Scannerl is a modular distributed fingerprinting engine implemented by Kudelski Security. It can fingerprint thousands of targets on a single host, but can just as easily be distributed across multiple hosts. It is to fingerprinting what zmap is to port scanning.
Scannerl works on Debian/Ubuntu/Arch (but will probably work on other distributions as well). It uses a master/slave architecture where the master node will distribute the work (host(s) to fingerprint) to its slaves (local or remote). The entire deployment is transparent to the user.
When using conventional fingerprinting tools for large-scale analysis, security researchers will often hit two limitations: first, these tools are typically built for scanning comparatively few hosts at a time and are inappropriate for large ranges of IP addresses.
Second, if large range of IP addresses protected by IPS devices are being fingerprinted, the probability of being blacklisted is higher what could lead to an incomplete set of information.
It is designed to circumvent these limitations, not only by providing the ability to fingerprint multiple hosts simultaneously, but also by distributing the load across an arbitrary number of hosts.
It also makes the distribution of these tasks completely transparent, which makes setup and maintenance of large-scale fingerprinting projects trivial; this allows to focus on the analyses rather than the herculean task of managing and distributing fingerprinting processes by hand.
In addition to the speed factor, it has been designed to allow to easily set up specific fingerprinting analyses in a few lines of code. Not only is the creation of a fingerprinting cluster easy to set up, but it can be tweaked by adding fine-tuned scans to your fingerprinting campaigns.
It is the fastest tool to perform large scale fingerprinting campaigns.
Also ReadBlobRunner – Quickly Debug Shellcode Extracted During Malware Analysis
To install from source, first install Erlang (at least v.18) by choosing the right packaging for your platform: Erlang downloads
Install the required packages:
# on debian
$ sudo apt install erlang erlang-src rebar
# on arch
$ sudo pacman -S erlang-nox rebar Then build scannerl:
$ git clone https://github.com/kudelskisecurity/scannerl.git
$ cd scannerl
$ ./build.sh Get the usage by running
$ ./scannerl -h Scannerl is available on aur for arch linux users
$ ./scannerl -h
____ ____ _ _ _ _ _ _____ ____ _
/ ___| / ___| / \ | \ | | \ | | ____| _ \| |
\___ \| | / _ \ | \| | \| | _| | |_) | |
___) | |___ / ___ \| |\ | |\ | |___| _ <| |___
|____/ \____/_/ \_\_| \_|_| \_|_____|_| \_\_____|
USAGE
scannerl MODULE TARGETS [NODES] [OPTIONS]
MODULE:
-m <mod> --module <mod>
mod: the fingerprinting module to use.
arguments are separated with a colon.
TARGETS:
-f <target> --target <target>
target: a list of target separated by a comma.
-F <path> --target-file <path>
path: the path of the file containing one target per line.
-d <domain> --domain <domain>
domain: a list of domains separated by a comma.
-D <path> --domain-file <path>
path: the path of the file containing one domain per line.
NODES:
-s <node> --slave <node>
node: a list of node (hostnames not IPs) separated by a comma.
-S <path> --slave-file <path>
path: the path of the file containing one node per line.
a node can also be supplied with a multiplier (<node>*<nb>).
OPTIONS:
-o <mod> --output <mod> comma separated list of output module(s) to use.
-p <port> --port <port> the port to fingerprint.
-t <sec> --timeout <sec> the fingerprinting process timeout.
-T <sec> --stimeout <sec> slave connection timeout (default: 10).
-j <nb> --max-pkt <nb> max pkt to receive (int or "infinity").
-r <nb> --retry <nb> retry counter (default: 0).
-c <cidr> --prefix <cidr> sub-divide range with prefix > cidr (default: 24).
-M <port> --message <port> port to listen for message (default: 57005).
-P <nb> --process <nb> max simultaneous process per node (default: 28232).
-Q <nb> --queue <nb> max nb unprocessed results in queue (default: infinity).
-C <path> --config <path> read arguments from file, one per line.
-O <mode> --outmode <mode> 0: on Master, 1: on slave, >1: on broker (default: 0).
-v <val> --verbose <val> be verbose (0 <= int <= 255).
-K <opt> --socket <opt> comma separated socket option (key[:value]).
-l --list-modules list available fp/out modules.
-V --list-debug list available debug options.
-A --print-args Output the args record.
-X --priv-ports use only source port between 1 and 1024.
-N --nosafe keep going even if some slaves fail to start.
-w --www DNS will try for www.<domain>.
-b --progress show progress.
-x --dryrun dry run.
It can be used on the local host without any other host. However, it will still create a slave node on the same host it is run from. Therefore, the requirements described in setup must also be met.
A quick way to do this is to make sure your host is able to resolve itself with
grep -q "127.0.1.1\s*`hostname`" /etc/hosts || echo "127.0.1.1 `hostname`" | sudo tee -a /etc/hosts and create an SSH key (if not yet present) and add it to the authorized_keys (you need an SSH server running):
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys The following example runs an HTTP banner grabing on google.com from localhost
./scannerl -m httpbg -d google.com In order to perform a distributed scan, one need to pre-setup the hosts that will be used by scannerl to distribute the work. See setup for more information.
Scannerl expects a list of slaves to use (provided by the -s or -S switches).
./scannerl -m httpbg -d google.com -s host1,host2,host3 Scannerl will list the available modules (output modules as well as fingerprinting modules) with the -l switch:
$ ./scannerl -l
Fingerprinting modules available
================================
bacnet UDP/47808: Bacnet identification
chargen UDP/19: Chargen amplification factor identification
fox TCP/1911: FOX identification
httpbg TCP/80: HTTP Server header identification
- Arg1: [true|false] follow redirection [Default:false]
httpsbg SSL/443: HTTPS Server header identification
https_certif SSL/443: HTTPS certificate graber
imap_certif TCP/143: IMAP STARTTLS certificate graber
modbus TCP/502: Modbus identification
mqtt TCP/1883: MQTT identification
mqtts TCP/8883: MQTT over SSL identification
mysql_greeting TCP/3306: Mysql version identification
pop3_certif TCP/110: POP3 STARTTLS certificate graber
smtp_certif TCP/25: SMTP STARTTLS certificate graber
ssh_host_key TCP/22: SSH host key graber
Output modules available
========================
csv output to csv
- Arg1: [true|false] save everything [Default:true]
csvfile output to csv file
- Arg1: [true|false] save everything [Default:false]
- Arg2: File path
file output to file
- Arg1: File path
file_ip output to stdout (only ip)
- Arg1: File path
file_mini output to file (only ip and result)
- Arg1: File path
file_resultonly output to file (only result)
- Arg1: File path
stdout output to stdout
stdout_ip output to stdout (only IP)
stdout_mini output to stdout (only ip and result) Arguments can be provided to modules with a colon. For example for the file output module:
./scannerl -m httpbg -d google.com -o file:/tmp/result The result returned by scannerl to the output modules has the following form:
{module, target, port, result}
Where
module: the module used (Erlang atom)target: IP or hostname (string or IPv4 address)port: the port (integer)result: see belowThe result part is of the form:
{{status, type},Value}
Where {status, type} is one of the following tuples:
{ok, result}: fingerprinting the target succeeded{error, up}: fingerprinting didn’t succeed but the target responded{error, unknown}: fingerprinting failedValue is the returned value – it is either an atom or a list of element
Scannerl has been designed and implemented with modularity in mind. It is easy to add new modules to it:
To create new modules, simply follow the behavior (fp_module.erl for fingerprinting modules and out_behavior.erl for output module) and implement your modules.
New modules can either be added at compile time or dynamically as an external file.
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…