Unicorn scan

✨ deeznutz

✨ Master ✨
Staff member
May 15, 2017
Unicornscan is an asynchronous network stimulus delivery/response recording tool. Meaning it sends out broken/unorganized/fragmented packets (without a regular pattern unlike other port scanning tools) to a host and waits for the target’s response.

After getting the response the TTL value is calculated for each port and thereby identifying the operating system. For eg, if the ttl=128, the operating system is Windows and so on.

Pentesters use this tool when regular port scanning doesn’t work as the target might have enabled port scanning detection or has enabled IDS/IPS or honeypots. One cool feature of unicornscan is that it uses different threads to send out packets & to receive them, unlike other port scanners.

Lab 1: Scan a host for services & OS(TTL)

In this lab, we scan a host with IP address for open ports. Also by doing so, we get the TTL value of corresponding ports and thereby we can identify the operating system

Command: unicornscan –Iv

Lab 2: Perform a TCP SYN Scan on a whole network

In this lab, we perform a TCP syn scan on a whole network range of By doing so we have multiple benefits. All the live hosts will be visible to us along with the services/ports open & TTL values.

Stealth syn scan is a method by which packets with syn flags are sent to a port of a target host. If the port is open, the reply from the target will be a packet with SYN/ACK flag else a packet with RST flag. Thus the attacker can identify what all services are running on the target host.

Command : unicornscan -msf -v -I

Lab 3: Perform a UDP scan on the whole network

In this lab, we perform a UDP scan on a whole network range of By doing so we get to know all UDP services running on a network.

Command: unicornscan –mU –v –I

While performing scans with unicornscan, turn ON Wireshark also to view the packets going out. You can see the pattern which unicornscan sends out. Try it & Share this tutorial.
Top Bottom