-S

Only send requests, do not listen for their responses.

-L

Only listen for responses, do not actually send the matching requests. There's nothing that forces the sender and receiver to be the same host -- in fact, split operation is explicitly supported.

-e

Show responses from hosts that are up but aren't accepting connections to the requested port.

-E

*ONLY* show responses from hosts that are up but aren't accepting connections to the requested port -- do not display ports that are up.

-t [number of seconds]

Set maximum number of seconds that may pass before listening process gives up on receiving any more responses. This timer is reset with every good response, whether the port is up or down.

-b [bandwidth][b][k][m][g]

Limit the amount of bandwidth that scanrand may use for its outgoing requests. -b 100k would limit said bandwidth to 100kbyte/s. Note, since outgoing SYN frames constitute only 64 bytes on the wire, very little bandwidth can go very, very far. The bandwidth value of 0 -- set by default -- corresponds to no bandwidth limitation.

-N

Use Reverse-DNS to determine a DNS host name that matches the source of a detected packet.

-NN

Use Reverse-DNS to determine a DNS host name that matches the intended destination of a given packet.

-v

Verbosity Level 1: Mark the sending of packets.

-vv

Verbosity Level 2: Output all interpreted TCP and IP headers.

-d <interface>

Use this Layer 2 Device for all traffic.

-i <IP Address>

Use this Layer 3 Source IP address for all traffic.

-p <Port>

Use this Layer 4 TCP Source Port for all direct traffic. TCP Traceroute will use this port as a basis for its activity, but will vary its actual selected port by up to 255.

-s <Seed>

Use this value as a cryptographic seed for authenticating incoming packets. This value is normally generated automatically, but needs to be manually specified and synchronized when splitting the sender and receiver processes across invocations, hosts, and possibly entire networks. It is highly advised not to repeat the same seed for two separate scans; spoofing responses becomes much easier given that circumstance.

-f <file>

Read list of targets from a file. Syntax follows whatever is accepted on the command line.

-l <from-to>

Stateless TCP Tracerouting -- instead of just iterating across ports and hosts, we're iterating across network hops and reconstructing the network based on the ICMP errors (with original copies of our IP and first 8 bytes of TCP. May function in tandem with standard host/port lists. Specify minimum and maximum hop-distance you want to map, as in scanrand -l1-20 www.foobar.com

-c

Verify Inverse SYN Cookies in returned ICMP errors. Not enabled by default.

-D

Actively discover distance to target host. This is done by sending it an invalid ACK, which immediately forces a TCP RST. It turns out that lots of systems (including Minewt, oops) attempting to return replies as fast as possible will use the incoming packet as a prototype for the response, flipping only those fields that absolutely need to be. This doesn't include TTL...so what happens is, we send out our ACK probe with a TTL of around 180. No normal host will ever have a TTL in that range, and no normal network will hop down from the 255's into there. Now, we can look at returned RST's, see the TTL in the impossible range, and know that we caused it. Divide by two to get the average distance (between getting there and getting back, usually identical but not always due to asymmetric routing). "Distco mode" is flexible enough to handle when TTL's *are* handled correctly, and in at least one case, will determine hopcounts through firewalls that otherwise try to scrub the TTL back up to 64. On the flip side, at least one PIX likes to respond to an ACK with a locally produced RST|ACK, for some unimaginable reason. Great way to find out if you're behind a PIX, but it kills Distco dead (sort of like the 80's).

Instead of using a comma/dash notated port range, like "80,20-25", several default port ranges have been precompiled into scanrand. They are:

quick

Quick scanning hits the top one or two dozen TCP service ports that are often enabled on a given server. This translates directly to: 80,443,445,53,20-23,25,135,139,8080, 110,111,143,1025,5000,465,993,31337, 79,8010,8000,6667,2049,3306 This is the default scan mode when scanning a single host. When multiple hosts are scanned, scanrand automatically defaults to scan only port 80 (HTTP).

squick

Super-Quick scanning hits the top five or six TCP service ports that are very often enabled on a given server. This translates directly to: 80,443,139,21,22,23

known

Known Port Scanning uses IANA's list of TCP port numbers, as well as any other port numbers observed by Fyodor of the nmap project, to select 1150 ports from the 65K possible to scan. This is equivalent to the nmap "fast scan" option.

all

Scans all ports -- 0(which is a valid port!) to 65535.