Dailydave mailing list archives

RE: Unicornscan


From: robert () dyadsecurity com
Date: Tue, 5 Oct 2004 02:58:14 -0700

That's really cool. It's written entirely in C, I imagine? How is a
"unicornnode" set up?

-dave

(I'm forwarding this for Jack, who isn't subscribed - Robert)

You just start a couple of nodes in "drone" mode (the full code is missing in the 0.4.2 release to support that) and
inform the "master" that its "drones" are remote now, and it won't fork processes to handle the work, it'll just connect
to them over a TCP socket. When you start one of the scanner "nodes" in "drone" mode, the master thread just acts
as a proxy to the worker, allowing a remote "master" to talk to the worker on non-local boxes. The documentation for it
is terrible right now and the code isn't even complete in the release (though if you were clever you could see what I
took out and get it working again without a lot of pain).

The next release will have a lot more support for a simpler interface for "clustering" that's "user-friendly" (one
of the reasons it was removed) from the code that's on the website now. It turns out that people really like that
feature (something I didn't plan for) so we're working on a new interface for it anyhow.

The TCP connection code is POC at this point, and is already mostly rewritten (for a two-way `socket' type thing),
possibly even exporting a "socket API" in the near future with a list of stacks it knows how to act like (though it
will be a while before it behaves like a real stack in some respects).

We are even planning to add Python or some scripting support to its "configuration" syntax for doing things that are
*ahem* more complex (like more involved payload generation without writing in C). But there are a lot of things to get
done, the code base is growing really fast, so I spend quite a bit of time removing things and making generic
replacements.

Currently I'm removing libnet and replacing that with a library (that I'm writing :/) that has a better, more
`fragrouter'-type interface for IDS evasion that's easy to use from a higher level. Oh yeah, it's written in C and it
uses flex/bison too.

Also adding TCP triggers to allow for custom payload content.  This is a POC format:

    /* struct and field names assumed for illustration; the post shows only the array initializer */
    struct trigger { int port; const char *payload; const char *match; } triggers[] = {
        {80, "OPTIONS / HTTP/1.1\r\nHost: %i:%p\r\n\r\n", "^(Server|Allow)"}
    };

We will support ASCII, octal, hex, etc. just like the UDP custom payloads.
Anyhow, I'd like to hear about more things people want to use it for :]. Port scanning is a bit dull; it's certainly
possible to up the application layer support in the modules to allow some neat stuff.

Jack

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
http://www.unicornscan.org
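The TCP trigger idea from Jack's message, as an added stand-alone example (this is not unicornscan code and is in Python rather than the tool's C): a trigger tuple of (port, payload template, reply regex) is looked up by service port, %i and %p in the template are expanded to the target address and port (an assumed reading of the "Host: %i:%p" header in the sample; "%%" as a literal percent is likewise assumed), the payload is sent over a TCP connection, and the reply is matched with the regex in multiline mode so "^(Server|Allow)" can hit a header line rather than only the status line. The web server it talks to is a constructed stand-in on localhost so the whole thing runs offline; the function names are the example's own.

```python
import re
import socket
import threading

# Trigger table in the shape of the proof-of-concept tuple from the post:
# (port, payload template, regex the reply must match). Added example,
# not unicornscan's own data structure.
TRIGGERS = [
    (80, "OPTIONS / HTTP/1.1\r\nHost: %i:%p\r\n\r\n", r"^(Server|Allow)"),
]


def expand_payload(template, host, port):
    """Expand %i (target address) and %p (target port) in a payload template.

    The %i/%p meaning is an assumption read off the Host: header in the post;
    '%%' is taken as a literal percent sign. Any other escape passes through.
    """
    subst = {"i": host, "p": str(port), "%": "%"}
    return re.sub(r"%([ip%])", lambda m: subst[m.group(1)], template)


def select_trigger(triggers, port):
    """Return the first trigger registered for this service port, or None."""
    for trig in triggers:
        if trig[0] == port:
            return trig
    return None


def fire_trigger(host, port, template, pattern, timeout=2.0):
    """Connect, send the expanded payload, read the reply until the peer closes
    or the read times out, and return (matched, reply_text).

    MULTILINE mode makes '^' anchor at the start of every reply line, which
    '^(Server|Allow)' needs: an HTTP reply starts with the status line, and
    the header of interest sits on a later line.
    """
    wire = expand_payload(template, host, port).encode("latin-1")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(wire)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # peer kept the connection open; match on what arrived
    reply = b"".join(chunks).decode("latin-1", "replace")
    matched = re.search(pattern, reply, re.MULTILINE) is not None
    return matched, reply


def start_fake_http_server(host="127.0.0.1"):
    """Constructed stand-in for a web server so the example runs offline.

    Serves exactly one connection: a 200 with an Allow: header for an OPTIONS
    request, a 400 for anything else. Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(4096)
            if req.startswith(b"OPTIONS "):
                conn.sendall(b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, OPTIONS\r\n"
                             b"Content-Length: 0\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n"
                             b"Content-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the port-80 trigger against the local stand-in. The trigger is
    looked up by service port (80) but sent to the ephemeral port the stand-in
    actually got, so %p expands to that port in the Host: header."""
    host = "127.0.0.1"
    port = start_fake_http_server(host)
    _, template, pattern = select_trigger(TRIGGERS, 80)
    return fire_trigger(host, port, template, pattern)


if __name__ == "__main__":
    matched, reply = demo()
    print("matched" if matched else "no match", repr(reply.splitlines()[0]))
```

Against a real target the same code sends the payload to the service port itself; the stand-in only differs in where it listens. A reply that never closes the connection is handled by the read timeout, so a slow or silent service costs at most `timeout` seconds per trigger.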
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

