
Unicornscan Introduction

Unicornscan is a sophisticated, powerful and stateless port scanner that works by sending stimulus packets to, and measuring the responses from, any TCP/IP-enabled device (there are billions out there). Although it has hundreds of features, some of its key features include:

  • Asynchronous stateless TCP scanning with each of the TCP flags or flag combinations
  • Banner grabbing for application and OS fingerprinting
  • Asynchronous protocol specific UDP scanning
  • Active and Passive remote OS and application detection
  • PCAP file logging and filtering
  • Relational database output for storing the results of your scans
  • Custom module support so that pentesters can tailor it to their specific needs
  • Customized data set views.

I. Overview Of UnicornScan

One of the key features of unicornscan that sets it apart from nmap and other port scanners is that it has its own TCP/IP stack. The other port scanners all use the underlying host operating system's TCP/IP stack. This enables unicornscan to scan much more quickly than the others because it can, for instance, send out SYN packets with one thread and receive the responses with another thread. This can make a huge difference when scanning very large networks as a security researcher/pentester, where we might be scanning thousands of IP addresses, and it is even more important to an attacker who may be scanning millions of addresses looking for a particular open port or vulnerability.

In addition, because it has its own TCP/IP stack, it is capable of sending packets with a different OS fingerprint than the operating system of your host. This can be very useful for obscuring your identity, especially when combined with IP spoofing.

Unicornscan is built into Kali, so there is no need to download, unpack and compile new software. Since it is installed in the /usr/bin directory, we can access unicornscan from the command line from any directory.

Let’s get started with unicornscan.

II. Unicornscan Help

Let's begin by looking at the help file for unicornscan by typing:

kali > unicornscan -h

Since the help screen is so long, I captured it in two screenshots and displayed the second one below.

There is a LOT of information in this help file, so let's start with some simple scans to demonstrate the power of unicornscan and work up to some more complex examples.

The syntax for a basic unicornscan (the default is a TCP SYN scan) is:

kali > unicornscan <host>

Let’s try it against a Windows 7 machine on our network.

kali > unicornscan 192.168.1.116

This simple syntax returns the open TCP ports on the target system, very similar to the nmap -sS scan, but without the default ICMP probes that nmap uses. As you can see, unicornscan reports back to us that ports 135, 139, 445 and 554 are open on the target Windows 7 system.

What if we want to scan more than one IP address? Unicornscan has slightly different syntax for scanning multiple hosts than nmap or hping. Each of the hosts must be listed individually, separated by spaces rather than commas, as below.

kali > unicornscan 192.168.1.106 192.168.1.116

If we wanted to scan our entire network, we can use CIDR notation such as 192.168.1.0/24 to scan all 255 IP addresses. Let's say we wanted to find all the IPs that had port 80 open. We simply need to add the :80 notation after the CIDR notation, such as:

kali > unicornscan 192.168.1.0/24:80

Here we can see unicornscan scanned the entire Class C network finding all the hosts with port 80 open.

Unicornscan is not limited to our internal network, and this is where its speed becomes critical. What if I knew that a particular vulnerability existed on systems that had port 5505 open, but had no idea where those systems were? They could be anywhere in the world, meaning that I would have to scan over 4 billion addresses! I could break the scans down into smaller pieces, say a million at a time. I could use unicornscan to scan one million addresses looking for port 5505 by typing:

kali > unicornscan 216.1.0.0/8:5505

III. TCP Scanning

Unicornscan defaults to a TCP scan without sending any ICMP, unlike nmap. By default, it sends a SYN scan. Let's say we wanted to scan our favorite IT security training site, hackonology.com, looking for ports 80 and 443 and sending 200 packets per second. We could write:

kali > unicornscan -r200 -mT hackonology.com:80,443

Where:
-r200                    ##indicates we want to send 200 packets per second##
-mT                      ##indicates we want to scan (m) using the TCP protocol##
hackonology.com:80,443   ##indicates the host and the ports we want to scan##

As you can see, unicornscan only found port 80 open at hackonology.com.

IV. UDP Scanning

What if we are looking for UDP ports? Since unicornscan, by default, sends TCP SYN packets, it will not find UDP ports unless we specify a UDP scan, similar to nmap. We can scan for UDP ports by simply replacing the T with a U after the -m, such as:

kali > unicornscan -r300 -mU hackonology.com

Where:
-r300      ##indicates we want to scan with 300 packets per second##
-mU        ##indicates we want to scan with the UDP protocol##

When we scan hackonology.com with a UDP scan, it finds no UDP ports open. This is not unexpected for a web server, but on a typical network you are likely to see many UDP ports open, such as 53, 161 and others.

V. Saving to a PCAP file

One of the other beauties of unicornscan is its ability to save the returned packets in PCAP format. This enables us to analyze the response packets at a later time with tools such as Wireshark. So, if we wanted to find hosts with port 5505 open and make the scan appear to be coming from an openBSD system with the IP address 69.162.180.50, we could write a command like this:

kali > unicornscan 216.1.0.0/8:5505 -r500 -w huntfor5505.pcap -W1 -s 69.162.80.50

Where:
-r500                 ##indicates we want to scan with 500 packets per second##
-w huntfor5505.pcap   ##indicates we want to write the packets to a file named huntfor5505.pcap##
-W1                   ##indicates we want the packets to be sent with the fingerprint of an openBSD system##
-s                    ##indicates we want the packets to be sent with the spoofed source IP that follows (69.162.80.50)##

VI. Unicornscan Cheat Sheet

Unicornscan is a powerful scanner with hundreds of features, a few of which we have touched upon here. Probably its greatest advantage over other port scanners is the fact that it has its own TCP/IP stack, enabling it to scan faster and to spoof other TCP/IP stacks.

For the most common scanning, please find a cheat sheet below to assist you.

SYN scan                      :   -mT
ACK scan                      :   -mTsA
FIN scan                      :   -mTsF
Null scan                     :   -mTs
Xmas scan                     :   -mTsFPU
Connect scan                  :   -msf -Iv
Full Xmas scan                :   -mTFSRPAU
Scan ports 1 through 5        :   (-mT) host:1-5

To spoof your IP use -s followed by the IP address.

To use another OS fingerprint use the -W switch followed by the numeric value of the OS.

0 = Cisco (default)   1 = openbsd   2 = Windows XP   3 = p0fsendsyn   4 = FreeBSD   5 = nmap

Lab Practice

Lab 1: Scan a host for services & OS(TTL)

In this lab, we scan a host with IP address 192.168.1.250 for open ports. In doing so, we also get the TTL value of the responses for each port, from which we can identify the operating system.

Command: unicornscan 192.168.1.250 -Iv

Lab 2: Perform a TCP SYN Scan on a whole network

In this lab, we perform a TCP SYN scan on the whole network range 192.168.1.1/24. This gives us multiple benefits: all the live hosts become visible to us, along with their open services/ports and TTL values.

A stealth SYN scan is a method by which packets with the SYN flag set are sent to a port on a target host. If the port is open, the target replies with a SYN/ACK packet; otherwise it replies with an RST packet. Thus the attacker can identify which services are running on the target host.

Command : unicornscan -msf -v -I 192.168.1.1/24
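Both Lab 1 and Lab 2 lean on the same two pieces of information in unicornscan's report lines: the open port and the TTL of the reply. The following added example (not part of the original lesson, and not unicornscan's own code) parses constructed lines written in the style of unicornscan's default "TCP open ... from <host> ttl <n>" output, groups open ports per host, and applies the usual initial-TTL heuristic (64 Linux/Unix, 128 Windows, 255 network gear) to guess the OS; the sample lines and the heuristic thresholds are assumptions, not captured results.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of unicornscan's default report output
# (not captured from a real scan). The trailing statistics line is noise to skip.
SAMPLE_OUTPUT = """\
TCP open                   msrpc[  135]         from 192.168.1.116  ttl 128
TCP open             netbios-ssn[  139]         from 192.168.1.116  ttl 128
TCP open            microsoft-ds[  445]         from 192.168.1.116  ttl 128
TCP open                     ssh[   22]         from 192.168.1.106  ttl 64
TCP open                    http[   80]         from 192.168.1.106  ttl 64
UDP open                  domain[   53]         from 192.168.1.250  ttl 255
sender statistics 300.0 pps with 768 packets sent total
"""

# One report line: protocol, "open", service name, [port], "from", IPv4, "ttl", value.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+open\s+(?P<svc>[^\s\[]+)\[\s*(?P<port>\d+)\]\s+"
    r"from\s+(?P<host>\d+\.\d+\.\d+\.\d+)\s+ttl\s+(?P<ttl>\d+)"
)

def guess_os(ttl):
    """Heuristic (assumption): initial TTLs are commonly 64 (Linux/Unix), 128
    (Windows) or 255 (network devices / some other stacks). Each router hop
    decrements the value, so map an observed TTL to the nearest default at or
    above it. This is a hint for triage, not proof of the OS."""
    for initial, label in ((64, "Linux/Unix-like"), (128, "Windows"),
                           (255, "network device / other")):
        if ttl <= initial:
            return label
    return "unknown"

def parse_unicornscan(text):
    """Return {host: {"ttl": int, "os_guess": str, "ports": [(proto, port, svc), ...]}}."""
    hosts = defaultdict(lambda: {"ttl": None, "os_guess": None, "ports": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, blank and statistics lines carry no port data
        entry = hosts[m["host"]]
        entry["ports"].append((m["proto"], int(m["port"]), m["svc"]))
        ttl = int(m["ttl"])
        entry["ttl"] = ttl
        entry["os_guess"] = guess_os(ttl)
    return dict(hosts)

if __name__ == "__main__":
    # Per-host inventory: the view a defender wants when checking exposed services.
    for host, info in sorted(parse_unicornscan(SAMPLE_OUTPUT).items()):
        ports = ", ".join(f"{p}/{proto.lower()} ({svc})" for proto, p, svc in info["ports"])
        print(f"{host:15} ttl={info['ttl']:3}  os~{info['os_guess']:24} {ports}")
```

To use it on a real run, pipe unicornscan's standard output into a file and pass its contents to parse_unicornscan.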

Lab 3: Perform a UDP scan on the whole network

In this lab, we perform a UDP scan on the whole network range 192.168.1.1/24. By doing so we get to know all the UDP services running on the network.

Command: unicornscan -mU -v -I 192.168.1.1/24

While performing scans with unicornscan, also turn on Wireshark to view the packets going out. You can see the pattern of packets that unicornscan sends. Try it & share this tutorial.

Hope this article is helpful for you. Thank you.

