pnscan - a Parallel Network Scanner

Copyright (c) 2002-2020 Peter Eriksson <pen@lysator.liu.se>

----------------------------------------------------------------------

INTRODUCTION

Pnscan is a tool that can be used to survey IPv4 TCP network
services. IPv6 is currently not supported.

For example, it can be used to survey the installed versions of
SSH, FTP, SMTP, Web, IDENT and possibly other services.

The latest version of pnscan can be downloaded from:

	https://github.com/ptrrkssn/pnscan

There is also a small web page about it at:

	http://www.lysator.liu.se/~pen/pnscan


If you like it then I'd gladly accept a nice bottle of whisky,
some free beer or even just a "Thank you!" email :-)



INSTALLATION

Run "./configure && make" to configure & build. "make install" will install.

  FreeBSD 11.3 & 12.0
  Ubuntu 20
  CentOS 6 & 8
  OmniOS r151034
  Solaris 10 (requires a GCC that understands -pthread, v5 works)

When it has been built you can install it with "make install-all".
It will by default install in /usr/local/bin and /usr/local/man/man1

(Solaris 10 - Sun Studio 12.4 can be used to compile if you edit Makefile.in
and change -pthread to -thread and remove -Wall before running ./configure)

There is support for various package systems (FreeBSD ports, Linux RPM,
MacOS HomeBrew, Solaris "svr" packages and OmniOS Extra IPS) in the "pkgs"
subdirectory. See the pkgs/Makefile for details.


USAGE

Start pnscan with "-h" for online help.

pnscan tries to be smart as to how many threads to start -
it will dynamically start only as many as is needed to make
progress in the scan - up to a maximum either as specified with
the "-n" command line option, or 8 minus the maximum number of
available file descriptors (pnscan tries to increase
it to the max limit automatically) - or any internal limit
on the system.

Host ranges can be specified both as a CIDR - network
name or IP address / mask bit length and as a range.
When using CIDR notation - the first and last address
is ignored (normally used for broadcasts)

Some examples:
	192.168.0.0/24
	192.160.0.1:192.160.0.254
	arpanet/8

The CIDR names are looked up in "networks" (/etc/networks
or the YP/NIS+/whatever equivalent).

The host ranges can also be specified as a range (or
a single address) of hostnames or IP addresses:

	some.where.com:otherplace.where.com
	192.168.10.27:192.168.11.194
	localhost


Service/Port ranges can be specified both via symbolic names
looked up in "services" (/etc/services or YP/NIS+/whatever
equivalent) or as numbers:

	ssh:telnet
	22:23
	113

The strings used with "-w" and "-r" may contain escaped characters.
NUL characters are legal (\0) to use.

pnscan by default will start printing the output from the first line
recevied - *or* from the start of a match with "-r" (or from the first
line of the first match if used with the "-l" option).


EXAMPLES

# Scan network 192.168.0.0/24 for SSH daemons on port 22
pnscan 192.168.0.0/24 22
pnscan 192.168.0.1:192.168.0.254 ssh

# Scan hosts 192.168.10.34 ... 98 for IDENT servers, max 8 threads
pnscan -n8 -w"VERSION" 192.168.10.34:192.168.10.98 113

# Scan host 127.0.0.1 for WWW servers on all ports
pnscan -w"HEAD / HTTP/1.0\r\n\r\n" -r"Server:" 192.168.0.32 1:65525
pnscan -w"HEAD / HTTP/1.0\r\n\r\n" -r"Server:" localhost 1:65525

# Send binary data and expect the binary sequence FF 00 FF on port 145.
pnscan -W"05 5A 37" -R"FF 00 FF" 192.168.0.32 145

# Scan for Roxen servers and print the whole Server-line
pnscan -l -w"HEAD / HTTP/1.0\r\n\r\n" -r"Roxen" localhost 1:65525

# Scan for pidentd servers and try to locate the version
pnscan -w"VERSION" 192.160.0.0/24 113

# Scan network arpanet/24 for daytime servers and sort them IP-numerically
pnscan arpanet/10 daytime | ipsort

# Read host (&port) lines from stdin and scan the selected hosts for SSH
echo '192.160.10.11 ssh' | pnscan -v
echo '192.160.10.12' | pnscan 22



WARNING

Scanning of networks of which you do not have explicit permission
to do probably _will_ be considered abuse of network resources and
may cause problems for you. So *please* use this tool with great care.