
Hardscan - A brute-force local netstat replacement

Description:

Hardscan is a local netstat replacement that scans for open ports the hard way: by binding to each of them and attempting to handshake with itself. It is meant to be useful in a situation where you may have been rooted, rendering the output of netstat and other security tools untrustworthy.

If the program is unable to handshake with itself, for whatever reason (perhaps something intercepted the handshake, perhaps something was already running on that port, etc.), it is an indicator that the tcp or udp port being checked is already in use. Although this could be a virus, trojan or hacker connection, it is also quite possible that it is a legitimate connection. As the "ephemeral" high-numbered ports are scanned as well, there is a chance that any outgoing activity (for instance browsing the web while the scan is running) will be picked up.

Of particular note in this program is "--fast" mode. In this state, the scanner does not attempt to handshake with itself, and thus does not detect as rigorously. In theory the OS could be lying to the scanner and simply saying that the socket was opened successfully, but in practice most trojans are not going to be that sophisticated. Fast mode trades off this verification in order to run much, much, much faster.

Platform:

  • No platform-specific code; it should work anywhere that has Python 2.3 or better (2.3 is required for the use of socket.settimeout()). It has been tested on both Linux (Debian Sarge) and Windows XP Service Pack 2.
  • Depending on your OS, it may be necessary to run the program as a privileged user to open the proper ports.
  • This is a command-line *nix style tool. You are expected to be OK with that.

Language:

  • Python

License:

  • This script is offered under the GPL. Contact me if you need it licensed differently.

Download:

  • hardscan-gpl.py.txt - source code, under GPL
  • hardscan.pyc - compiled python file. Requires Python 2.3 to be available.
  • hardscan.tar.gz - compiled python file as a tar.gz for those of you that like that.
  • hardscan.zip - standalone windows console application

Links:

  • Some comments (on slashdot) regarding this utility. - Some weaknesses are pointed out, but most of them are mitigated with a good firewall policy.

Usage:

    
    Usage: hardscan [OPTION]
    Scan the local machine for any open ports without trusting the accuracy of
    'netstat' or similar tools.
    
      -f, --fast             Don't do the full validation, just try to open
                             a listening socket on each port.
                             (default is Off)
    
      -h, --help             Display this documentation.
    
      -i, --interval         Display a progress update every specified interval.
                             (default is 100)
    
                             Example Usage:
                             -i 500
    
      -l, --length           Specify the length of key to exchange during
                             validation.
                             (default is 4)
    
                             Example Usage:
                             -l 5
    
      -m, --max-threads      Specify the max number of client/server pairs to use.
                             Note that the real number of threads the program uses
                             will be something along the lines of (max-threads*3)+1
                             due to the subthreading involved.
    
                             Example Usage:
                             --max-threads 10
                             -m 10
    
      -p, --port             Specify the ports to check.
    
                             Example Usage:
                             --port=40,50,60
                             --port 1-1024
                             -p 1-500,400,500,1000-2000
    
      -s, --sockettype       Specify "tcp" or "udp"
    
                             Example Usage:
                             --sockettype tcp
                             -s udp
    
      -t, --timeout          Specify how long server threads should wait for their
                             connection.
                             (default is 5 seconds)
    
                             Example Usage:
                             --timeout 10
    
      -v, --verbose          Show verbose output.  This will show, for instance,
                             every port discovered as it happens.
                             (default is Off)
    
      -w, --very-verbose     Show very verbose output.  You almost certainly don't
                             want to use this option.
                             (default is Off)
    
    Hardscan operates on the premise that your system has been compromised, and
    netstat and any other kernel reporting tools cannot be trusted.  Rather than
    trusting what the OS reports, it manually attempts to open every port that you
    specify (by default every tcp port on the system) and pass data to itself.  If
    this communication succeeds, it is assumed that the port was not in use.
    
    This differs from 'netstat', which only reports what the OS thinks is happening.
    It also differs from 'nmap', in that it is capable of detecting servers or
    outgoing connections even if they are configured to lurk in stealth mode.
    
    As outgoing TCP connections use ephemeral ports, it is quite likely that you
    are going to get false positives based on whatever it is the machine is doing.
    These can be verified against netstat or the like to determine if they are
    legitimate. This has the side benefit of identifying outgoing connections even
    if they are not in a 'listening' mode.
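The bind-and-handshake check that the Description and the usage text above explain, written out as an added example (my own code, not the hardscan source): each port gets a listening server socket, a client in the same process connects to it and sends a random key of the -l length, and only that key coming back marks the port free; a refused bind, or --fast mode, short-circuits exactly as the text describes. It also expands the -p port syntax. The function names, the 127.0.0.1 loopback address and the occupy_port demo fixture are my assumptions.

```python
import os
import socket
import threading

def parse_ports(spec):
    """Expand hardscan's -p syntax ("1-500,400,500,1000-2000") into a sorted list."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)

def check_port(port, fast=False, key_length=4, timeout=5.0):
    """Return True if the port is judged in use, False if our own handshake succeeded."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(timeout)               # -t/--timeout: how long the server side waits
    try:
        srv.bind(("127.0.0.1", port))     # no SO_REUSEADDR: any existing owner must refuse us
        srv.listen(1)
    except OSError:
        srv.close()
        return True                       # bind refused: something already holds the port
    if fast:
        srv.close()                       # -f/--fast: trust the bind, skip the handshake
        return False
    key = os.urandom(key_length)          # -l/--length: random key we expect to get back
    def serve():                          # server side: accept one client, echo its key
        try:
            with srv.accept()[0] as conn:
                conn.settimeout(timeout)  # accepted sockets come back blocking; cap them
                conn.sendall(conn.recv(key_length))
        except OSError:
            pass
    t = threading.Thread(target=serve)
    t.start()
    try:                                  # client side: connect to ourselves, send the key
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as cli:
            cli.sendall(key)
            echoed = cli.recv(key_length)
    except OSError:
        echoed = b""                      # no round trip at all: treat as intercepted
    t.join(timeout)
    srv.close()
    return echoed != key                  # only our own key coming back proves the port free

def occupy_port():                        # demo fixture (assumed): hold an ephemeral port
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]
```

Running check_port over parse_ports("1-1024") needs the same privileges the Platform notes mention, and a port the scanner itself just handshaked on is left in TIME_WAIT, so scan each port once.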