Unicornscan is an asynchronous network stimulus delivery/response recording tool. Meaning it sends out broken/unorganized/fragmented packets (without a regular pattern unlike other port scanning tools) to a host and waits for the target’s response.

After getting the response the TTL value is calculated for each port and thereby identifying the operating system. For eg, if the ttl=128, the operating system is Windows and so on.

Pentesters use this tool when regular port scanning doesn’t work as the target might have enabled port scanning detection or has enabled IDS/IPS or honeypots. One cool feature of unicornscan is that it uses different threads to send out packets & to receive them, unlike other port scanners.

Note: This tool is not available by default in Kali Sana


Syntax: Unicornscan <options> <target>
-b, --broken-crc     *set broken crc sums on [T]ransport layer, [N]etwork layer, or both[TN]
-B, --source-port    *set source port? or whatever the scan module expects as a number-c, --proc-duplicates process duplicate replies
-d, --delay-type     *set delay type (numeric value, valid options are `1:tsc 2:gtod 3:sleep')
-D, --no-defpayload   no default Payload, only probe known protocols
-e, --enable-module  *enable modules listed as arguments (output and report currently)
-E, --proc-errors     for processing `non-open' responses (icmp errors, tcp rsts...)
-F, --try-frags
-G, --payload-group        *payload group (numeric) for tcp/udp type payload selection (default all)
-h, --help            help
-H, --do-dns          resolve hostnames during the reporting phase
-i, --interface      *interface name, like eth0 or fxp1, not normally required
-I, --immediate       immediate mode, display things as we find them
-j, --ignore-seq     *ignore `A'll, 'R'eset sequence numbers for tcp header validation
-l, --logfile        *write to this file not my terminal
-L, --packet-timeout *wait this long for packets to come back (default 7 secs)
-m, --mode           *scan mode, tcp (syn) scan is default, U for udp T for tcp `sf' for tcp connect scan and A for arp for -mT you can also specify tcp flags following the T like -mTsFpU for example that would send tcp syn packets with (NO Syn|FIN|NO Push|URG)
-M, --module-dir     *directory modules are found at (defaults to /usr/lib/unicornscan/modules)
-o, --format         *format of what to display for replies, see man page for format specification
-p, --ports           global ports to scan, if not specified in target options
-P, --pcap-filter    *extra pcap filter string for reciever
-q, --covertness     *covertness value from 0 to 255
-Q, --quiet           dont use output to screen, its going somewhere else (a database say...)
-r, --pps            *packets per second (total, not per host, and as you go higher it gets less accurate)
-R, --repeats        *repeat packet scan N times
-s, --source-addr    *source address for packets `r' for random
-S, --no-shuffle      do not shuffle ports
-t, --ip-ttl         *set TTL on sent packets as in 62 or 6-16 or r64-128
-T, --ip-tos         *set TOS on sent packets
-u, --debug                         *debug mask
-U, --no-openclosed       dont say open or closed
-w, --safefile       *write pcap file of recieved packets
-W, --fingerprint    *OS fingerprint 0=cisco(def) 1=openbsd 2=WindowsXP 3=p0fsendsyn 4=FreeBSD 5=nmap 6=linux 7:strangetcp
-v, --verbose         verbose (each time more verbose so -vvvvv is really verbose)
-V, --version         display version
-z, --sniff           sniff alike
-Z, --drone-str      *drone String
*:            options with `*' require an argument following them

Lab 1: Scan a host for services & OS(TTL)

In this lab, we scan a host with IP address for open ports. Also by doing so, we get the TTL value of corresponding ports and thereby we can identify the operating system

Command: unicornscan –Iv
Basic Scan

Lab 2: Perform a TCP SYN Scan on a whole network

In this lab, we perform a TCP syn scan on a whole network range of By doing so we have multiple benefits. All the live hosts will be visible to us along with the services/ports open & TTL values.

Stealth syn scan is a method by which packets with syn flags are sent to a port of a target host. If the port is open, the reply from the target will be a packet with SYN/ACK flag else a packet with RST flag. Thus the attacker can identify what all services are running on the target host.

Command : unicornscan -msf -v -I

Lab 3: Perform a UDP scan on the whole network

In this lab, we perform a UDP scan on a whole network range of By doing so we get to know all UDP services running on a network.

Command: unicornscan –mU –v –I
UDP Scan

While performing scans with unicornscan, turn ON Wireshark also to view the packets going out. You can see the pattern which unicornscan sends out. Try it & Share this tutorial.