Scannerl - The Modular Distributed Fingerprinting Engine
Scannerl is a modular distributed fingerprinting engine implemented by Kudelski Security. Scannerl can fingerprint thousands of targets on a single host, but can just as easily be distributed across multiple hosts. Scannerl is to fingerprinting what zmap is to port scanning.
Scannerl works on Debian/Ubuntu/Arch (but will probably work on other distributions as well). It uses a master/slave architecture where the master node distributes the work (host(s) to fingerprint) to its slaves (local or remote). The entire deployment is transparent to the user.
Why use Scannerl
When using conventional fingerprinting tools for large-scale analysis, security researchers will often hit two limitations: first, these tools are typically built for scanning comparatively few hosts at a time and are inappropriate for large ranges of IP addresses. Second, if a large range of IP addresses protected by IPS devices is being fingerprinted, the probability of being blacklisted is higher, which could lead to an incomplete set of information. Scannerl is designed to circumvent these limitations, not only by providing the ability to fingerprint multiple hosts simultaneously, but also by distributing the load across an arbitrary number of hosts. Scannerl also makes the distribution of these tasks completely transparent, which makes setup and maintenance of large-scale fingerprinting projects trivial; this lets you focus on the analyses rather than the herculean task of managing and distributing fingerprinting processes by hand. In addition to the speed factor, scannerl has been designed so that specific fingerprinting analyses can be set up in a few lines of code. Not only is a fingerprinting cluster easy to set up, but it can be tweaked by adding fine-tuned scans to your fingerprinting campaigns.
It is the fastest tool to perform large scale fingerprinting campaigns.
For more:
- Fingerprint all the things with scannerl at BlackAlps
- Fingerprinting MySQL with scannerl
- Fingerprint ICS/Scada with scannerl
- Distributed fingerprinting with scannerl
- 6 months of ICS scanning
Installation
See the different installation options on the wiki installation page.
To install from source, first install Erlang (at least v.18) by choosing the right packaging for your platform: Erlang downloads
Install the required packages:
# on debian
$ sudo apt install erlang erlang-src rebar
# on arch
$ sudo pacman -S erlang-nox rebar
$ git clone https://github.com/kudelskisecurity/scannerl.git
$ cd scannerl
$ ./build.sh
$ ./scannerl -h
DEBs (Ubuntu, Debian) are available in the releases.
RPMs (Opensuse, Centos, Redhat) are available under https://build.opensuse.org/package/show/home:chapeaurouge/scannerl.
Distributed setup
Two types of nodes are needed to perform a distributed scan:
- Master node: this is where scannerl's binary is run
- Slave node(s): this is where scannerl will connect to distribute all its work
Requirements for a distributed scan:
- All hosts have the same version of Erlang installed
- All hosts are able to connect to each other using SSH public key authentication
- All hosts' names resolve (use /etc/hosts if no proper DNS is set up)
- All hosts have the same Erlang security cookie
- All hosts must allow connections to the Erlang EPMD port (TCP/4369)
- All hosts have the following range of ports opened: TCP/11100 to TCP/11100 + number-of-slaves
Usage
$ ./scannerl -h
USAGE
  scannerl MODULE TARGETS [NODES] [OPTIONS]

  MODULE:
    -m <mod> --module <mod>
      mod: the fingerprinting module to use.
      arguments are separated with a colon.

  TARGETS:
    -f <target> --target <target>
      target: a list of target separated by a comma.
    -F <path> --target-file <path>
      path: the path of the file containing one target per line.
    -d <domain> --domain <domain>
      domain: a list of domains separated by a comma.
    -D <path> --domain-file <path>
      path: the path of the file containing one domain per line.

  NODES:
    -s <node> --slave <node>
      node: a list of node (hostnames not IPs) separated by a comma.
    -S <path> --slave-file <path>
      path: the path of the file containing one node per line.
      a node can also be supplied with a multiplier (<node>*<nb>).

  OPTIONS:
    -o <mod> --output <mod>       comma separated list of output module(s) to use.
    -p <port> --port <port>       the port to fingerprint.
    -t <sec> --timeout <sec>      the fingerprinting process timeout.
    -T <sec> --stimeout <sec>     slave connection timeout (default: 10).
    -j <nb> --max-pkt <nb>        max pkt to receive (int or "infinity").
    -r <nb> --retry <nb>          retry counter (default: 0).
    -c <cidr> --prefix <cidr>     sub-divide range with prefix > cidr (default: 24).
    -M <port> --message <port>    port to listen for message (default: 57005).
    -P <nb> --process <nb>        max simultaneous process per node (default: 28232).
    -Q <nb> --queue <nb>          max nb unprocessed results in queue (default: infinity).
    -C <path> --config <path>     read arguments from file, one per line.
    -O <mode> --outmode <mode>    0: on Master, 1: on slave, >1: on broker (default: 0).
    -v <val> --verbose <val>      be verbose (0 <= int <= 255).
    -K <opt> --socket <opt>       comma separated socket option (key[:value]).
    -l --list-modules             list available fp/out modules.
    -V --list-debug               list available debug options.
    -A --print-args               Output the args record.
    -X --priv-ports               use only source port between 1 and 1024.
    -N --nosafe                   keep going even if some slaves fail to start.
    -w --www                      DNS will try for www.<domain>.
    -b --progress                 show progress.
    -x --dryrun                   dry run.
See the wiki for more.
Standalone usage
Scannerl can be used on the local host without any other host. However, it will still create a slave node on the same host it is run from. Therefore, the requirements described in Distributed setup must also be met.
A quick way to do this is to make sure your host is able to resolve itself with
grep -q "127.0.1.1\s*`hostname`" /etc/hosts || echo "127.0.1.1 `hostname`" | sudo tee -a /etc/hosts
and that your own public key is in your authorized_keys (you need an SSH server running):
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
./scannerl -m httpbg -d google.com
Distributed usage
In order to perform a distributed scan, one needs to pre-setup the hosts that will be used by scannerl to distribute the work. See Distributed setup for more information.
Scannerl expects a list of slaves to use (provided by the -s or -S switches).
./scannerl -m httpbg -d google.com -s host1,host2,host3
List available modules
Scannerl will list the available modules (output modules as well as fingerprinting modules) with the -l switch:
$ ./scannerl -l
Fingerprinting modules available
================================
bacnet           UDP/47808: Bacnet identification
chargen          UDP/19: Chargen amplification factor identification
fox              TCP/1911: FOX identification
httpbg           TCP/80: HTTP Server header identification
                   - Arg1: [true|false] follow redirection [Default:false]
httpsbg          SSL/443: HTTPS Server header identification
https_certif     SSL/443: HTTPS certificate graber
imap_certif      TCP/143: IMAP STARTTLS certificate graber
modbus           TCP/502: Modbus identification
mqtt             TCP/1883: MQTT identification
mqtts            TCP/8883: MQTT over SSL identification
mysql_greeting   TCP/3306: Mysql version identification
pop3_certif      TCP/110: POP3 STARTTLS certificate graber
smtp_certif      TCP/25: SMTP STARTTLS certificate graber
ssh_host_key     TCP/22: SSH host key graber

Output modules available
========================
csv              output to csv
                   - Arg1: [true|false] save everything [Default:true]
csvfile          output to csv file
                   - Arg1: [true|false] save everything [Default:false]
                   - Arg2: File path
file             output to file
                   - Arg1: File path
file_ip          output to stdout (only ip)
                   - Arg1: File path
file_mini        output to file (only ip and result)
                   - Arg1: File path
file_resultonly  output to file (only result)
                   - Arg1: File path
stdout           output to stdout
stdout_ip        output to stdout (only IP)
stdout_mini      output to stdout (only ip and result)
Module arguments
Arguments can be provided to modules with a colon. For instance, for the file output module:
./scannerl -m httpbg -d google.com -o file:/tmp/result
Result format
The result returned by scannerl to the output modules has the following form:
{module, target, port, result}
Where
- module: the module used (Erlang atom)
- target: IP or hostname (string or IPv4 address)
- port: the port (integer)
- result: see below

The result part is of the form:
{{status, type}, Value}

Where {status, type} is one of the following tuples:
- {ok, result}: fingerprinting the target succeeded
- {error, up}: fingerprinting didn't succeed but the target responded
- {error, unknown}: fingerprinting failed

Value is the returned value: it is either an atom or a list of elements.

Extending Scannerl
Scannerl has been designed and implemented with modularity in mind. It is easy to add new modules to it:
- Fingerprinting module: to query a specific protocol or service. As an example, the fp_httpbg.erl module retrieves the Server entry in the HTTP response.
- Output module: to output to a specific database/filesystem or to output the result in a specific format. For example, the out_file.erl and out_stdout.erl modules output to a file and to stdout respectively (stdout is the default behaviour if none is specified).
New modules can either be added at compile time or loaded dynamically as an external file.
See the wiki page for more.
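Output modules receive the {module, target, port, result} tuple described under Result format. The parser below is an added example and not code from scannerl: it assumes those tuples have been written out as Erlang-term text, one per line (the sample lines are constructed), decodes them in Python and normalises both target representations (string or {A,B,C,D} IPv4 tuple) and the three {status, type} outcomes into flat records.

```python
import re

class Atom(str): pass  # Erlang atom: a str subclass, so Atom("ok") == "ok" but the kind is kept
# Constructed sample results in the README's {module, target, port, result} form; values invented.
SAMPLE = [
    '{httpbg,"192.0.2.10",80,{{ok,result},"nginx/1.18.0"}}',
    '{ssh_host_key,{192,0,2,11},22,{{error,up},timeout}}',
    '{modbus,"203.0.113.5",502,{{error,unknown},[econnrefused,exhausted]}}',
]
# Each match is one token: quoted string, integer, atom, or a bracket/comma.
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|(-?\d+)|([a-z][\w@]*)|([{}\[\],]))')
_KINDS = ("str", "int", "atom", "punct")  # same order as the capture groups above

def _tokens(text):
    pos, out = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m: raise ValueError("unparsable term at offset %d" % pos)
        pos = m.end()
        out.append(next((k, g) for k, g in zip(_KINDS, m.groups()) if g is not None))
    return out

def _term(toks, i):
    # recursive descent over the token list; returns (value, index of next token)
    kind, val = toks[i]
    if kind == "str":  return val, i + 1
    if kind == "int":  return int(val), i + 1
    if kind == "atom": return Atom(val), i + 1
    if val not in "{[": raise ValueError("unexpected %r" % val)
    close, items, i = ("}" if val == "{" else "]"), [], i + 1
    while toks[i] != ("punct", close):
        item, i = _term(toks, i)
        items.append(item)
        if toks[i] == ("punct", ","):
            i += 1
    return (tuple(items) if close == "}" else items), i + 1

def parse_term(text):
    toks = _tokens(text.strip())
    value, end = _term(toks, 0)
    if end != len(toks): raise ValueError("trailing data after term")
    return value

def decode_result(line):
    """Flatten one result line; an {A,B,C,D} IPv4 tuple becomes a dotted string."""
    module, target, port, ((status, rtype), value) = parse_term(line)
    if isinstance(target, tuple):
        target = ".".join(str(octet) for octet in target)
    return {"module": str(module), "target": target, "port": port,
            "status": str(status), "type": str(rtype), "value": value}
```

Records with status "error" and type "up" are the ones worth a second look in a campaign: the target answered, so a retry (-r) or a longer timeout (-t) may turn them into results.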