------------------------------------------------------------------------------
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com
------------------------------------------------------------------------------

FScan is a command-line port scanner. It will scan for both TCP and UDP ports.

This is the usage line as reported by typing "FScan", "FScan -h" or "FScan -?"


FScan [-abefhqnv?] [-cditz <n>] [-flo <file>] [-pu <n>[,<n>-<n>]] IP[,IP-IP]

 -?/-h - shows this help text
 -a    - append to output file (used in conjunction with -o option)
 -b    - get port banners
 -c    - timeout for connection attempts (ms)
 -d    - delay between scans (ms)
 -e    - resolve IP addresses to hostnames
 -f    - read IPs from file (compatible with output from -o)
 -i    - bind to given local port
 -l    - port list file - enclose name in quotes if it contains spaces
 -n    - no port scanning - only pinging (unless you use -q)
 -o    - output file - enclose name in quotes if it contains spaces
 -p    - TCP port(s) to scan (a comma separated list of ports/ranges)
 -q    - quiet mode, do not ping host before scan
 -r    - randomize port order
 -t    - timeout for pings (ms)
 -u    - UDP port(s) to scan (a comma separated list of ports/ranges)
 -v    - verbose mode
 -z    - maximum simultaneous threads to use for scanning



Detailed option descriptions
----------------------------

-?/-h
Shows the usage of the program as in the above text.

-a
Appends the program output to the text file given in the "-o" option.

-b
Attempts to read the responses from the scanned ports and displays the
results. If any part of the read text contains non-printable characters these
will be shown using their hexadecimal values enclosed in square brackets e.g.
[0D][0A]. A maximum of 256 bytes is read.
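As an added illustration of the banner format described above (example code, not FScan's own), the following Python renders raw bytes the way the text describes, printable characters as they are and every other byte as a two-digit hex value in square brackets, stopping at 256 bytes, and also parses such a line back into bytes so a recorded banner can be examined later. It assumes "printable" means the ASCII range 0x20 to 0x7E, which the page does not define.

```python
# Added example, not FScan's own code: render and parse banners in the
# "[0D][0A]" style described for the -b option.
import re

BANNER_LIMIT = 256  # "A maximum of 256 bytes is read"


def render_banner(data: bytes, limit: int = BANNER_LIMIT) -> str:
    """Format raw bytes as text, escaping non-printable bytes as [XX].

    Assumption: printable means ASCII 0x20..0x7E (space through tilde).
    """
    out = []
    for b in data[:limit]:
        if 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("[%02X]" % b)
    return "".join(out)


_ESCAPE = re.compile(r"\[([0-9A-Fa-f]{2})\]")


def parse_banner(text: str) -> bytes:
    """Inverse of render_banner: turn [0D][0A] escapes back into bytes.

    A literal "[XX]" sent by the service itself is indistinguishable from an
    escape in this format, so the result is best-effort for such banners.
    """
    result = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        result += text[pos:m.start()].encode("ascii")
        result.append(int(m.group(1), 16))
        pos = m.end()
    result += text[pos:].encode("ascii")
    return bytes(result)


if __name__ == "__main__":
    # Constructed sample: an SMTP-style greeting with CRLF and a stray NUL.
    sample = b"220 mail.example.test ESMTP\r\n\x00"
    print(render_banner(sample))  # 220 mail.example.test ESMTP[0D][0A][00]
    assert parse_banner(render_banner(sample)) == sample
```

The round trip matters when banners collected with "-o" are reviewed afterwards: the escaped form is safe to print and grep, and parse_banner recovers the original bytes when an exact comparison against a known service response is needed.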

-c
This is the connection timeout value for TCP ports and also the timeout value
to wait for responses from UDP ports. For TCP scans, if no connection to the
current port has been made to the remote host after this amount of time then
it is assumed that there is no open port. For UDP scans, if no "ICMP
destination port unreachable" message has been received from the remote host
after this time has elapsed it is assumed that the port is active. The default
value for this setting is 600 ms.

This number also represents the time to wait for data to be received when
reading responses from the remote host.

-d
Specifies a delay (in milliseconds) between each port scanned. Use this option
to perform a "drip" scan so as to help avoid detection by an IDS.

-e
Resolve IP addresses to hostnames. An attempt will be made to resolve the
current IP address into a hostname and the name will be displayed next
to the IP address in the output. This option is most useful when performing
a ping scan of a range of IPs. It is NOT recommended for port scans since
the hostname will be resolved for every port on each IP scanned.

-f
Reads IP addresses from the given file. You can successfully use the output
file from a previous FScan session (if you used the "-o" option) as input for
this switch. However, any text file that contains valid IP addresses or
address ranges can be used. Essentially it treats each line of the supplied
file in the same manner as it would be treated on the command line.

-i
Binds the TCP ports used for scanning to the given local port number.

-l
Specifies a port list text file to read ports from. Ports in the file are in
lines in the same format as specified on the command line i.e. 79,80-88. If
you need to use UDP ports then place a "-u" before the ports on the line e.g.
"-u130-140".

-n
Specifies that no port scanning will take place. If you do not specify the -q
(quiet mode) option then using -n will ping each host. If you do use the -q
option then no pinging will be done. This is useful if you simply want to
create a list of active hosts in a given IP range. Use the -e option if you
want to resolve the active hosts into hostnames.

-o
Specifies a file that the output from the program is sent to. Note that output
will also appear on the screen at the same time. If the file already exists
it will be overwritten. If you want to append output to the file without
overwriting it then use the "-a" option.

-p
TCP port numbers to scan. The port numbers can be single numbers separated by
commas and/or port ranges separated by the "-" character. For example

  FScan -p 60,70,80-100 10.1.2.3
 
would scan TCP ports 60, 70, and 80 through 100 inclusive. No spaces are
allowed between any of the numbers or ranges.

-q
Tells FScan to not attempt to ping the host before scanning. By default FScan
will ping each IP to be scanned before trying to port scan it. If no ping
response is received the IP address will be skipped. Using "-q" forces the
program to scan the IP address without even attempting to ping it.

-r
Use this to randomize the order that the ports will be scanned in. Normally
FScan will scan the provided ports in the order that they are given on the
command line. By using the "-r" option the port numbers will be "shuffled"
into a random ordering, guaranteeing that no two port numbers are in
ascending numerical sequence. This can help to some extent in avoiding
detection by intrusion detection systems.
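The -d and -r descriptions both mention avoiding IDS detection. From the defender's side, a rule that keys on connection rate or on ascending port order is exactly what those options defeat; tracking the distinct destination ports each source touches over a long sliding window is not, because a slow or shuffled scan still accumulates distinct ports. The following Python is an added example (not part of FScan or the page) of that check run over constructed log lines; the log format, the one-hour window and the six-port threshold are assumptions to be tuned for a given environment.

```python
# Added example, not FScan's or Foundstone's code: sliding-window detection
# of slow ("drip") or randomized port scans from connection logs.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (assumed format, not real firewall output):
#   <ISO timestamp> <src> -> <dst>:<dport> <action>
# 10.0.9.7 probes one port every 20 s in no particular order (as "-d 20000"
# with "-r" would); 10.0.3.4 is an ordinary client reusing two ports.
SAMPLE_LOG = """\
2000-06-01T10:00:00 10.0.9.7 -> 10.0.2.5:80 DENY
2000-06-01T10:00:05 10.0.3.4 -> 10.0.2.5:80 ALLOW
2000-06-01T10:00:20 10.0.9.7 -> 10.0.2.5:8080 DENY
2000-06-01T10:00:35 10.0.3.4 -> 10.0.2.5:80 ALLOW
2000-06-01T10:00:40 10.0.9.7 -> 10.0.2.5:21 DENY
2000-06-01T10:01:00 10.0.9.7 -> 10.0.2.5:445 DENY
2000-06-01T10:01:05 10.0.3.4 -> 10.0.2.5:443 ALLOW
2000-06-01T10:01:20 10.0.9.7 -> 10.0.2.5:25 DENY
2000-06-01T10:01:40 10.0.9.7 -> 10.0.2.5:139 DENY
2000-06-01T10:02:00 10.0.9.7 -> 10.0.2.5:88 DENY
2000-06-01T10:02:20 10.0.9.7 -> 10.0.2.5:81 DENY
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst_host, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), action


def detect_slow_scans(log_text: str, window_s: int = 3600, threshold: int = 6):
    """Return {src: time of first alert} for every source that contacted at
    least `threshold` distinct (host, port) targets within `window_s` seconds.

    Distinct targets, not connection count, is the statistic: a 20-second
    delay between probes and a shuffled port order do not reduce it.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (timestamp, (host, port))
    alerts = {}
    for ts, src, host, port, _action in events:
        q = recent[src]
        q.append((ts, (host, port)))
        while (ts - q[0][0]).total_seconds() > window_s:  # drop old entries
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_slow_scans(SAMPLE_LOG).items():
        print("possible port scan from %s, first flagged at %s" % (src, when))
```

With the one-hour window the scanning source is flagged on its sixth distinct port; with a 30-second window, the kind a rate-based rule effectively uses, the same log produces no alert at all, which is the gap a drip scan relies on.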

-t
Specifies the maximum time that the program waits for a response from a ping.
If no ping reply is received after this amount of time the remote host
will be regarded as "dead" and won't be scanned. The default value for this
setting is 500 ms.

-u
UDP port numbers to scan. The port numbers can be single numbers separated by
commas and/or port ranges separated by the "-" character. For example

  FScan -u 68,69,130-140 10.1.2.3
 
would scan UDP ports 68, 69 and 130 through 140 inclusive. No spaces are
allowed between any of the numbers or ranges.
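The -p, -u and -l options all share the port syntax described above: single ports and/or inclusive ranges, comma separated, with no spaces, and in a -l file a leading "-u" marks a line as UDP ports. The following Python is an added example (not FScan's own code) of a parser for that syntax with the checks a tool should make before it starts scanning; blank lines in the list file being skipped, and a space being tolerated after "-u", are assumptions the page does not state.

```python
# Added example, not FScan's own code: parse the "60,70,80-100" port syntax
# used by -p and -u, and the -l port list file format built on it.


def _port(text: str) -> int:
    """Validate one port number (1-65535)."""
    if not text.isdigit():
        raise ValueError("bad port number %r" % text)
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError("port %d out of range 1-65535" % n)
    return n


def parse_port_spec(spec: str) -> list:
    """Expand '60,70,80-100' into [60, 70, 80, 81, ..., 100].

    Rejects whitespace, empty items, out-of-range ports and reversed ranges.
    Order is preserved because FScan scans ports in the order given unless
    -r is used; duplicates are therefore kept rather than silently merged.
    """
    if any(c.isspace() for c in spec):
        raise ValueError("no spaces are allowed in a port specification")
    ports = []
    for item in spec.split(","):
        if not item:
            raise ValueError("empty item in port specification %r" % spec)
        lo, sep, hi = item.partition("-")
        start = _port(lo)
        end = _port(hi) if sep else start
        if end < start:
            raise ValueError("reversed range %r" % item)
        ports.extend(range(start, end + 1))
    return ports


def parse_port_list_file(text: str):
    """Read -l style content: one spec per line, a leading '-u' means UDP.

    Returns (tcp_ports, udp_ports). Assumptions: blank lines are ignored and
    a space after '-u' is tolerated; the page shows only '-u130-140'.
    """
    tcp, udp = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("-u"):
            udp.extend(parse_port_spec(line[2:].strip()))
        else:
            tcp.extend(parse_port_spec(line))
    return tcp, udp


if __name__ == "__main__":
    # The port lists from Example #3 and the -l description.
    print(parse_port_spec("80,81,88,8000,8080"))
    print(parse_port_list_file("79,80-88\n-u130-140\n"))
```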

Due to the nature of detecting open UDP ports, UDP scanning can be prone to
inaccuracies and is also much slower than TCP port scanning. You should play
around with the "-c" connection timeout value until you receive satisfactory
results.


-v
Verbose mode. Additional information will be shown if you set the program to
verbose mode.

-z
FScan is a multi-threaded program. Each ping/scan/read combination is run in a
separate thread to maximize efficiency. Some systems are capable of running
many simultaneous threads with no problems. However, some OS's such as Windows
95/98 experience stability problems if you push the number of threads too
high. Default values for this option are 64 threads for NT systems and 20 for
Win 9x. It is not recommended you use much more than the default setting for
Win 9x but NT may benefit from a higher number. The maximum number you can use
is 256.



IP address and hostnames
------------------------

Any item on the command line that is not associated with a "-" character is
assumed to be an IP address or hostname. The addresses can be single numbers
separated by commas and/or IP ranges separated by the "-" character. For
example

FScan -p 80 10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20
 
would scan TCP port 80 on the machines 10.1.2.3, 10.1.2.4 and 10.1.2.5 through
10.1.2.20 inclusive. No spaces are allowed between any of the numbers or
ranges.

To make life easier you can also specify ranges in a number of ways:

10.1.2.2-254
would add all IPs from 10.1.2.2 to 10.1.2.254 inclusive.

10.1.2.2-3.254
would add all IPs from 10.1.2.2 to 10.1.3.254 inclusive.

Hostnames can be used in place of IP addresses, although obviously they do not
make sense as part of an address range e.g.

FScan -p 2-200 www.microsoft.com

All IP addresses that end in .0 or .255 will be ignored by FScan.
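The target syntax described in this section, as an added Python example (not FScan's own code): items are comma separated, and each is an address, a hostname, or a range "A-B" where B is a full address or only the trailing octets that change, with addresses ending in .0 or .255 dropped. It also reads a -f style file by treating each line like the command line. Assumptions: hostnames are returned unresolved (DNS is out of scope for an offline example; FScan resolves them itself), and the file reader expects plain target lines rather than picking addresses out of a complete -o output file.

```python
# Added example, not FScan's own code: expand the IP/hostname target syntax
# (10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20, 10.1.2.2-254, 10.1.2.2-3.254).
import ipaddress


def _is_ipv4(text: str) -> bool:
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def _range_end(start: str, end: str) -> str:
    """Complete a shorthand range end from the start address.

    '10.1.2.2' + '254'   -> '10.1.2.254'
    '10.1.2.2' + '3.254' -> '10.1.3.254'
    '10.1.2.5' + '10.1.2.20' -> '10.1.2.20'
    """
    tail = end.split(".")
    if len(tail) > 4 or not all(p.isdigit() and int(p) <= 255 for p in tail):
        raise ValueError("bad range end %r" % end)
    head = start.split(".")[: 4 - len(tail)]
    return ".".join(head + tail)


def expand_targets(spec: str):
    """Return (ip_list, hostname_list) for one command-line target string."""
    if any(c.isspace() for c in spec):
        raise ValueError("no spaces are allowed in the target list")
    ips, hosts = [], []
    for item in spec.split(","):
        if not item:
            raise ValueError("empty target item in %r" % spec)
        start, sep, end = item.partition("-")
        if not _is_ipv4(start):
            hosts.append(item)  # a hostname (which may itself contain '-')
            continue
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(_range_end(start, end)) if sep else first
        if last < first:
            raise ValueError("reversed range %r" % item)
        for n in range(int(first), int(last) + 1):
            if n & 0xFF in (0, 255):  # FScan ignores addresses ending .0/.255
                continue
            ips.append(str(ipaddress.IPv4Address(n)))
    return ips, hosts


def read_target_file(text: str):
    """-f: each non-blank line is treated like the command-line target list
    (assumption: plain target lines, not a full -o output file)."""
    ips, hosts = [], []
    for line in text.splitlines():
        line = line.strip()
        if line:
            i, h = expand_targets(line)
            ips.extend(i)
            hosts.extend(h)
    return ips, hosts


if __name__ == "__main__":
    ips, hosts = expand_targets("10.1.2.3,10.1.2.4,10.1.2.5-10.1.2.20")
    print(len(ips), "addresses:", ips[0], "...", ips[-1])
    print(expand_targets("www.microsoft.com"))
```

A target list is the one place where a typo is expensive: "10.1.2.2-3.254" is 507 hosts, not 253, so printing the expanded count before a large scan is a cheap safeguard against scanning more than was intended.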


------------------------------------------------------------------------------


To best illustrate the use of FScan here is a series of examples.


Example #1:
Scan machine at 10.0.2.2 for all TCP ports from 1 to 200.

FScan -p 1-200 10.0.2.2

-------------------

Example #2:
Scan machines from 10.0.2.2 to 10.0.2.254 for all TCP ports in the range 1 to
65535 sending the output to the file "out.txt"

FScan -p 1-65535 10.0.2.2-254 -o out.txt

-------------------

Example #3:
Scan machines from 10.0.2.2 to 10.0.2.20 for TCP ports 80, 81, 88, 8000 and
8080 and UDP port 31337 without pinging and append the output to the file
"out.txt"

FScan -aqp 80,81,88,8000,8080 -u 31337 10.0.2.2-20 -o out.txt

Notice the use of the combined options "aq" before the "p". This is perfectly
legitimate.

-------------------

Example #4:
Scan machines 10.0.2.2 to 10.0.2.254 for TCP ports 21 and 25 and show the
banner responses. Include extra output information.

FScan -vbp 21,25 10.0.2.2-254

-------------------

Example #5:
Scan machines 10.0.2.1 to 10.0.2.254 for TCP ports 1 to 65535, showing the
banner responses and with a delay of 20 seconds between each port scan.
Include extra output information.

FScan -vbp 1-65535 10.0.2.1-254 -d 20000

-------------------

Example #6:
Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning, only pinging.
Resolve the IPs into hostnames.

FScan -ne 10.0.2.1-254

-------------------

Example #7:
Scan machines 10.0.2.1 to 10.0.2.254 with no port scanning or pinging.
Resolve the IPs into hostnames.

FScan -qne 10.0.2.1-254


==============================================================================


FOUNDSTONE, INC.

Terms of Use

1. Acceptance of Terms

1.1.
Read these Foundstone, Inc. ("Foundstone") Terms of Use ("Terms") carefully
before you ("You") accept these Terms by: (a) selecting the "Accept" button at
the end of the Terms, or (b) downloading any of the Foundstone tools ("Tools")
located on this web site.  If You do not agree to all of these Terms, select
the "Decline" button at the end of the Terms, or do not download any of the
Tools.

1.2.
The Terms are entered into by and between Foundstone and You.  Foundstone
provides the Tools to You strictly subject to the Terms.

2. Permitted Use

2.1.
The Tools are freeware that You may download for Your personal,
non-commercial use only.

2.2.
You may not modify, reverse engineer, make derivative works of, distribute,
transmit or sell any of the Tools without the express written consent of
Foundstone. 

2.3.
The Tools may not be used by You or any other party for any purpose that
violates any local, state, federal or foreign law.  You understand that
breaking into any network or computer system not owned by You may be illegal.

3. No Express or Implied Warranty

3.1.
THE TOOLS ARE PROVIDED TO YOU "AS IS."  FOUNDSTONE MAKES NO WARRANTIES OR
REPRESENTATIONS, EXPRESS OR IMPLIED, ABOUT THE EFFECTIVENESS, COMPLETENESS OR
FITNESS OF THE TOOLS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

4. Limitation of Liability

4.1.
YOU AGREE THAT FOUNDSTONE WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING OUT OF YOUR USE OF, OR
INABILITY TO USE, THE TOOLS, INCLUDING WITHOUT LIMITATION ANY DAMAGE TO, OR
VIRUSES OR "TROJAN HORSES" THAT MAY INFECT OR INVADE, YOUR COMPUTER EQUIPMENT
OR OTHER PROPERTY, EVEN IF FOUNDSTONE IS EXPRESSLY ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

4.2.
YOU AGREE TO HOLD FOUNDSTONE HARMLESS FROM, AND YOU COVENANT NOT TO SUE
FOUNDSTONE FOR, ANY CLAIMS BASED ON YOUR USE OF, OR YOUR INABILITY TO USE, THE
TOOLS.

5. Indemnification

5.1.
You agree to indemnify and hold Foundstone and its subsidiaries, affiliates,
officers, agents, and employees harmless from any claim or demand, including
attorney's fees, made by any third party due to or arising out of Your use of
the Tools, breach of the Terms, or violation of the rights of another.

6. Intellectual Property Rights

6.1.
The Tools and all names, marks, brands, logos, designs, trade dress and other
designations Foundstone uses in connection with the Tools are proprietary to
Foundstone and are protected by applicable intellectual property laws,
including, but not limited to copyrights and trademarks.  Accordingly, You may
not modify, reverse engineer, make derivative works of, distribute, transmit
or sell any of the Tools, nor may You remove or alter any of Foundstone's
trademarks from the Tools or co-brand any of the Tools, without the express
written consent of Foundstone.

7. Miscellaneous

7.1.
California law and controlling United States federal law govern any action
related to the Terms.  No choice of law rules of any jurisdiction apply.  You
and Foundstone agree to submit to the personal and exclusive jurisdiction of
the California state court located in Santa Ana, California and the United
States District Court for the Central District of California.

7.2.
The Terms constitute the entire agreement between You and Foundstone and
govern Your use of the Tools, superseding any prior agreements between You and
Foundstone (including, but not limited to, prior versions of the Terms).

7.3.
Foundstone controls and operates this website from various locations in the
United States of America and makes no representation that these Tools are
appropriate or available for use in other locations.  If you use this website
from locations outside the United States of America, You are responsible for
compliance with applicable local laws, including, but not limited to, the
export and import regulations of other countries.

7.4.
These Terms and this website could include inaccuracies or typographical
errors.  Foundstone may make improvements and/or changes to the Terms or the
website at any time without notice.

7.5.
The failure of Foundstone to enforce or exercise any right or provision of the
Terms does not constitute a waiver of such right or provision.

7.6.
In the event any provision of this Agreement is held to be unenforceable in
any respect, such unenforceability shall not affect any other provision of
this Agreement, provided that the expected economic benefits of this Agreement
are not denied to either party.
