Scan network 192.168.0.0/24 for SSH daemons on port 22
June 16, 2020 ยท View on GitHub
pnscan - a Parallel Network Scanner
Copyright (c) 2002-2020 Peter Eriksson pen@lysator.liu.se
INTRODUCTION
Pnscan is a tool that can be used to survey IPv4 TCP network services. IPv6 is currently not supported.
For example, it can be used to survey the installed versions of SSH, FTP, SMTP, Web, IDENT and possibly other services.
The latest version of pnscan can be downloaded from:
https://github.com/ptrrkssn/pnscan
There is also a small web page about it at:
http://www.lysator.liu.se/~pen/pnscan
If you like it then I'd gladly accept a nice bottle of whisky, some free beer or even just a "Thank you!" email :-)
INSTALLATION
Run "./configure && make" to configure & build. "make install" will install.
FreeBSD 11.3 & 12.0 Ubuntu 20 CentOS 6 & 8 OmniOS r151034 Solaris 10 (requires a GCC that understands -pthread, v5 works)
When it has been built you can install it with "make install-all". It will by default install in /usr/local/bin and /usr/local/man/man1
(Solaris 10 - Sun Studio 12.4 can be used to compile if you edit Makefile.in and change -pthread to -thread and remove -Wall before running ./configure)
There is support for various package systems (FreeBSD ports, Linux RPM, MacOS HomeBrew, Solaris "svr" packages and OmniOS Extra IPS) in the "pkgs" subdirectory. See the pkgs/Makefile for details.
USAGE
Start pnscan with "-h" for online help.
pnscan tries to be smart as to how many threads to start - it will dynamically start only as many as is needed to make progress in the scan - up to a maximum either as specified with the "-n" command line option, or 8 minus the maximum number of available file descriptors (pnscan tries to increase it to the max limit automatically) - or any internal limit on the system.
Host ranges can be specified both as a CIDR - network name or IP address / mask bit length and as a range. When using CIDR notation - the first and last address is ignored (normally used for broadcasts)
Some examples: 192.168.0.0/24 192.160.0.1:192.160.0.254 arpanet/8
The CIDR names are looked up in "networks" (/etc/networks or the YP/NIS+/whatever equivalent).
The host ranges can also be specified as a range (or a single address) of hostnames or IP addresses:
some.where.com:otherplace.where.com
192.168.10.27:192.168.11.194
localhost
Service/Port ranges can be specified both via symbolic names looked up in "services" (/etc/services or YP/NIS+/whatever equivalent) or as numbers:
ssh:telnet
22:23
113
The strings used with "-w" and "-r" may contain escaped characters. NUL characters are legal (\0) to use.
pnscan by default will start printing the output from the first line recevied - or from the start of a match with "-r" (or from the first line of the first match if used with the "-l" option).
EXAMPLES
Scan network 192.168.0.0/24 for SSH daemons on port 22
pnscan 192.168.0.0/24 22 pnscan 192.168.0.1:192.168.0.254 ssh
Scan hosts 192.168.10.34 ... 98 for IDENT servers, max 8 threads
pnscan -n8 -w"VERSION" 192.168.10.34:192.168.10.98 113
Scan host 127.0.0.1 for WWW servers on all ports
pnscan -w"HEAD / HTTP/1.0\r\n\r\n" -r"Server:" 192.168.0.32 1:65525 pnscan -w"HEAD / HTTP/1.0\r\n\r\n" -r"Server:" localhost 1:65525
Send binary data and expect the binary sequence FF 00 FF on port 145.
pnscan -W"05 5A 37" -R"FF 00 FF" 192.168.0.32 145
Scan for Roxen servers and print the whole Server-line
pnscan -l -w"HEAD / HTTP/1.0\r\n\r\n" -r"Roxen" localhost 1:65525
Scan for pidentd servers and try to locate the version
pnscan -w"VERSION" 192.160.0.0/24 113
Scan network arpanet/24 for daytime servers and sort them IP-numerically
pnscan arpanet/10 daytime | ipsort
Read host (&port) lines from stdin and scan the selected hosts for SSH
echo '192.160.10.11 ssh' | pnscan -v echo '192.160.10.12' | pnscan 22
WARNING
Scanning of networks of which you do not have explicit permission to do probably will be considered abuse of network resources and may cause problems for you. So please use this tool with great care.