Wednesday, January 19, 2022

grIP v1.0

For my port and IP scanning needs I often used Angry IP Scanner. I've been using it in Windows XP since the early 00's and it's still good, even after its more recent Java rewrite.

While using it a few days ago, some of its features, and the lack of some others, gave me a nudge to write my own scanner. Go seemed like a good language for it, given its excellent concurrency support and its easy-to-use standard library.

I called it grIP and it has a few somewhat unique, I think, features.
  • Shuffled, not random, scanning. I wanted it to shuffle the whole list of IP-port combinations and scan them in parallel. Angry IP Scanner has random scanning (but not shuffled), which in theory is not good for scanning humongous IP ranges (being a GUI app) and which will also repeat some IPs. So, for example, scanning 254 random IPs on the 192.168.0.0/24 range will not scan all of the IPs, because some will be chosen more than once (picking 254 times uniformly at random from 254 addresses covers only about 63% of them on average). The main problem with a shuffled scan is that when scanning ranges like the whole IPv4-port range, which is 2^32 addresses times 65535 ports = 281470681743360 combinations, shuffling it properly is impossible. Even keeping a single bit per combination to remember whether it has been scanned would occupy about 32 TiB of RAM. So I chose to do a half-assed shuffle: I pick a random starting point in that range, I pick a somewhat random step size which is coprime with the size of the range, and then step through the range with that step size (modulo the range size) until I reach my starting point again. With the two numbers being coprime, this method is guaranteed to visit every combination exactly once before looping back to the starting point. On top of that, every 1 million combinations generated this way are buffered and truly shuffled to further improve the shuffle. So, not a perfectly shuffled scan, but it's shuffled and it uses very little RAM.
  • One thread per port, not one thread per IP. Angry IP Scanner uses one thread per IP, so if you are trying to scan 65535 ports on a 254-IP LAN it will at best run 254 threads, and it's still quite slow. grIP can use 3900 threads, at least on a Linux box. The one thread per IP that seems to be used by Angry IP Scanner doesn't seem to be an arbitrary limitation though, and it may even have its uses. If you scan a single IP with many threads, it may fail to respond to some of your port checks (the host, or a firewall in front of it, may rate-limit or drop connections when flooded with them) and you may see fewer open ports than it really has. So keep that in mind when scanning with grIP.
  • IPv6 support. Limited to single IPs but it's there. I tried to add support for IPv6 ranges, but it needs some datatypes to be reworked so I may do that in a future version if I need it or if someone requests it.
  • Scan partitioning, for cooperative scans. You can split the ports to be scanned and do only part of the scan while other computers or other people do the other parts.
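As an added illustration of the shuffled-scanning and scan-partitioning bullets above, here is a small Go program. It is not grIP's code. The Plan type, the index-to-target mapping, the way a k/n split is done (part k owns every n-th index and walks its own sub-range with its own random start and step, so cooperating machines need not share a seed) and the buffer size argument are assumptions made for this example; the post only says that grIP steps through the range with a coprime step, reshuffles buffers of one million, and supports a k/n split.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Plan is one scan: a contiguous IPv4 range plus an explicit port list.
// Every index in [0, Size()) names exactly one (address, port) pair, so the
// whole scan is a single integer range that can be walked in any order.
// (Assumed layout for this example, not grIP's.)
type Plan struct {
	Base  uint32   // first address as a 32-bit number, e.g. 0xC0A80001 = 192.168.0.1
	NumIP uint64   // number of addresses in the range
	Ports []uint16 // ports to probe on every address
}

func (p Plan) Size() uint64 { return p.NumIP * uint64(len(p.Ports)) }

// Target decodes an index into a dotted-quad address and a port.
func (p Plan) Target(i uint64) (string, uint16) {
	np := uint64(len(p.Ports))
	ip := p.Base + uint32(i/np)
	return fmt.Sprintf("%d.%d.%d.%d", ip>>24, (ip>>16)&255, (ip>>8)&255, ip&255), p.Ports[i%np]
}

func gcd(a, b uint64) uint64 {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// coprimeStep picks a random step s with gcd(s, n) == 1. Repeatedly adding
// such a step modulo n from any start visits every residue exactly once
// before returning to the start (s generates the whole cyclic group Z/nZ),
// which is what lets the scan cover the range without a visited bitmap.
// Assumes n < 2^63 so that cur+step cannot overflow a uint64.
func coprimeStep(n uint64, rng *rand.Rand) uint64 {
	if n == 1 {
		return 1
	}
	for {
		s := 1 + rng.Uint64()%(n-1) // candidate in [1, n-1]
		if gcd(s, n) == 1 {
			return s
		}
	}
}

// Order returns the indices that partition `part` of `parts` (1-based, like
// the post's "1/3") should probe, in semi-shuffled order. The split rule is
// an assumption for this example: part k owns every index i with
// i%parts == k-1, and walks that sub-range with its own random start and
// coprime step. Within the walk, every `buf` indices are buffered and
// Fisher-Yates shuffled, as the post describes (grIP uses one million).
func Order(p Plan, part, parts, buf int, seed int64) []uint64 {
	n, off, P := p.Size(), uint64(part-1), uint64(parts)
	if part < 1 || parts < 1 || part > parts || off >= n {
		return nil
	}
	if buf < 1 {
		buf = 1
	}
	m := (n - off + P - 1) / P // count of indices i in [0,n) with i%P == off
	rng := rand.New(rand.NewSource(seed))
	start, step := rng.Uint64()%m, coprimeStep(m, rng)

	var out []uint64
	chunk := make([]uint64, 0, buf)
	flush := func() {
		rng.Shuffle(len(chunk), func(i, j int) { chunk[i], chunk[j] = chunk[j], chunk[i] })
		out = append(out, chunk...)
		chunk = chunk[:0]
	}
	cur := start
	for k := uint64(0); k < m; k++ {
		chunk = append(chunk, cur*P+off) // sub-index -> index in the full plan
		if len(chunk) == buf {
			flush()
		}
		cur = (cur + step) % m
	}
	flush()
	return out
}

func main() {
	// 192.168.0.1-192.168.0.254, ports 22, 80 and 443, part 1 of 3.
	p := Plan{Base: 0xC0A80001, NumIP: 254, Ports: []uint16{22, 80, 443}}
	for _, i := range Order(p, 1, 3, 1000, 42)[:8] {
		host, port := p.Target(i)
		fmt.Printf("%s:%d\n", host, port)
	}
}
```

Run it with `go run` and it prints the first eight targets of part 1/3. Because gcd(step, m) == 1, each walk is a permutation of its sub-range, so the three parts together probe every (address, port) pair exactly once whatever seeds the machines use; the buffered reshuffle only breaks up the regular stride that the bare walk would otherwise show.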
It's a console app that runs on Windows, Linux, Mac and the Raspberry Pi (well, any ARM Linux really). Like Aperito, it uses a non-standard style of command line arguments where the order matters and "-h" style arguments don't exist.

Some example commands:
  • grip 192.168.0.1-192.168.0.254
    Scans all ports in your LAN (if that's your range).
  • grip 80,20-25 192.168.0.1-192.168.0.254
    Same range but only port 80 and ports 20 to 25.
  • grip 80,20-25 192.168.0.1/24
    Same but CIDR notation.
  • grip 22,80 192.168.0.15 2a00:1450:4014:80e::200e
    Port 22 and 80 on one IPv4 and one IPv6.
  • grip host=www.example.com
    All ports on www.example.com.
  • grip 80-85 192.168.0.17 90-95 192.168.0.21-192.168.0.31
    Ports 80 to 85 on one IP and ports 90 to 95 on a range of IPs.
  • grip sockets=2 192.168.0.1/24 timeout=100
    All ports in your LAN but using only 2 instead of the default 100 sockets in parallel and with a 100ms timeout instead of the default 2000ms. The sockets and timeout parameters can go anywhere in the arguments.
  • grip 0.0.0.0/0 1/3 sockets=3900
    grip 0.0.0.0/0 2/3 sockets=3900
    grip 0.0.0.0/0 3/3 sockets=3900
    Three commands, to be run on three separate computers, that cooperatively scan the whole IPv4 internet for any open ports using 3900 sockets each in parallel. It will still never finish but it's 3 times faster than doing it alone. :-)
  • grip 150.150.100.0/24 rdns
    Scans a range and also shows the reverse DNS of any finds. Again, the "rdns" can go anywhere in the arguments.
  • grip 192.168.0.0/24 file=mylan.txt
    Scans your LAN and appends the open ports found to mylan.txt.
There are also a couple of verbosity related commands and you can find more info by simply running the program in a console so that it prints a help page.
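To make the sockets=N and timeout=ms semantics concrete, and the one-connection-per-goroutine design from the feature list, here is an added Go example of a bounded-concurrency TCP connect probe. It is not grIP's code; the Probe type, the semaphore pattern and the loopback helper are assumptions made for the example, which scans a listener it opens on 127.0.0.1 so it runs offline.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// Probe is one (host, port) pair to test with a plain TCP connect.
type Probe struct {
	Host string
	Port uint16
}

// ScanParallel gives every probe its own goroutine, so the limit is per
// connection rather than per address, but never has more than `sockets`
// connects in flight (the post's sockets=N) and gives each one `timeout`
// (timeout=ms). It returns the probes that completed the TCP handshake, in
// completion order. Refused, dropped and timed-out connects all come back
// the same way: not open. (Example design, not grIP's internals.)
func ScanParallel(probes []Probe, sockets int, timeout time.Duration) []Probe {
	if sockets < 1 {
		sockets = 1
	}
	sem := make(chan struct{}, sockets) // counting semaphore
	var wg sync.WaitGroup
	var mu sync.Mutex
	var open []Probe
	for _, p := range probes {
		wg.Add(1)
		go func(p Probe) {
			defer wg.Done()
			sem <- struct{}{} // wait for a free slot
			defer func() { <-sem }()
			addr := net.JoinHostPort(p.Host, fmt.Sprint(p.Port))
			c, err := net.DialTimeout("tcp", addr, timeout)
			if err != nil {
				return
			}
			c.Close()
			mu.Lock()
			open = append(open, p)
			mu.Unlock()
		}(p)
	}
	wg.Wait()
	return open
}

// loopbackListener opens a listener on a free 127.0.0.1 port so the scanner
// can be exercised offline; the caller closes it.
func loopbackListener() (net.Listener, uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, 0, err
	}
	return ln, uint16(ln.Addr().(*net.TCPAddr).Port), nil
}

func main() {
	ln, openPort, err := loopbackListener()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// A port that was just released is closed, so connects to it are refused.
	tmp, closedPort, err := loopbackListener()
	if err != nil {
		panic(err)
	}
	tmp.Close()
	probes := []Probe{{"127.0.0.1", closedPort}, {"127.0.0.1", openPort}}
	for _, p := range ScanParallel(probes, 2, 500*time.Millisecond) {
		fmt.Printf("%s:%d open\n", p.Host, p.Port)
	}
}
```

The semaphore is what a sockets=2 run looks like: a third connect only starts when one of the first two has completed or timed out, which is also why a short timeout matters more than the socket count when most targets silently drop packets.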

The latest version can be downloaded from here, and the signature from here.

Update: v1.0.1 Fixes a bug in Windows and some tiny details in the help page.
