Nmap Development mailing list archives

Review: Angry IP Scanner


From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Fri, 6 Jun 2008 02:27:45 +0530

Hey everyone,

Fyodor wanted me to do a bit of a review of the Angry IP Scanner[1]:

It's a GUI-based Java program that, in its newest generation, is
cross-platform (should work on at least Windows, Linux and OS X).
I've tested it on Windows and Linux.

It didn't need any installing on Windows; it's just a single binary (950k).

On Linux I used their .deb package.

The IP Scanner does ping sweeps and some port scanning.  TCP and UDP
aren't raw because the author wants to make clear that it's not a
so-called "hacktool".

A big design difference between Nmap and the IP Scanner is that the IP
Scanner is multi-threaded instead of doing I/O multiplexing with
select().  You can choose a maximum number of threads for it to run at
a time (it uses one for *every* host).

For host specification it can take a range (you give start and end
addresses), or you can specify a netmask in address form (e.g.
255.255.255.0) or CIDR notation (e.g. /24) and it will set the end
address based on the start and netmask.  It can also read from a file,
or produce random addresses.  What's cool about their random address
generator is that you give it a maximum number of addresses to
produce, a base IP, and a netmask to narrow down the scope (give it
0.0.0.0 to behave like Nmap).  It doesn't avoid reserved IPs like Nmap
does, however.

It doesn't seem to support IPv6, but it doesn't stop a scan from going
with an IPv6 address.

It can do TCP, UDP or ICMP pings, except of course on XP SP2 the ICMP
ping won't work due to broken raw sockets.

When doing a raw ICMP ping, instead of waiting for a timeout and
retransmitting packets, it seems to send out a set (though
configurable) number of probes at the same time.

For port scanning, it can take a range of ports much like Nmap (e.g.
1-3,5,7,10-15,6000-6010).

The TCP ping and port scanning seem to be broken on Linux.  When I
use a TCP ping probe, it reports every host as up.  When I use a
working ping probe (e.g. ICMP), and do a TCP port scan, it reports
virtually every host as having at least one open port (and hence
changes the host's state).

Since TCP has to be through connect() and it has to create a new
thread for every host, scans can be slow.  Doing the same scan with
the IP Scanner and Nmap with the default timing options as an
unprivileged user (hence doing connect()), Nmap is usually *at least*
twice as fast as the IP Scanner.  The IP Scanner hasn't been able to
beat Nmap in accuracy or speed in any tests I've tried.

After a scan is finished, you can use what's called an "opener" to
start a session with a selected IP.  You can set up different command
strings and it will open up things like an FTP, Telnet, or HTTP
session.

If the TCP ping and port scanning didn't seem to be broken on Linux,
and if raw sockets weren't broken on the Windows I have available,
this could be a pretty nice little scanner.  It doesn't need
installing on Windows and it has a cross-platform GUI.  But it doesn't
seem to offer much that Nmap doesn't already have in some way or
another.

One thing I do like about it is the ability to narrow down the random
IP generation to a given base IP and netmask.  This may not be easy to
implement in Nmap (since a user may or may not want a reserved IP, and
the random IP generation code would have to be changed to allow for
this), and probably not worth it.  For example, if you wanted random
IPs in the range of 192.*.*.*, should 192.168 be chosen or not?  It's
still pretty cool, though.

Thanks,
Kris Katterjohn

[1] http://www.angryziber.com/w/Home

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
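Added example, not part of Kris's mail or of either scanner's code: a Python sketch of the two address-handling features the review describes, deriving the end address from a start address plus a netmask in either form, and generating random targets narrowed to a base IP and netmask, with an optional reserved-range filter to illustrate the "192.168 or not" question. The RESERVED list is a constructed assumption, not Nmap's actual list of skipped ranges.

```python
import ipaddress
import random

# Constructed example list of reserved/private blocks. Nmap's real list of
# skipped ranges is not given in the mail, so this is an assumption.
RESERVED = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def parse_netmask(mask):
    """Accept a mask in address form ("255.255.255.0") or CIDR form ("/24")
    and return the prefix length."""
    if mask.startswith("/"):
        return int(mask[1:])
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def end_address(start, mask):
    """Derive the last address of the range from a start address and a
    netmask, the way the scanner fills in its end address."""
    net = ipaddress.IPv4Network((start, parse_netmask(mask)), strict=False)
    return str(net.broadcast_address)

def is_reserved(addr):
    a = ipaddress.IPv4Address(addr)
    return any(a in n for n in RESERVED)

def random_targets(count, base, mask, skip_reserved=False, seed=None):
    """Pick up to `count` random addresses inside base/mask. Mask 0.0.0.0 (or
    /0) gives the whole IPv4 space. With skip_reserved=True, addresses in the
    RESERVED blocks are rejected, so asking for 192.0.0.0/8 never yields
    192.168.x.x; the loop gives up after count*100 misses rather than spin
    forever on a block that is entirely reserved."""
    net = ipaddress.IPv4Network((base, parse_netmask(mask)), strict=False)
    rng = random.Random(seed)
    first, size = int(net.network_address), net.num_addresses
    picked, misses = [], 0
    while len(picked) < count and misses < count * 100:
        a = ipaddress.IPv4Address(first + rng.randrange(size))
        if skip_reserved and is_reserved(a):
            misses += 1
            continue
        picked.append(str(a))
    return picked

if __name__ == "__main__":
    print(end_address("192.168.1.17", "255.255.255.0"))
    print(random_targets(5, "192.0.0.0", "/8", skip_reserved=True, seed=1))
```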