 for TCP ports 80, 81, 88,
8000 and 8080 and UDP port 31337 without pinging and append the output to the
file "out.txt"

  FScan -aqp 80,81,88,8000,8080 -u 31337 10.0.2.2-20 -o out.txt

Notice the use of the combined options "aq" before the "p". This is perfectly
legitimate.

-------------------

Example #4: Scan machines 10.0.2.2 to 10.0.2.254 for TCP ports 21 and 25 and
show the banner responses. Include extra output information.

  FScan -vbp 21,25 10.0.2.2-254

-------------------

Example #5: Scan machines 10.0.2.1 to 10.0.2.254 for TCP ports 1 to 65535,
showing the banner responses and with a delay of 20 seconds between each port
scan. Include extra output information.

  FScan -vbp 1-65535 10.0.2.1-254 -d 20000

-------------------

Example #6: Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning, only
pinging. Resolve the IPs into hostnames.

  FScan -ne 10.0.2.1-254

-------------------

Example #7: Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning or
pinging. Resolve the IPs into hostnames.

  FScan -qne 10.0.2.1-254

==============================================================================

FOUNDSTONE, INC. Terms of Use

1. Acceptance of Terms

1.1. Read these Foundstone, Inc. ("Foundstone") Terms of Use ("Terms")
carefully before you ("You") accept these Terms by: (a) selecting the "Accept"
button at the end of the Terms, or (b) downloading any of the Foundstone tools
("Tools") located on this web site. If You do not agree to all of these Terms,
select the "Decline" button at the end of the Terms, or do not download any of
the Tools.

1.2. The Terms are entered into by and between Foundstone and You.
Foundstone provides the Tools to You strictly subject to the Terms.

2. Permitted Use

2.1. The Tools are freeware that You may download for Your personal,
non-commercial use only.

2.2. You may not modify, reverse engineer, make derivative works of,
distribute, transmit or sell any of the Tools without the express written
consent of Foundstone.

2.3. The Tools may not be used by You or any other party for any purpose that
violates any local, state, federal or foreign law. You understand that
breaking into any network or computer system not owned by You may be illegal.

3. No Express or Implied Warranty

3.1. THE TOOLS ARE PROVIDED TO YOU "AS IS." FOUNDSTONE MAKES NO WARRANTIES OR
REPRESENTATIONS, EXPRESS OR IMPLIED, ABOUT THE EFFECTIVENESS, COMPLETENESS OR
FITNESS OF THE TOOLS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

4. Limitation of Liability

4.1. YOU AGREE THAT FOUNDSTONE WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF YOUR USE OF, OR
INABILITY TO USE, THE TOOLS, INCLUDING WITHOUT LIMITATION ANY DAMAGE TO, OR
VIRUSES OR "TROJAN HORSES" THAT MAY INFECT OR INVADE, YOUR COMPUTER EQUIPMENT
OR OTHER PROPERTY, EVEN IF FOUNDSTONE IS EXPRESSLY ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

4.2. YOU AGREE TO HOLD FOUNDSTONE HARMLESS FROM, AND YOU COVENANT NOT TO SUE
FOUNDSTONE FOR, ANY CLAIMS BASED ON YOUR USE OF, OR YOUR INABILITY TO USE, THE
TOOLS.

5. Indemnification

5.1. You agree to indemnify and hold Foundstone and its subsidiaries,
affiliates, officers, agents, and employees harmless from any claim or demand,
including attorney's fees, made by any third party due to or arising out of
Your use of the Tools, breach of the Terms, or violation of the rights of
another.

6. Intellectual Property Rights

6.1. The Tools and all names, marks, brands, logos, designs, trade dress and
other designations Foundstone uses in connection with the Tools are
proprietary to Foundstone and are protected by applicable intellectual
property laws, including, but not limited to copyrights and trademarks.
Accordingly, You may not modify, reverse engineer, make derivative works of,
distribute, transmit or sell any of the Tools, nor may You remove or alter any
of Foundstone's trademarks from the Tools or co-brand any of the Tools,
without the express written consent of Foundstone.

7. Miscellaneous

7.1. California law and controlling United States federal law govern any
action related to the Terms. No choice of law rules of any jurisdiction apply.
You and Foundstone agree to submit to the personal and exclusive jurisdiction
of the California state court located in Santa Ana, California and the United
States District Court for the Central District of California.

7.2. The Terms constitute the entire agreement between You and Foundstone and
govern Your use of the Tools, superseding any prior agreements between You and
Foundstone (including, but not limited to, prior versions of the Terms).

7.3. Foundstone controls and operates this website from various locations in
the United States of America and makes no representation that these Tools are
appropriate or available for use in other locations. If you use this website
from locations outside the United States of America, You are responsible for
compliance with applicable local laws, including, but not limited to, the
export and import regulations of other countries.

7.4. These Terms and this website could include inaccuracies or typographical
errors. Foundstone may make improvements and/or changes to the Terms or the
website at any time without notice.

7.5. The failure of Foundstone to enforce or exercise any right or provision
of the Terms does not constitute a waiver of such right or provision.

7.6. In the event any provision of this Agreement is held to be unenforceable
in any respect, such unenforceability shall not affect any other provision of
this Agreement, provided that the expected economic benefits of this Agreement
are not denied to either party.