NScan.org: the legend is still here ;)

NScan itself is a port scanner that uses the connect() method to find the list of a host's open ports. What sets it apart from most other port scanners is its flexibility and speed. The maximum speed seen by beta-testers was over 500 ports per second, and that wasn't the limit. Maximum speed depends on network bandwidth and PC speed. On this screen shot you can see the real speed of 19.75 ports per second while scanning 145 ports on a remote host on dial-up.

The engine supports numerous settings, operation modes and customizations, including localization.
You have different ways to specify hosts - single, range or different kinds of lists, even some raw unformatted data. A host may be an IP, a "crippled" IP or a hostname.
Ports may be specified in different ways too - single ports, ranges, lists, ports known to the system or to the scanner, and their combinations.
You can tune your output - whether to write logs or not, and which detail level to use for logs or the output screen. You can copy output to the clipboard - as a single address, as a socket, as a list, etc. You can tune your scan speed - from very low to uncontrolled. You can set traffic priority (if the system allows you to do it).
You can even run it remotely from the command line and monitor its activity with an additional console utility that monitors the "virtual console" file.
It can minimize to tray, load at system startup, search for its own upgrades, and change its interface language on the fly, and it can easily work with its separate kit utilities - dig, whois and traceroute.

What else would you require from a port scanner?

This section contains the general readme file (it's not read as often as it should be).
It's a kind of strict user manual - some performance issues, hints, etc. are available either in the FAQ or on the forum.


Necrosoft NScan
Version 0.9.1 readme
Author: Averk/Necrosoft (averk@nscan.org)

What's new in 0.9.1:

- Added Save/Load buttons to the options dialog, that will assist in creating performance profiles and for modifications of the CD version options.
Same is for other utilities.
- Whois: fixed link bug.
- Introduced a business card CD version, that runs directly from CD and doesn't touch system registry. CD is recordable and is open for write.
See special notes for CD version.

What's new in 0.9:

- Completely removed adware and made it simply shareware.
- Added all utilities in one pack.
- Fixed bug with window sizing.
- Fixed nasty bug with tray menu that prevented it from proper hiding.
- Fixed bug with utilities call under NT (unclean parameters).
- Fixed some things in credits scroller and removed splash.
- DIG: fixed control bug that caused it to close prematurely.
- Some minor changes.

What's new in 0.8:

- First of all, this file - now it has something more than just a site URL.
- Enforced timeouts. Yeah, it won't freeze so long on a dead host.
- Engine is completely rewritten to make it more flexible. Though nothing revolutionary is written, there's much more room for enhancements (to be fair, it's mostly for easier modifications). However, I hope to make some good surprises with new functionality soon :)
- Numerous bugfixes, the most awful of them being the incorrect command-line parser.
- New command-line options for remote telnet control.
- Virtual console. Basically, it's a kind of log that may be viewed at the moment of change by tail utility (tail.exe is included).
- Logs and clipboard exchange formats may be freely changed now.
- I've removed third-party ad components at last. No spyware (but was it?).
Ad component is now my own and it doesn't collect anything. Info may be collected via cookies as with any other banners on my site, but there's nothing special from me.
- News engine is rebuilt, now it may notify you about new releases (with your permission).
- Language packs. Yeah, you can customize any text strings in any language and way you want.
- Added two more source file parsers. Current set: host list, socket list, some IP's.
- And, finally, it's modular: whois, traceroute and dig are separate programs, which may be run either from NScan or alone.

Introduction to this reference (an official word):

NScan is a kind of a kit for testing network security and reliability, which can solve numerous problems on your network. Basically, it's an extremely fast and flexible portscanner for Windows, which is specially designed for scanning large networks and gathering related network/host information. It's designed as an aid for network administrators and should not be used in order to abuse someone. The responsibility for the correct use of this kit remains with you. See license.txt.

User's manual:

1. Interface:
1.1. Host selector.
1.2. Port range selector.
1.3. Output and log detail level selectors.
1.4. Output window.
1.5. Status bar.
1.6. Other controls.
2. Options.
2.1. Interface.
2.2. Tools.
2.3. Output formats.
2.4. Packet customization.
2.5. Speed.
2.6. General system options.
3. Command line.
4. Socket manipulations.
5. Virtual console.
6. Adware.

1. Interface:

1.1. Host selector. Has five modes:
- Host range: scans from initial to final host or vice versa, in ascending order. Hosts may be given either as IP addresses or as valid hostnames.
"Crippled" IP's (though they are also valid) are also acceptable (e.g. 2130706434 as, or 212.3070643 as; and the like are, surely, unacceptable). If one of the hosts is invalid, scans only one valid host.
- Single host: scans only initial host.
- Host list: gets the list from a file. The same types of addresses as mentioned above are valid. Takes one address per line; leading whitespace does not matter.
Comments on a line are accepted as long as they are separated from the hostname by at least one whitespace character or colon (':').
- Socket list: As in the previous case, but requires a port number after whitespace(s) and/or colon(s), e.g. " : 80". Discards port range settings.
- Some IP's: Tries to find a valid IP address in the line. It means that unlike in previous cases, 127.0.1 (which is isn't valid. May help greatly for scanning DNS zones, including those retrieved by AXFR request.
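
A parser for the host-list and socket-list line format described above, which also normalises a "crippled" IP to dotted-quad form so that allowlists and log correlation see one spelling of an address. This is an added example, not NScan's own code: `normalize_ipv4`, `parse_line` and the sample lines are hypothetical, and only decimal parts are handled.

```python
import re

def normalize_ipv4(text):
    """Dotted quad for a 1-4 part decimal IPv4 form, or None if not one."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    for p in parts:
        # Decimal only; leading zeros are refused because many resolvers
        # read them as octal, which would make the result ambiguous.
        if not (p.isascii() and p.isdigit()) or (len(p) > 1 and p[0] == "0"):
            return None
    nums = [int(p) for p in parts]
    # Each part except the last is one byte; the last fills what remains.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

LINE = re.compile(r"([^\s:]+)(?:[\s:]+(.*))?$")

def parse_line(line, socket_list=False):
    """Return (host, port) for one list line, or None if it is unusable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    host, rest = m.group(1), m.group(2) or ""
    ip = normalize_ipv4(host)
    if ip is None and re.fullmatch(r"[0-9.]+", host):
        return None                      # numeric but not a valid address
    port = None
    if socket_list:                      # port must follow the separator
        pm = re.match(r"[0-9]+", rest)
        if not pm or not 0 < int(pm.group()) <= 65535:
            return None
        port = int(pm.group())
    return (ip or host, port)

# Constructed sample lines (line, is_socket_list); not from a real scan list.
SAMPLE = [("   2130706434   lab gateway", False), ("10.0.0.300", False),
          ("www.example.com:web front end", False), ("212.3070643 : 80", True)]

if __name__ == "__main__":
    for raw, is_sock in SAMPLE:
        print(repr(raw), "->", parse_line(raw, socket_list=is_sock))
```
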

1.2. Port range selector. Has seven modes:
- Port ranges list: lists comma-separated port ranges and single ports.
- Windows default services: uses 'services' file from your system. BTW, funny, but it doesn't contain http.
- Known services: uses NScan's 'services' file (more than 3200 entries) - it's the set of once most recent known ports.
- User-defined services: uses "userdef.txt" in NScan's directory as 'services'.
- Known+user-defined: obvious
- All defined services: adds Windows services to the previous selection
- All defined + port list: obvious too :)

1.3 Output and log detail level selectors: six for output + "no logs" for logs
- Normal: only open ports
- Network unreachable:
Catches the following errors:
- Timeout:
- Timeout and network unreachable: obvious, yeah?
- Explicit: tracks all except WSAECONNREFUSED (simply closed port)
- Absolute: tracks _ALL_

1.4. Output window:
I can only add that right click opens a menu and report columns can be rearranged and sorted.

1.5. Status bar: briefly.
First line: status; last host; last port; total scanned amount; scan speed; open ports amount; number of sockets in use, maximum sockets to use.
Second line: news line (shows current news from Necrosoft, linked to site); '?' - force news retrieval; network load (heuristic); time left; progress indicator;

1.6. Other controls.
The use of the other controls may be deduced from their names and from the tooltips that are available for all of them. I only want to mention the "NECROSOFT" button, which appears in place of the "Register" button after registration: double-click shows the splash screen.

2. Options.

The Save and Load buttons let you save and load configuration profiles. This may be useful for different speed profiles, CD version tuning, etc.

2.1. Interface:
- Minimize to system tray: no comments.
- Custom colors/pictures, positioning: for better appearance of result list.

2.2. Tools:
Contains paths to additional modules and specifies whether to perform an action on the initial host upon module launch, e.g. trace the route to the first host when you press the "Traceroute" button in NScan. If paths are incorrect, the corresponding buttons are grayed out.

2.3. Output formats: Has brief help, and more detailed help under the "more" button.
- Log entry: specifies how a log entry should look. Don't forget to put %n at the end of the line: it's a newline character.
- Clipboard: specifies format for "Custom copy" and "Copy selected" at the output window. No newline is needed.
- Console: format for "virtual console" (see below) - same as for log.

2.4. Packet customization:

- Send OOB data: sends an OOB packet to an open port. Basically outdated, may only help to find unpatched 95's on the network (old nuke exploit).
- Type of service: two selectors. RTFM. Don't touch unless you know the TCP/IP packet structure or, at least, TOS considerations. Not guaranteed to work everywhere - it just sets options on a socket, but winsock may ignore them.
Windows sockets:
- Socket limit: number of sockets that may be opened simultaneously.
- Update: time interval at which NScan tries to find more spare sockets if "Dynamic allocation" is switched on.
- Cleanup timeout: time after which a socket is assumed to have timed out and is forcibly removed from the queue.

2.5. Speed: two deeply connected values.
- Synchronize by: time between the socket queue additions. 0 means full local bandwidth (depends also on PC performance).
- Speed limit: heuristically accounted speed

2.6. General system options.
- Run as system service: runs at startup and puts itself to tray, right click opens a tray menu, click opens scanner window.
- Don't close: forces close (X) button to act as "minimize" - useful to keep scanner alive when it's run as 'service'
- Disable news retrieval: doesn't connect you to server for news and updates retrieval.
- Disable upgrade notifications: upon news retrieval, ignores upgrade message.
- Localization: hope it's obvious. "Get more" brings you to the support site.

3. Command line
The command line accepts the following options:

short  long        <parameters>         description

-i     -ini        <start address>      start hostname
-f     -fin        <end address>        end hostname
-p     -ports      <ports>              port list
-F     -list       <list file>          list file name
-l     -log        <log file>           log file name
-N     -forget                          don't write updated settings to registry
-t     -tray                            run and minimize to tray / do nothing
-S     -scan                            start with defaults - just scan
-k     -keepalive                       don't close after job is done
-n     -nohide                          keep restored
-a     -atype      <type>               address type (0-4) respectively in drop-down order
-P     -porttype   <port list type>     same for port type
-c     -cleanup    <cleanup timeout>    cleanup timeout (options)
-d     -outdetail  <outdet>             output details (see drop-down mode switch)
-D     -logdetail  <log detail level>   same for log
-T     -condetail  <detail level>       same numbers as for log detail
-R     -conformat  <format>             format for console output (options)
-C     -console    <file>               console file name (default is console.log)
-s     -speed      <speed limit>        speed limit (options)

Other engine options are taken from previous session defaults.
A single option parameter must be enclosed in double quotes '"' if there is a possibility that it can be misinterpreted (this may happen with file names).

4. Socket manipulations:

By default, the scanner uses 75 sockets with a 3-second update timeout, dynamic allocation and a max socket amount of 500. These settings are for Win 95/98. Under NT you may use much greater numbers. The reason is that sockets are a limited resource, so under Win 95/98 you may experience problems with other network software if all sockets are used.
In order to resolve this problem, the scanner works on the following principle: if the limit is reached, the scanner decreases the maximum and after some time (3 seconds by default) increases it (if dynamic allocation is on), assuming that resources may be free. If it doesn't reach a limit, it slowly increases the top to the maximum (500 by default) and stays there. Please note that if you run two concurrent scanners with dynamic allocation, the limit of one of them may fall to 1, resulting in a low-speed scan (as with some lame scanners).
If dynamic allocation is switched off, it doesn't change the limit, so be careful with the limits - they may block other network activity - i.e. while old connections remain active you won't be able to open a new connection unless you're lucky enough. Once again - it's only under 95/98. So, in the end, the scanner uses most of the available resources while trying not to interfere with other applications. Please note that NT has a very high limit that may not be reached, but keep a reasonable maximum, because 3000 sockets will exhaust CPU resources and may lock your PC down.
However, a high limit will resolve the freeze problem on dead networks, especially with a reasonable cleanup timeout.

5. Virtual console.

In command-line mode the scanner duplicates its output in the "virtual console" file. The file is named "console.log" by default. You may view it at the console using the enclosed tail utility (tail.exe). Tail shows the most recent changes to the file as they happen and may be used with NScan to work as a console version of the scanner. Usage: tail <filename>. No, it's not ported from UNIX, it just looks like it :)