Intel Security

ScanLine v1.01

Command line port scanner.

ScanLine is a command-line port scanner for all Windows platforms. It can perform traditional ICMP "pinging", optional additional ICMP TimeStamp scanning, can show host response times and number of hops, do TCP scanning, simple UDP scanning, banner grabbing and hostname resolving. Scanning is performed in a fast highly parallel fashion without resorting to using multiple threads. It can handle huge numbers and ranges of IP addresses without a problem.

This is the usage line as reported by typing "sl" or "sl -?"

ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002

sl [-?bhijnprsTUvz]
[-cdgmq <n>]
[-flLoO <file>]
[-tu <n>[,<n>-<n>]]
IP[,IP-IP]

-? - Shows this help text
-b - Get port banners
-c - Timeout for TCP and UDP attempts (ms). Default is 4000
-d - Delay between scans (ms). Default is 0
-f - Read IPs from file. Use "stdin" for stdin
-g - Bind to given local port
-h - Hide results for systems with no open ports
-i - For pinging use ICMP Timestamp Requests in addition to Echo Requests
-j - Don't output "-----..." separator between IPs
-l - Read TCP ports from file
-L - Read UDP ports from file
-m - Bind to given local interface IP
-n - No port scanning - only pinging (unless you use -p)
-o - Output file (overwrite)
-O - Output file (append)
-p - Do not ping hosts before scanning
-q - Timeout for pings (ms). Default is 2000
-r - Resolve IP addresses to hostnames
-s - Output in comma separated format (csv)
-t - TCP port(s) to scan (a comma separated list of ports/ranges)
-T - Use internal list of TCP ports
-u - UDP port(s) to scan (a comma separated list of ports/ranges)
-U - Use internal list of UDP ports
-v - Verbose mode
-z - Randomize IP and port scan order

Example: sl -bht 80,100-200,443 10.0.0.1-200

This example would scan TCP ports 80, 100, 101...200 and 443 on all IP addresses from 10.0.0.1 to 10.0.1.200 inclusive, grabbing banners from those ports and hiding hosts that had no open ports.

Detailed option descriptions
-?
Shows the usage of the program as in the above text.

-b
Attempts to read the responses from the scanned ports and displays the results. If any part of the read text contains non printable characters these will be replaced with spaces and multiple spaces reduced to single spaces. A maximum of 2 lines are displayed.

-c
This is the connection timeout value for TCP ports and also the timeout value to wait for responses from UDP ports. For TCP scans, if no connection to the current port has been made to the remote host after this amount of time then it is assumed that there is no open port. For UDP scans, if no data response has been received from the remote host in the given time period or, with the case of the "extended" UDP scanning modes no ICMP port unreachable messages have been received after this time has elapsed it is assumed that the port is active.

-d
Specifies a delay (in milliseconds) between each port scanned. This applies to all sections of the scan - ICMP, TCP and UDP. Use this option to perform a "drip" scan so as to help avoid detection by an IDS or if you have a slow network connection such as with a modem.

-f
Reads IP addresses from the given file. You can successfully use the output file from a previous ScanLine session as input for this switch. However, any text file that contains valid IP addresses or address ranges can be used. Duplicates are removed before scanning.

-g
Binds the local IP endpoint to a given port number. This is used for "source port" scanning and can sometimes successfully bypass firewall rules that allow packets through with low numbered source ports (53 and 88 for example).

-h
Hides output from systems that have no open ports. Without this option all discovered live hosts will be displayed regardless of whether they had any open ports that were scanned for. Use this option to trim excess unwanted output.

-i
When looking for "live" hosts, ScanLine will normally use a standard ICMP Echo Request packet. Providing this option will cause ScanLine to use an additional host discovery pass using ICMP Timestamp Requests instead of Echo Requests. Some systems will block Echo Requests but will respond to Timestamp Requests.

-j
The output from ScanLine is normally made clearer by separating the information obtained from each IP address with a line of dashes. Use this option if you don't want the line separators to appear in the output.

-l
Specifies a TCP port list text file to read ports from. Ports in the file are in lines in the same format as specified on the command line i.e. 79,80-88.

-L
Specifies a UDP port list text file to read ports from. Ports in the file are in lines in the same format as specified on the command line i.e. 137,80-88.

-m
Binds the local IP endpoint to a given IP interface. If your system has multiple network cards or interfaces you can tell ScanLine to use a preferred IP address to bind to. Note that you can only specify the IP address of an active interface on your own system - you can't "spoof" packets by using an arbitrary IP address here.

-n
Specifies that no port scanning will take place. If all you want to do is discover live systems (ones that respond to ICMP) use this option. You can also specify -p (no pinging) in conjunction with -n if for example you simply wanted to resolve a list of IP addresses into hostnames.

-o
Specifies a file that the output from the program is sent to. Note that output will also appear on the screen at the same time. If the file already exists it will be overwritten. If you want to append output to the file without overwriting it then use the "-O" option.

-O
Same as -o but appends the program output to the text file instead of overwriting it.

-p
Don't "ping" each host before scanning. ScanLine will make no attempt to discover live hosts for scanning if this is used - it will simply go ahead and port scan all hosts regardless if they exist on the network or not. You could use this option to scan for systems that had certain ports open but were blocking ICMP packets.

-q
Specifies the maximum time that the program waits for a response from a ping. If no ping reply is received after this amount of the time the remote host will be regarded as "dead" and won't be scanned.

-r
Resolve IP addresses to hostnames. An attempt will be made to resolve each live IP address into a hostname. Even though the scan process in ScanLine is single threaded, up to 8 threads will be used for resolving hostnames if this option is specified

-s
Output in csv format. CSV format is usually used when you want to import a file into a spreadsheet program for further analysis. The format of the line that ScanLine outputs when this option is used is <IP>,<hostname>,<ping response time>,<hops>, <responds with ICMP unreachable>,<open TCP ports>,<open UDP ports>. No port banners are included in this output and if -b is specified on the command line it will be ignored when used in conjunction with -s.

-t
TCP port numbers to scan. The port numbers can be single numbers separated by commas and/or port ranges separated by the "-" character. For example sl -t 60,70,80-100 10.1.2.3 would scan TCP ports 60, 70, and 80 through 100 inclusive. No spaces are allowed between any of the numbers or ranges.

-T
Use the built-in TCP port list. If you don't explicitly specify any ports to scan on the command line, ScanLine will go ahead and use its built in list of ports. If you DO specify ports and you want to also include ScanLine's internal list of TCP ports use -T. For example, if you wanted to scan for UDP port 137 together will all built-in TCP ports you'd specify sl 10.1.2.3 -u 137 -T

-u
UDP port numbers to scan. The port numbers can be single numbers separated by commas and/or port ranges separated by the "-" character. For example sl -u 60,70,80-100 10.1.2.3 would scan UDP ports 60, 70, and 80 through 100 inclusive. No spaces are allowed between any of the numbers or ranges. This UDP scanning option uses known data probes for many common UDP services and are designed to produce a response from the scanned system. This ensures total accuracy of the UDP scanning; for the remote system to respond with a UDP packet the port that was scanned must by definition be open.


Under normal circumstances sending a UDP packet to a closed port will cause an ICMP Destination Port Unreachable message to be sent back. I say "under normal circumstances" because often a system will be filtered in some way such that it never responds in this fashion. This would lead to lots of false positive open ports. So what ScanLine does with it's UDP scanning is to first send a UDP probe to a "known closed port" on the target to see if it actually responds with an ICMP message. For this purpose ScanLine uses UDP port 1. If we do get an ICMP response the program will then assume that all further ports scanned that do NOT generate an ICMP message are open.


***** Windows 95/98/ME systems do not register ICMP destination port
***** unreachable messages via Winsock due to subtle differences in the way
***** Winsock is implemented when compared to Windows 2000 and XP. Thus
***** you will never see any open UDP ports detected using this technique
***** on these operating systems.

-U
Use the built-in UDP port list. If you don't explicitly specify any ports to scan on the command line, ScanLine will go ahead and use its built in list of ports. If you DO specify ports and you want to also include ScanLine's internal list of UDP ports use -U. For example, if you wanted to scan for TCP port 80 together will all built-in UDP ports you'd specify sl 10.1.2.3 -t 80 -U

-v
Verbose mode. Additional information will be shown if you set the program to verbose mode.

-z
Use this to randomize the order that IP addresses and ports will be scanned in. Normally ScanLine will scan the provided IPs and ports in numerical order. By using the "-r" option the IPs and port numbers will be "shuffled" into a random ordering. This can help to some extent in avoiding detection by intrusion detection systems.

Default Port Lists
The internal port lists used in ScanLine are as follows:

UDP ports

7 9 11 53 67-69 111 123 135 137 138 161 191 192 256 260 407 445 500 514 520 1009 1024 1025 1027 1028 1030 1033 1034 1035 1037 1041 1058 1060 1091 1352 1434 1645 1646 1812 1813 1900 1978 2002 2049 2140 2161 2301 2365 2493 2631 2967 3179 3327 3456 4045 4156 4296 4469 4802 5631 5632 11487 31337 32768-32790 43981

TCP ports

7 9 11 13 15 19 21 22 23 25 43 49 53 66-68 70 79 80 81 88 89 98 109 110 111 113 118 119 135 139 143 150 156 179 256-259 264 389 396 427 443 445 457 465 512-515 524 540 563 587 593 636 691 799 900-901 1024-1031 1080 1100 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1529 1541 1542 1720 1723 1745 1755 1813 1944 2000 2001 2003 2049 2080 2140 2301 2447 2766 2779 2869 2998 3128 3268 3300 3306 3372 3389 4000 4001 4002 4045 4321 4444 4665 4899 5000 5222 5556 5631 5632 5678 5800 5801 5802 5900 5901 6000 6112 6346 6347 6588 6666-6667 7000 7001 7002 7070 7100 7777 7947 8000 8001 8010 8080-8081 8100 8383 8888 9090 10000 12345 20034 27374 30821 32768-32790

IP address and hostnames
Any item on the command line that is not associated with a "-" character is assumed to be an IP address or hostname. The addresses can be single numbers separated by commas and/or IP ranges separated by the "-" character. For example sl -t 80 10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20 would scan TCP port 80 on the machines 10.1.2.3, 10.1.2.4 and 10.1.2.5 through
10.1.2.20 inclusive. No spaces are allowed between any of the numbers or ranges.


To make life easier you can also specify ranges in a number of ways :- 10.1.2.2-254 would add all IPs from 10.1.2.2 to 10.1.2.254 inclusive.

10.1.2.2-3.254 would add all IPs from 10.1.2.2 to 10.1.3.254 inclusive.

Hostnames can be used in place of IP address, although obviously they do not make sense as part of an address range e.g. sl -p 2-200 www.microsoft.com

To best illustrate the use of ScanLine here are a series of examples.
Example #1:
Scan machine at 10.0.2.2 for all TCP ports from 1 to 200.

sl -t 1-200 10.0.2.2

Example #2:
Scan machines from 10.0.2.2 to 10.0.2.254 for all TCP ports in the range 1 to 65535 sending the output to the file "out.txt"

sl -t 1-65535 10.0.2.2-254 -o out.txt

Example #3:
Scan machines from 10.0.2.2 to 10.0.2.20 for TCP ports 80, 81, 88, 8000 and 8080 and UDP ports 31337 without pinging and append the output to the file "out.txt"

sl -pt 80,81,88,8000,8080 -u 31337 10.0.2.2-20 -O out.txt

Notice the use of the combined options "pt". This is perfectly legitimate.

Example #4:
Scan machines 10.0.2.2 to 10.0.2.254 for TCP ports 21 and 25 and show the banner responses. Include extra output information.

sl -vbt 21,25 10.0.2.2-254

Example #5:
Scan machines 10.0.2.1 to 10.0.2.254 for TCP ports 1 to 65535, showing the banner responses and with a delay of 5 seconds between each port scan. Include extra output information.

sl -vbt 1-65535 10.0.2.1-254 -d 5000

Example #6:
Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning, only pinging. Resolve the IPs into hostnames.

sl -nr 10.0.2.1-254

Example #7:
Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning or pinging. Resolve the IPs into hostnames.

sl -npr 10.0.2.1-254

Example #8:
Scan machines 10.0.2.1 to 10.0.2.254 for open UDP ports.

sl -U 10.0.2.1-254

Example #9:
Scan for systems that have open TCP ports 80 or 443, not caring if they respond to pings, then having found those perform a full port scan on only those systems.

sl -hpt 80,443 10.0.2.1-254 | sl -f "stdin"

Download this tool now