Scanrand is a proof of concept investigating stateless manipulation of the TCP finite state machine. It implements extremely fast and efficient port, host, and network trace scanning, and does so with two completely separate and disconnected processes: one sends queries, the other receives responses and reconstructs the original request from the returned content. Security is maintained, in the sense that false results are difficult to forge, by embedding a cryptographic signature in each outgoing request; that signature must be present in any received response before the response is accepted. HMAC-SHA1, truncated to 32 bits, is used for this "Inverse SYN Cookie".
Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user. The only thing mandated is a target destination, which may be specified either as a FQDN (Fully Qualified Domain Name) or as a numeric specification. A numeric specification may combine any number of dashes and commas in the same expression. For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine. More ports are scanned by default when scanning a single host than when scanning a network. Scanrand is also able to estimate the remote hop count by examining the TTLs of incoming replies.
You can start scanning a host with this command: scanrand -v -b10M -d eth1 hostname
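The stateless cookie check and the TTL-based hop estimate described above, as an added Python illustration that is not Scanrand's own code: which header fields the real tool covers with the HMAC, and the initial TTL values it assumes for the hop estimate, are assumptions made here.

```python
# Added example (not Scanrand's own code): an "inverse SYN cookie". The probe's
# TCP sequence number is HMAC-SHA1 over the connection tuple, truncated to
# 32 bits, so the receiving process can validate a SYN/ACK or RST without
# remembering which probes were sent. Assumption: the HMAC covers
# (src IP, dst IP, src port, dst port); Scanrand's field selection may differ.
import hashlib
import hmac
import ipaddress
import struct


def inverse_syn_cookie(key: bytes, src_ip: str, dst_ip: str,
                       src_port: int, dst_port: int) -> int:
    """32-bit sequence number to place in the outgoing SYN."""
    msg = (ipaddress.IPv4Address(src_ip).packed
           + ipaddress.IPv4Address(dst_ip).packed
           + struct.pack("!HH", src_port, dst_port))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha1).digest()[:4], "big")


def validate_reply(key: bytes, reply: dict) -> bool:
    """True if a received SYN/ACK or RST acknowledges a SYN we signed.

    Both a SYN/ACK (open port) and a RST (closed port) acknowledge seq+1, so
    the reply is genuine only if ack-1 equals the cookie recomputed from the
    reply's tuple with source and destination swapped. No per-probe state.
    """
    expected = inverse_syn_cookie(key, reply["dst_ip"], reply["src_ip"],
                                  reply["dst_port"], reply["src_port"])
    return (reply["ack"] - 1) & 0xFFFFFFFF == expected


def estimate_hops(ttl: int) -> int:
    """Estimate remote hop count from the TTL seen in a reply.

    Assumption: the remote stack started at one of the common initial TTLs
    (64, 128, 255); the distance is the gap to the next one at or above.
    """
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")


if __name__ == "__main__":
    key = b"constructed-secret-key"  # constructed sample value
    seq = inverse_syn_cookie(key, "192.0.2.10", "10.0.1.5", 1234, 80)
    # Constructed SYN/ACK from the target: direction reversed, ack = seq+1.
    synack = {"src_ip": "10.0.1.5", "dst_ip": "192.0.2.10", "src_port": 80,
              "dst_port": 1234, "ack": (seq + 1) & 0xFFFFFFFF, "ttl": 52}
    print("genuine:", validate_reply(key, synack),
          "hops:", estimate_hops(synack["ttl"]))
    forged = dict(synack, ack=(seq + 2) & 0xFFFFFFFF)
    print("forged accepted:", validate_reply(key, forged))
```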