
About Unicornscan

“You supply the stimulus. We supply the delivery mechanism.”

You finished the port scan. Now what? You've got a text file. Maybe XML if you planned ahead. You grep through it, paste results into a spreadsheet, diff it manually next week. You miss the new SSH server on a subnet you forgot to include. This is how most asset discovery engagements actually go.

Unicornscan replaces that workflow. Run a scan with -epgsqldb and results land in PostgreSQL automatically — banners parsed, GeoIP enriched, OS fingerprinted, MAC-to-IP mappings tracked across time. The Alicorn web interface lets you search by port, ASN, CIDR, MAC prefix, or regex. Compare scans side by side to see exactly what changed. Export to CSV, JSON, or PDF when the client asks. Your scan data becomes a living database you query for months, not a flat file you lose in a project folder.

One command — sudo unicornscan-alicorn start — spins up the full pipeline. No containers. No twelve-step install. No vendor lock-in. No rate limits. This is your own Shodan, running on your hardware.

Here is what the modern stack looks like.

What It Does

Unicornscan is four components that work together — or independently.

The Scanner

  • Scatter Connect Architecture — Three independent processes (Master, Sender, Listener) communicate via IPC. The sender never waits on the listener. Each does one job with zero coupling.
  • Userspace TCP/IP stack — Probes bypass the kernel entirely. No socket overhead, no file descriptors, no kernel state per packet.
  • TCPHASHTRACK — Target state encoded directly into TCP sequence numbers. When a response arrives, the listener reverses the hash to identify the probe. No state tables. Truly stateless.
  • Compound scan modes — -mA+T+sf chains ARP discovery, SYN scan, and connect-back service fingerprinting in a single pass. Each phase feeds the next.
  • Tens of thousands of packets per second — Commodity hardware. Raw throughput limited by your wire, not the scanner.
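
The stateless tracking idea described for TCPHASHTRACK, as an added example (not unicornscan's code and not its actual hash): the sender derives each probe's sequence number from a keyed hash of the connection 4-tuple, and the listener recomputes that value from the response's own addresses to decide whether the packet answers one of its probes. The HMAC-SHA256 construction, the key, the function names and the response dictionaries are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Per-scan secret shared by sender and listener (constructed sample value).
SCAN_KEY = b"constructed-example-key"

def probe_seq(key, src_ip, src_port, dst_ip, dst_port):
    """32-bit sequence number derived from the probe's 4-tuple (hypothetical scheme)."""
    msg = (ipaddress.IPv4Address(src_ip).packed
           + ipaddress.IPv4Address(dst_ip).packed
           + struct.pack("!HH", src_port, dst_port))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]

def is_our_probe(key, resp):
    """Listener side: no state table, only the key and the packet itself."""
    # The response's destination is the scanner, its source is the target,
    # so the original probe's 4-tuple is the response's 4-tuple reversed.
    expected = probe_seq(key, resp["dst_ip"], resp["dst_port"],
                         resp["src_ip"], resp["src_port"])
    # A TCP reply acknowledges the probe's sequence number plus one (mod 2^32).
    return resp["ack"] == (expected + 1) & 0xFFFFFFFF

def classify(key, responses):
    """Return (source IP, source port, accepted?) for each captured response."""
    return [(r["src_ip"], r["src_port"], is_our_probe(key, r)) for r in responses]

# Constructed sample traffic using documentation address ranges.
_ack = (probe_seq(SCAN_KEY, "192.0.2.10", 40000, "198.51.100.7", 22) + 1) & 0xFFFFFFFF
SAMPLE_RESPONSES = [
    # Genuine reply to the probe sent to 198.51.100.7:22.
    {"src_ip": "198.51.100.7", "src_port": 22,
     "dst_ip": "192.0.2.10", "dst_port": 40000, "ack": _ack},
    # Same ack value claimed for a port that was hashed differently: rejected.
    {"src_ip": "198.51.100.7", "src_port": 23,
     "dst_ip": "192.0.2.10", "dst_port": 40000, "ack": _ack},
    # Unsolicited packet from another host reusing the ack: rejected.
    {"src_ip": "203.0.113.5", "src_port": 22,
     "dst_ip": "192.0.2.10", "dst_port": 40000, "ack": _ack},
]

if __name__ == "__main__":
    for ip, port, ok in classify(SCAN_KEY, SAMPLE_RESPONSES):
        print(f"{ip}:{port} -> {'accepted' if ok else 'dropped'}")
```

Because the check depends on a secret key, a host that never received a probe cannot forge a response that the listener will record, which is what lets the results table be trusted without per-probe state.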

The Database

  • Full PostgreSQL schema — -epgsqldb auto-creates a 25-table, 24-view schema. Drop it on any PostgreSQL instance and start recording.
  • Per-result processing pipeline — Every response triggers: insert result, upsert host, parse banner, extract OS fingerprint, resolve GeoIP, track MAC-to-IP history. No post-processing scripts.
  • Banner parsing — HTTP, SSH, FTP, SMTP, MySQL headers extracted into structured fields, plus 40+ port-based service identifications.
  • GeoIP with three providers — MaxMind, IP2Location, IPinfo. Stores country, ASN, IP type (residential, datacenter, VPN, Tor, proxy) per result at scan time.
  • Shodan-style queryability — Pre-built views for querying by port, service, OS, country, ASN, CIDR, MAC vendor.

The Web Interface

  • Dashboard at a glance — Scans, hosts, ports, protocols summarized on load. No clicks required.
  • Smart search — Auto-detects port numbers, ASN handles, CIDR notation, MAC prefixes, regex, and free text.
  • Four-mode scan comparison — Side-by-side, timeline, unified diff, and matrix heatmap.
  • D3 network topology — Interactive graph with OS-colored nodes and traceroute edges.
  • GeoIP maps — Geographic plot with country and ASN aggregation.
  • Export everything — CSV, JSON, Markdown, PDF, ZIP.

The Fleet

  • Master/drone coordination — Distribute work units to remote drones via -Z host:port. Scale horizontally by adding nodes.
  • fantaip phantom ARP IP claimer — Virtual source IPs via gratuitous ARP. Drones scan from clean IPs, isolated from all non-scan traffic.
  • Shared PostgreSQL convergence — All fleet nodes write to the same database. Results merge automatically.
  • Compound modes across the fleet — ARP discovery on one node feeds SYN scanning on another. The pipeline spans the cluster.

None of this started as a product. It started as a favor, in a garage, for a client who needed UDP coverage across their external infrastructure.

How It Got Here

In 2003, Robert E. Lee founded Dyad Security and met Jack C. Louis — probably the smartest, most talented, and modest security researcher he'd ever encounter.

A Dyad client needed UDP scanning across their external infrastructure. Jack and Robert built a solution in Robert's garage: send valid UDP handshake payloads through firewalls and record what responds. That became udpscan.

Then came a contract covering 192,000+ hosts. Existing tools couldn't handle it. Jack expanded udpscan to support TCP, built the userspace stack, and invented TCPHASHTRACK. When Robert suggested a rename, Jack was using the IRC vanity domain “unicornsarebadassandyouknowit.”

Robert joked: “How about unicornscan?”

Jack changed the repo folder that day.

Jack and Robert presented unicornscan at DEF CON 13 in 2005. Four years later, Jack was gone.

The Revival

Jack C. Louis died in 2009. He was 32.

The tool was retired alongside him. Fifteen years passed. Compilers evolved. Linux changed. Dependencies were renamed or abandoned.

In December 2025 — three weeks before what would have been Jack's 49th birthday — Robert modernized unicornscan for contemporary systems. He patched the build for modern GCC and glibc, updated the autotools chain, and packaged it for six Linux distributions. Then he kept going: he rebuilt the pgsqldb output module for structured PostgreSQL storage, created Alicorn as a web interface for visualizing scan data, and launched unicornscan.org as a training platform.

A birthday tribute, with features Jack would have appreciated.

The best way to understand unicornscan is to use it.

Try It

Try scanning your IP address — right in your browser, no install required. The training environment runs a real scan against your connection and returns the actual results.
