Colitas Network Scanner

Colitas is designed to be a very fast stateless network scanner. It can scan any IPv4 and port range. It uses SYN or PING packets for its scanning purposes. The current version is 0.69.

Root privileges are needed to use colitas because it relies on raw sockets, which are necessary to create SYN packets. Colitas is very fast, and this is achieved by stateless scanning: we send packets and forget about them, then listen for incoming SYN/ACK or SYN/RST packets. Based on the sequence and acknowledgment numbers we recognize the replies to our probes, and from these packets we determine the IP and port numbers of the scanned hosts.
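The reply-matching step described above, as an added example (not colitas source code). The page does not say how colitas chooses its sequence numbers, so the keyed-hash cookie, KEY and all function names here are assumptions; the code only parses constructed reply packets and sends nothing.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-per-run-secret"  # assumption: secret chosen once per scan

def cookie(src_ip, src_port, dst_ip, dst_port, key=KEY):
    """Assumed scheme: 32-bit sequence number derived from the probe's 4-tuple."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HH", src_port, dst_port))
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]

def classify(packet, key=KEY):
    """Return (ip, port, 'open'|'closed') if packet answers one of our probes, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                          # not IPv4/TCP
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None                          # truncated or malformed
    host = socket.inet_ntoa(packet[12:16])   # reply source = scanned host
    me = socket.inet_ntoa(packet[16:20])     # reply destination = scanner
    hport, mport, _seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    # A genuine reply acknowledges our sequence number + 1, so the expected
    # value is recomputed from the reply itself; no per-probe record is kept.
    if ack != ((cookie(me, mport, host, hport, key) + 1) & 0xFFFFFFFF):
        return None                          # unrelated traffic or a forged reply
    flags = off_flags & 0x3F
    if flags & 0x04:                         # RST set: negative reply
        return (host, hport, "closed")
    if (flags & 0x12) == 0x12:               # SYN and ACK set: positive reply
        return (host, hport, "open")
    return None

def build_reply(host, hport, me, mport, ack, flags):
    """Constructed 40-byte IPv4+TCP reply for the demo (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(host), socket.inet_aton(me))
    tcp = struct.pack("!HHIIHHHH", hport, mport, 0x1000, ack,
                      (5 << 12) | flags, 1024, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    me, host = "192.0.2.10", "198.51.100.7"  # constructed, documentation ranges
    ack = (cookie(me, 40000, host, 80) + 1) & 0xFFFFFFFF
    print(classify(build_reply(host, 80, me, 40000, ack, 0x12)))      # SYN/ACK
    print(classify(build_reply(host, 80, me, 40000, ack, 0x14)))      # RST/ACK
    print(classify(build_reply(host, 80, me, 40000, ack ^ 1, 0x12)))  # wrong ack
```

Because the expected acknowledgment number is derived from a secret, a packet that merely looks like a SYN/ACK is discarded unless it really answers a probe that was sent.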

Colitas does not and most likely will not provide support for IPv6. The reason is pretty simple. The address space in IPv6 has been greatly expanded in comparison to IPv4, and is so large that sequential scanning of the address space makes no sense, as the number of hosts possible in *one* IPv6 subnet is equal to the theoretical maximum number of IPv4 addresses squared. It is clear that one can scan only addresses of the form <subnet prefix>::xxxx:xxfe:ffxx:xxxx on a given network, but this still leaves a huge number of addresses to check.

Because sequential scanning on IPv6 is no longer a viable option, I believe that future network worms that spread using IPv6 will make increased use of server log files on compromised hosts to identify new targets. Scanning the access log file of an Apache server can provide one with a list of potential hosts to check. Automated host attacks will become harder once IPv6 becomes widespread because hosts can use a mechanism known as privacy extensions for their automatic address generation. After receiving a network prefix from an on-link router, an IPv6 host can randomly generate the host portion of the address. Next the host performs Duplicate Address Detection (DAD), and if no other host with the same address is found, proceeds to use the address for global communication. The address space offered by IPv6 is so large that the likelihood of address duplication among randomly generated addresses on a link is very slim.

Current stable version is 0.69

md5sum: abb4999d8d31876c603658d871522276  colitas-0.69.tar.gz
Previous versions (for the sake of completeness):
md5sum: 4174ef882405e8db73b256dd908c945d  colitas-0.68.tar.gz
md5sum: 432d28a8fe6fdb0e6a601a203117eeec  colitas-0.67.tar.gz
md5sum: 946433ecaf5ac6f839cf73264bbabc61  colitas-0.66.tar.gz
md5sum: c36c06d748ce729147b363d7bfb0c9cf  colitas-0.65.tar.gz
md5sum: 3da42c500b4e1df0bdfa727ce124c583  colitas-0.54.tar.gz

Usage

usage: colitas start_ip:end_ip [start_port:end_port] [options]

examples:

	$ colitas 214.44.5.0:214.44.255.255 25,110
	$ colitas 14.4.25.45 1:1024
	$ colitas 150.80.0.0-150.255.255.255 21-25,67,53,110,80

options:
  -f most common ports ( this is the default )

	ports:

	7,11,19,21,22,23,25,42,43,53,66,79,80,81,88,109,
	110,111,118,119,135,139,143,179,256,389,396,407,443,513,514,515,
    524,799,1024,1080,1313,1352,1433,1494,1498,1524,1525,1527,1723,
    1745,2000,2001,2447,2998,3000,3300,3306,4001,4045,5631,5800,6000,
    6001,6666,6667,6668,6669,8000,8001,8002,8080,9001,12345,26000,
    32771,43188,65301

  -a all important ports

	ports:

	1,2,3,5,7,9,11,13,17,18,19,20,21,22,23,24,25,27,29,31,
	33,35,37,38,39,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,
	59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,
	82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,
	103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,
	120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,
	137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,
	154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,
	171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,
	188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,
	205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,
	222,223,242,243,244,245,246,256,257,258,259,260,261,262,263,280,281,
	282,309,344,345,346,347,348,349,350,351,371,372,373,374,375,376,377,
	378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,
	395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,
	412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,
	429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,
	446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,
	463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,
	480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,
	497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,
	514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,
	531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,
	548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,
	606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,633,634,
	635,636,637,666,667,668,669,670,671,672,673,674,704,705,709,710,729,
	730,731,741,742,744,747,748,749,750,751,752,753,754,758,759,760,761,
	762,763,764,765,767,769,770,771,772,773,774,775,776,780,786,800,801,
	886,887,888,911,991,995,996,997,998,999,1000,1001,1023,1024,1025,
	1027,1030,1031,1032,1047,1048,1058,1059,1067,1068,1080,1083,1084,
	1089,1110,1123,1155,1212,1222,1248,1313,1314,1345,1346,1347,1348,
	1349,1350,1351,1352,1353,1354,1355,1356,1357,1358,1359,1360,1361,
	1362,1363,1364,1365,1366,1367,1368,1369,1370,1371,1372,1373,1374,
	1375,1376,1377,1378,1379,1380,1381,1382,1383,1384,1385,1386,1387,
	1388,1389,1390,1391,1392,1393,1394,1395,1396,1397,1398,1399,1400,
	1401,1402,1403,1404,1405,1406,1407,1408,1409,1410,1411,1412,1413,
	1414,1415,1416,1417,1418,1419,1420,1421,1422,1423,1424,1425,1426,
	1427,1428,1429,1430,1431,1432,1433,1434,1435,1436,1437,1438,1439,
	1440,1441,1442,1443,1444,1445,1446,1447,1448,1449,1450,1451,1452,
	1453,1454,1455,1456,1457,1458,1459,1460,1461,1462,1463,1464,1465,
	1466,1467,1468,1469,1470,1471,1472,1473,1474,1475,1476,1477,1478,
	1479,1480,1481,1482,1483,1484,1485,1486,1487,1488,1489,1490,1491,
	1492,1493,1494,1495,1496,1497,1498,1499,1500,1501,1502,1503,1504,
	1505,1506,1507,1508,1509,1510,1511,1512,1513,1514,1515,1516,1517,
	1518,1519,1520,1521,1522,1523,1524,1525,1526,1527,1528,1529,1530,
	1531,1532,1533,1534,1535,1536,1537,1538,1539,1540,1541,1542,1543,
	1544,1545,1546,1547,1548,1549,1550,1551,1552,1553,1554,1555,1556,
	1557,1558,1559,1560,1561,1562,1563,1564,1565,1566,1567,1568,1569,
	1570,1571,1572,1573,1574,1575,1576,1577,1578,1579,1580,1581,1582,
	1583,1584,1585,1586,1587,1588,1589,1590,1591,1592,1593,1594,1595,
	1596,1597,1598,1599,1600,1601,1602,1603,1604,1605,1606,1607,1608,
	1609,1610,1611,1612,1613,1614,1615,1616,1617,1618,1619,1620,1621,
	1622,1623,1624,1625,1636,1637,1638,1639,1640,1641,1642,1643,1644,
	1645,1646,1647,1648,1649,1650,1651,1652,1653,1654,1655,1656,1657,
	1658,1659,1660,1661,1662,1663,1664,1665,1666,1667,1668,1669,1670,
	1671,1672,1673,1674,1675,1676,1677,1678,1679,1680,1681,1682,1683,
	1684,1685,1686,1687,1688,1689,1690,1691,1692,1693,1694,1695,1696,
	1697,1698,1699,1700,1701,1702,1703,1704,1705,1706,1707,1708,1709,
	1710,1711,1712,1713,1714,1715,1716,1717,1718,1719,1720,1721,1722,
	1723,1724,1725,1726,1727,1728,1729,1730,1731,1732,1733,1734,1735,
	1736,1737,1738,1739,1740,1741,1742,1743,1744,1745,1746,1747,1748,
	1749,1750,1751,1752,1753,1754,1755,1756,1757,1758,1759,1760,1761,
	1762,1763,1764,1765,1766,1767,1768,1769,1770,1771,1772,1773,1774,
	1776,1777,1778,1779,1780,1781,1782,1783,1784,1785,1786,1787,1788,
	1789,1790,1791,1792,1793,1794,1795,1796,1797,1798,1799,1800,1801,
	1802,1803,1804,1805,1806,1807,1808,1809,1810,1811,1812,1813,1814,
	1815,1818,1819,1820,1821,1822,1823,1824,1901,1902,1903,1904,1905,
	1906,1907,1908,1909,1911,1912,1913,1914,1915,1916,1917,1918,1919,
	1920,1944,1945,1946,1947,1948,1949,1950,1951,1973,1985,1986,1987,
	1988,1989,1990,1991,1992,1993,1994,1995,1996,1997,1998,1999,2000,
	2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,
	2015,2016,2017,2018,2019,2020,2021,2022,2023,2024,2025,2026,2027,
	2028,2030,2032,2033,2034,2035,2038,2040,2041,2042,2043,2044,2045,
	2046,2047,2048,2049,2065,2067,2102,2103,2104,2105,2201,2202,2213,
	2221,2222,2223,2232,2233,2234,2235,2236,2237,2238,2239,2241,2279,
	2280,2281,2282,2283,2284,2285,2286,2287,2288,2301,2307,2401,2500,
	2501,2564,2583,2592,2700,2784,2785,2786,2787,2788,2789,2801,2908,
	2909,2910,2911,2912,3000,3001,3002,3010,3011,3047,3048,3049,3128,
	3141,3142,3143,3144,3145,3264,3333,3421,3454,3455,3456,3457,3883,
	3900,3984,3985,3986,4008,4009,4132,4133,4134,4321,4343,4444,4445,
	4446,4447,4448,4449,4450,4451,4452,4453,4454,4500,4501,4672,5000,
	5001,5002,5003,5004,5005,5010,5011,5020,5021,5050,5145,5150,5190,
	5191,5192,5193,5236,5300,5301,5302,5303,5304,5305,5400,5401,5555,
	5631,5632,5678,5679,5713,5714,5715,5716,5717,5729,5742,5745,5755,
	5757,5766,5767,5800,5900,6000,6110,6111,6112,6123,6141,6142,6143,
	6144,6145,6146,6147,6148,6149,6253,6389,6455,6456,6558,6588,6670,
	6672,6673,6831,6969,7000,7001,7002,7003,7004,7005,7006,7007,7008,
	7009,7010,7099,7100,7121,7174,7200,7201,7395,7491,7511,7777,7781,
	7999,8000,8010,8032,8080,8450,8888,8889,8890,8891,8892,8893,8894,
	9000,9100,9535,9876,9992,9993,9994,9995,9996,9997,9998,9999,10000,
	11000,12345,12753,13223,17007,18000,20001,20024,21554,21845,21846,
	21847,21848,21849,22273,22347,22555,22800,22951,23456,25000,25001,
	25002,25003,25004,25005,25006,25007,25008,25009,25793,25867,26000,
	26208,30303,47557,47806,47808,54320,65000

  -r raw output in the form: ip port

	makes colitas output results in a very simple form
	example: 213.180.120.102 25
	
  -o PING scan (default: SYN scan)
  
  	by default Colitas uses SYN packets for its scanning purposes. If you
	simply need to find all hosts responding to ICMP echo requests use PING
	scanning

  -n don't resolve hostnames

  	by default colitas resolves hostnames of found ips
	use this option if you don't need this feature

  -e show negative replies

	by default only positive responses will be shown ( SYN/ACK ),
	if you also want to see the negative ones use this

  -E show only negative replies

	will make colitas show only negative responses

  -p scan all ports on single host then move to next host
     by default all hosts are scanned then the next port is checked

	default scanning order:

[root@localhost ~]# colitas 213.180.1.1-213.180.255.255 21,22,23,25,53

		213.180.1.1 21
		213.180.1.2 21
		213.180.1.3 21
		213.180.1.4 21
		213.180.1.5 21
		213.180.1.6 21
		213.180.1.7 21
		213.180.1.8 21
		213.180.1.9 21
		213.180.1.10 21
		213.180.1.11 21
		213.180.1.12 21
		213.180.1.13 21
		213.180.1.14 21
		213.180.1.15 21
		213.180.1.16 21
		213.180.1.17 21

	with -p:

[root@localhost ~]# colitas 213.180.1.1-213.180.255.255 21,22,23,25,53 -p

		213.180.1.1 21
		213.180.1.1 22
		213.180.1.1 23
		213.180.1.1 25
		213.180.1.1 53
		213.180.1.2 21
		213.180.1.2 22
		213.180.1.2 23
		213.180.1.2 25
		213.180.1.2 53

  -s seconds to wait after sending last packet, by default 3

	due to the nature of colitas we should wait a given number of seconds
	after sending out the last probe, by default this value is 3 which
	is sufficient for most networks

  -t delay between scanning packets in microseconds, by default 5

Speed

We keep no record ('state') of the scan progress; we just send our probes and check for replies. This makes colitas the fastest scanner on the planet. Some speed statistics were generated on an ADSL line with 512kb downstream and 128 upstream bandwidth. Scanning from a host with a 10 Mb/s connection I reached 996 ports/s.

***Test 1***

A search for smtp servers in a B class network:

[root@localhost ~]# colitas 150.180.1.1-150.180.255.255 25
scanning 65025 hosts and 1 ports on each host ( total of 65025 ports )
this can take up to approx. 1661 seconds ( 0.461427 hours )

*[cut]*

scanning completed in 654 seconds

That's over 99 ports per second. Is that fast or what?

***Test 2***

Checking some basic services on a C class network:

[root@localhost ~]# colitas 192.168.1.1-192.168.1.255 -p
scanning 255 hosts and 73 ports on each host (total of 18615 ports)
this can take up to approx. 514 seconds (0.143031 hours)
[open] 192.168.1.1      80
[open] 192.168.1.1      8080
[open] 192.168.1.2      80
[open] 192.168.1.2      443
[open] 192.168.1.2      3306
[open] 192.168.1.104    80
[open] 192.168.1.104    443
[open] 192.168.1.104    3306
scanning completed in 22 seconds

That's almost 846 ports per second. Pretty fast.

Help

[sd@localhost ~]$ colitas
colitas network scanner v0.68
(c) 2004,2005 by Lukasz Tomicki 
 usage: colitas start_ip:end_ip [start_port:end_port] [options]
 options:
  -f most common ports (this is the default)
  -o PING scan (default: SYN scan)
  -a all important ports
  -r raw output in the form: ip port
  -n don't resolve hostnames
  -e/-E show negative replies/show only negative replies
  -p scan all ports on single host then move to next host
     by default all hosts are scanned then the next port is checked
  -s seconds to wait after sending last packet, by default 3
  -t delay between scanning packets in microseconds, by default 25

License

Colitas is distributed on the terms of the GNU GENERAL PUBLIC LICENSE.

Disclaimer

This program was written only for educational purposes. Reading other people's code is one of the best ways to learn programming. This is especially true when learning advanced topics like low-level programming. ABSOLUTELY NO WARRANTY is provided. I am not responsible for any harm the use of this tool may bring.


"Furious activity is no substitute for understanding."

Last update: Wednesday, 11th October, 2023
Copyright © 2001-2024 by Lukasz Tomicki