Scannerl - The Modular Distributed Fingerprinting Engine

Scannerl is a modular distributed fingerprinting engine implemented past times Kudelski Security. Scannerl tin give the axe fingerprint thousands of targets on a unmarried host, but tin give the axe precisely every bit easily last distributed across multiple hosts. Scannerl is to fingerprinting what zmap is to port scanning.

Scannerl industrial plant on Debian/Ubuntu/Arch (but volition likely locomote on other distributions every bit well). It uses a master/slave architecture where the master copy node volition distribute the locomote (host(s) to fingerprint) to its slaves (local or remote). The entire deployment is transparent to the user.

Why job Scannerl
When using conventional fingerprinting tools for large-scale analysis, safety researchers volition oftentimes hitting 2 limitations: first, these tools are typically built for scanning comparatively few hosts at a fourth dimension as well as are inappropriate for large ranges of IP addresses. Second, if large hit of IP addresses protected past times IPS devices are beingness fingerprinted, the probability of beingness blacklisted is higher what could atomic number 82 to an incomplete laid of information. Scannerl is designed to circumvent these limitations, non only past times providing the mightiness to fingerprint multiple hosts simultaneously, but also past times distributing the charge across an arbitrary divulge of hosts. Scannerl also makes the distribution of these tasks completely transparent, which makes setup as well as maintenance of large-scale fingerprinting projects trivial; this allows to focus on the analyses rather than the herculean chore of managing as well as distributing fingerprinting processes past times hand. In improver to the speed factor, scannerl has been designed to allow to easily laid upwardly specific fingerprinting analyses inward a few lines of code. Not only is the creation of a fingerprinting cluster slowly to laid up, but it tin give the axe last tweaked past times adding fine-tuned scans to your fingerprinting campaigns.
It is the fastest tool to perform large scale fingerprinting campaigns.
For more:

• Fingerprint all the things amongst scannerl at BlackAlps
• Fingerprinting MySQL amongst scannerl
• Fingerprint ICS/Scada amongst scannerl
• Distributed fingerprinting amongst scannerl
• 6 months of ICS scanning

Installation
See the dissimilar installation options nether wiki installation page
To install from source, get-go install Erlang (at to the lowest degree v.18) past times choosing the correct packaging for your platform: Erlang downloads
Install the required packages:

# on debian $ sudo apt install erlang erlang-src rebar  # on arch $ sudo pacman -S erlang-nox rebar

Then construct scannerl:

$ git clone https://github.com/kudelskisecurity/scannerl.git $ cd scannerl $ ./build.sh

Get the usage past times running

$ ./scannerl -h

Scannerl is available on aur for arch linux users

• scannerl
• scannerl-git

DEBs (Ubuntu, Debian) are available inward the releases.
RPMs (Opensuse, Centos, Redhat) are available nether https://build.opensuse.org/package/show/home:chapeaurouge/scannerl.

Distributed setup
Two types of nodes are needed to perform a distributed scan:

• Master node: this is where scannerl's binary is run
• Slave node(s): this is where scannerl volition connect to distribute all its work

The master copy node needs to accept scannerl installed as well as compiled piece the slave node(s) only needs Erlang to last installed. The entire setup is transparent as well as done automatically past times the master copy node.
Requirements for a distributed scan:

• All hosts accept the same version of Erlang installed
• All hosts are able to connect to each other using SSH world key
• All hosts' names resolve (use /etc/hosts if no proper DNS is setup)
• All hosts accept the same Erlang safety cookie
• All hosts must allow connectedness to Erlang EPMD port (TCP/4369)
• All hosts accept the next hit of ports opened: TCP/11100 to TCP/11100 + number-of-slaves

Usage

$ ./scannerl -h    ____   ____    _    _   _ _   _ _____ ____  _   / ___| / ___|  / \  | \ | | \ | | ____|  _ \| |   \___ \| |     / _ \ |  \| |  \| |  _| | |_) | |    ___) | |___ / ___ \| |\  | |\  | |___|  _ <| |___   |____/ \____/_/   \_\_| \_|_| \_|_____|_| \_\_____|  USAGE   scannerl MODULE TARGETS [NODES] [OPTIONS]    MODULE:     -m <mod> --module <mod>       mod: the fingerprinting module to use.            arguments are separated amongst a colon.    TARGETS:     -f <target> --target <target>       target: a listing of target separated past times a comma.     -F <path> --target-file <path>       path: the path of the file containing ane target per line.     -d <domain> --domain <domain>       domain: a listing of domains separated past times a comma.     -D <path> --domain-file <path>       path: the path of the file containing ane domain per line.    NODES:     -s <node> --slave <node>       node: a listing of node (hostnames non IPs) separated past times a comma.     -S <path> --slave-file <path>       path: the path of the file containing ane node per line.             a node tin give the axe also last supplied amongst a multiplier (<node>*<nb>).    OPTIONS:     -o <mod> --output <mod>     comma separated listing of output module(s) to use.     -p <port> --port <port>     the port to fingerprint.     -t <sec> --timeout <sec>    the fingerprinting procedure timeout.     -T <sec> --stimeout <sec>   slave connectedness timeout (default: 10).     -j <nb> --max-pkt <nb>      max pkt to have (int or "infinity").     -r <nb> --retry <nb>        retry counter (default: 0).     -c <cidr> --prefix <cidr>   sub-divide hit amongst prefix > cidr (default: 24).     -M <port> --message <port>  port to hear for message (default: 57005).     -P <nb> --process <nb>      max simultaneous procedure per node (default: 28232).     -Q <nb> --queue <nb>        max nb unprocessed results inward queue (default: infinity).     -C <path> --config <path>   read arguments from file, ane per line.     -O <mode> --outmode <mode>  0: on Master, 1: on slave, >1: on broker (default: 0).     -v <val> --verbose <val>    last verbose (0 <= int <= 255).     -K <opt> --socket <opt>     comma separated socket selection (key[:value]).     -l --list-modules           listing available fp/out modules.     -V --list-debug             listing available debug options.     -A --print-args             Output the args record.     -X --priv-ports             job only source port betwixt 1 as well as 1024.     -N --nosafe                 buy the farm on going fifty-fifty if precisely about slaves neglect to start.     -w --www                    DNS volition attempt for www.<domain>.     -b --progress               exhibit progress.     -x --dryrun                 dry out run.

See the wiki for more.

Standalone usage
Scannerl tin give the axe last used on the local host without whatever other host. However, it volition even as well as hence create a slave node on the same host it is run from. Therefore, the requirements described inward Distributed setup must also last met.
Influenza A virus subtype H5N1 quick agency to practise this is to brand certain your host is able to resolve itself with

grep -q "127.0.1.1\s*`hostname`" /etc/hosts || echo "127.0.1.1 `hostname`" | sudo tee -a /etc/hosts

as well as create an SSH fundamental (if non yet present) as well as add together it to the authorized_keys (you demand an SSH server running):

cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

The next instance runs an HTTP banner grabing on google.com from localhost

./scannerl -m httpbg -d google.com

Distributed usage
In social club to perform a distributed scan, ane demand to pre-setup the hosts that volition last used past times scannerl to distribute the work. See Distributed setup for to a greater extent than information.
Scannerl expects a listing of slaves to job (provided past times the -s or -S switches).

./scannerl -m httpbg -d google.com -s host1,host2,host3

List available modules
Scannerl volition listing the available modules (output modules every bit good every bit fingerprinting modules) amongst the -l switch:

$ ./scannerl -l  Fingerprinting modules available ================================  bacnet             UDP/47808: Bacnet identification chargen            UDP/19: Chargen amplification cistron identification play a trick on                TCP/1911: FOX identification httpbg             TCP/80: HTTP Server header identification                      - Arg1: [true|false] follow redirection [Default:false] httpsbg            SSL/443: HTTPS Server header identification https_certif       SSL/443: HTTPS certificate graber imap_certif        TCP/143: IMAP STARTTLS certificate graber modbus             TCP/502: Modbus identification mqtt               TCP/1883: MQTT identification mqtts              TCP/8883: MQTT over SSL identification mysql_greeting     TCP/3306: Mysql version identification pop3_certif        TCP/110: POP3 STARTTLS certificate graber smtp_certif        TCP/25: SMTP STARTTLS certificate graber ssh_host_key       TCP/22: SSH host fundamental graber  Output modules available ========================  csv                output to csv                      - Arg1: [true|false] salvage everything [Default:true] csvfile            output to csv file                      - Arg1: [true|false] salvage everything [Default:false]                      - Arg2: File path file               output to file                      - Arg1: File path file_ip            output to stdout (only ip)                      - Arg1: File path file_mini          output to file (only ip as well as result)                      - Arg1: File path file_resultonly    output to file (only result)                      - Arg1: File path stdout             output to stdout stdout_ip          output to stdout (only IP) stdout_mini        output to stdout (only ip as well as result)

Modules arguments
Arguments tin give the axe last provided to modules amongst a colon. For instance for the file output module:

./scannerl -m httpbg -d google.com -o file:/tmp/result

Result format
The lawsuit returned past times scannerl to the output modules has the next form:

{module, target, port, result}

Where

• module: the module used (Erlang atom)
• target: IP or hostname (string or IPv4 address)
• port: the port (integer)
• result: run into below

The result purpose is of the form:

{{status, type},Value}

Where {status, type} is ane of the next tuples:

• {ok, result}: fingerprinting the target succeeded
• {error, up}: fingerprinting didn't succeed but the target responded
• {error, unknown}: fingerprinting failed

Value is the returned value - it is either an atom or a listing of element

Extending Scannerl
Scannerl has been designed as well as implemented amongst modularity inward mind. It is slowly to add together novel modules to it:

• Fingerprinting module: to inquiry a specific protocol or service. As an example, the fp_httpbg.erl module allows to recall the server entry inward the HTTP response.
• Output module: to output to a specific database/filesystem or output the lawsuit inward a specific format. For example, the out_file.erl as well as out_stdout.erl modules allow respectively to output to a file or to stdout (default behaviour if non specified).

To create novel modules, but follow the behaviour (fp_module.erl for fingerprinting modules as well as out_behavior.erl for output module) as well as implement your modules.
New modules tin give the axe either last added at compile fourth dimension or dynamically every bit an external file.
See the wiki page for more.

Download Scannerl