scannerl v0.42 release: The modular distributed fingerprinting engine

Scannerl

Scannerl is a modular distributed fingerprinting engine implemented by Kudelski Security. It can fingerprint thousands of targets on a single host, but can just as easily be distributed across multiple hosts. It is to fingerprint what zmap is to port scanning.

It works on Debian/Ubuntu/Arch (but will probably work on other distributions as well). It uses a master/slave architecture where the master node will distribute the work (host(s) to fingerprint) to its slaves (local or remote). The entire deployment is transparent to the user.

When using conventional fingerprinting tools for large-scale analysis, security researchers will often hit two limitations: first, these tools are typically built for scanning comparatively few hosts at a time and are inappropriate for large ranges of IP addresses. Second, if the large range of IP addresses protected by IPS devices are being fingerprinted, the probability of being blacklisted is higher what could lead to an incomplete set of information. It is designed to circumvent these limitations, not only by providing the ability to fingerprint multiple hosts simultaneously but also by distributing the load across an arbitrary number of hosts. Scannerl also makes the distribution of these tasks completely transparent, which makes setup and maintenance of large-scale fingerprinting projects trivial; this allows to focus on the analyses rather than the herculean task of managing and distributing fingerprinting processes by hand. In addition to the speed factor, scannerl has been designed to allow to easily set up specific fingerprinting analyses in a few lines of code. Not only is the creation of a fingerprinting cluster easy to set up, but it can be tweaked by adding fine-tuned scans to your fingerprinting campaigns.

It is the fastest tool to perform large-scale fingerprinting campaigns.

Changelog v0.42

  • release modules for grabing certificates
    • with starttls (imap, smtp, pop3)
    • for ssh host key
    • for https X509 certificates
  • refactoring

Usage

Scannerl

$ ./scannerl -h
   ____   ____    _    _   _ _   _ _____ ____  _
  / ___| / ___|  / \  | \ | | \ | | ____|  _ \| |
  \___ \| |     / _ \ |  \| |  \| |  _| | |_) | |
   ___) | |___ / ___ \| |\  | |\  | |___|  _ <| |___
  |____/ \____/_/   \_\_| \_|_| \_|_____|_| \_\_____|

USAGE
  scannerl MODULE TARGETS [NODES] [OPTIONS]

  MODULE:
    -m <mod> --module <mod>
      mod: the fingerprinting module to use.
           arguments are separated with a colon.

  TARGETS:
    -f <target> --target <target>
      target: a list of target separated by a comma.
    -F <path> --target-file <path>
      path: the path of the file containing one target per line.
    -d <domain> --domain <domain>
      domain: a list of domains separated by a comma.
    -D <path> --domain-file <path>
      path: the path of the file containing one domain per line.

  NODES:
    -s <node> --slave <node>
      node: a list of node (hostnames not IPs) separated by a comma.
    -S <path> --slave-file <path>
      path: the path of the file containing one node per line.
            a node can also be supplied with a multiplier (<node>*<nb>).

  OPTIONS:
    -o <mod> --output <mod>     comma separated list of output module(s) to use.
    -p <port> --port <port>     the port to fingerprint.
    -t <sec> --timeout <sec>    the fingerprinting process timeout.
    -T <sec> --stimeout <sec>   slave connection timeout (default: 10).
    -j <nb> --max-pkt <nb>      max pkt to receive (int or "infinity").
    -r <nb> --retry <nb>        retry counter (default: 0).
    -c <cidr> --prefix <cidr>   sub-divide range with prefix > cidr (default: 24).
    -M <port> --message <port>  port to listen for message (default: 57005).
    -P <nb> --process <nb>      max simultaneous process per node (default: 28232).
    -Q <nb> --queue <nb>        max nb unprocessed results in queue (default: infinity).
    -C <path> --config <path>   read arguments from file, one per line.
    -O <mode> --outmode <mode>  0: on Master, 1: on slave, >1: on broker (default: 0).
    -v <val> --verbose <val>    be verbose (0 <= int <= 255).
    -K <opt> --socket <opt>     comma separated socket option (key[:value]).
    -l --list-modules           list available fp/out modules.
    -V --list-debug             list available debug options.
    -A --print-args             Output the args record.
    -X --priv-ports             use only source port between 1 and 1024.
    -N --nosafe                 keep going even if some slaves fail to start.
    -w --www                    DNS will try for www.<domain>.
    -b --progress               show progress.
    -x --dryrun                 dry run.

 

 

 

Scannerl will list the available modules (output modules as well as fingerprinting modules) with the -l switch:

$ ./scannerl -l

Fingerprinting modules available
================================

bacnet             UDP/47808: Bacnet identification
chargen            UDP/19: Chargen amplification factor identification
fox                TCP/1911: FOX identification
httpbg             TCP/80: HTTP Server header identification
                     - Arg1: [true|false] follow redirection [Default:false]
httpsbg            SSL/443: HTTPS Server header identification
modbus             TCP/502: Modbus identification
mqtt               TCP/1883: MQTT identification
mqtts              TCP/8883: MQTT over SSL identification
mysql_greeting     TCP/3306: Mysql version identification

Output modules available
========================

csv                output to csv
                     - Arg1: [true|false] save everything [Default:true]
csvfile            output to csv file
                     - Arg1: [true|false] save everything [Default:false]
                     - Arg2: File path
file               output to file
                     - Arg1: File path
file_ip            output to stdout (only ip)
                     - Arg1: File path
file_mini          output to file (only ip and result)
file_resultonly    output to file (only result)
stdout             output to stdout
stdout_ip          output to stdout (only IP)
stdout_mini        output to stdout (only ip and result)

 

Installation

Tutorial

Copyright(c) 2017 Nagravision SA.

Share