Scannerl – The Modular Distributed Fingerprinting Engine

Scannerl - The Modular Distributed Fingerprinting Engine

Scannerl works on Debian/Ubuntu/Arch (however will in all probability work on different distributions as nicely). It makes use of a grasp/slave structure the place the grasp node will distribute the work (host(s) to fingerprint) to its slaves (native or distant). The whole deployment is clear to the consumer.

Why use Scannerl
When utilizing typical fingerprinting instruments for big-scale evaluation, safety researchers will typically hit two limitations: first, these instruments are usually constructed for scanning comparatively few hosts at a time and are inappropriate for big ranges of IP addresses. Second, if giant vary of IP addresses protected by IPS units are being fingerprinted, the likelihood of being blacklisted is larger what may result in an incomplete set of data. Scannerl is designed to avoid these limitations, not solely by offering the power to fingerprint a number of hosts concurrently, but additionally by distributing the load throughout an arbitrary variety of hosts. Scannerl additionally makes the distribution of those duties fully clear, which makes setup and upkeep of enormous-scale fingerprinting initiatives trivial; this permits to give attention to the analyses quite than the herculean process of managing and distributing fingerprinting processes by hand. In addition to the pace issue, scannerl has been designed to permit to simply arrange particular fingerprinting analyses in just a few strains of code. Not solely is the creation of a fingerprinting cluster simple to arrange, however it may be tweaked by including nice-tuned scans to your fingerprinting campaigns.
It is the quickest software to carry out giant scale fingerprinting campaigns.
For extra:

See the totally different set up choices underneath wiki installation page
To set up from supply, first set up Erlang (at the least v.18) by choosing the proper packaging on your platform: Erlang downloads
Install the required packages:

# on debian
$ sudo apt set up erlang erlang-src rebar

# on arch
$ sudo pacman -S erlang-nox rebar

Then construct scannerl:

$ git clone
$ cd scannerl
$ ./

Get the utilization by working
Scannerl is on the market on aur for arch linux customers
DEBs (Ubuntu, Debian) can be found within the releases.
RPMs (Opensuse, Centos, Redhat) can be found underneath

Distributed setup
Two varieties of nodes are wanted to carry out a distributed scan:

  • Master node: that is the place scannerl’s binary is run
  • Slave node(s): that is the place scannerl will connect with distribute all its work

The grasp node must have scannerl put in and compiled whereas the slave node(s) solely wants Erlang to be put in. The whole setup is clear and executed mechanically by the grasp node.
Requirements for a distributed scan:

  • All hosts have the identical model of Erlang put in
  • All hosts are in a position to join to one another utilizing SSH public key
  • All hosts’ names resolve (use /and many others/hosts if no correct DNS is setup)
  • All hosts have the identical Erlang security cookie
  • All hosts should permit connection to Erlang EPMD port (TCP/4369)
  • All hosts have the next vary of ports opened: TCP/11100 to TCP/11100 + quantity-of-slaves


$ ./scannerl -h
   ____   ____    _    _   _ _   _ _____ ____  _
  / ___| / ___|  /   |  | |  | | ____|  _ | |
  ___ | |     / _  |  | |  | |  _| | |_) | |
   ___) | |___ / ___ | |  | |  | |___|  _ <| |___
  |____/ ____/_/   __| _|_| _|_____|_| ______|


    -m <mod> --module <mod>
      mod: the fingerprinting module to make use of.
           arguments are separated with a colon.

    -f <goal> --target <goal>
      goal: an inventory of goal separated by a comma.
    -F <path> --target-file <path>
      path: the trail of the file containing one goal per line.
    -d <area> --domain <area>
      area: an inventory of domains separated by a comma.
    -D <path> --domain-file <path>
      path: the trail of the file containing one area per line.

    -s <node> --slave <node>
      node: an inventory of node (hostnames not IPs) separated by a comma.
    -S <path> --slave-file <path>
      path: the trail of the file containing one node per line.
            a node may also be equipped with a multiplier (<node>*<nb>).

    -o <mod> --output <mod>     comma separated record of output module(s) to make use of.
    -p <port> --port <port>     the port to fingerprint.
    -t <sec> --timeout <sec>    the fingerprinting course of timeout.
    -T <sec> --stimeout <sec>   slave connection timeout (default: 10).
    -j <nb> --max-pkt <nb>      max pkt to obtain (int or "infinity").
    -r <nb> --retry <nb>        retry counter (default: 0).
    -c <cidr> --prefix <cidr>   sub-divide vary with prefix > cidr (default: 24).
    -M <port> --message <port>  port to pay attention for message (default: 57005).
    -P <nb> --process <nb>      max simultaneous course of per node (default: 28232).
    -Q <nb> --queue <nb>        max nb unprocessed leads to queue (default: infinity).
    -C <path> --config <path>   learn arguments from file, one per line.
    -O <mode> --outmode <mode>  0: on Master, 1: on slave, >1: on dealer (default: 0).
    -v <val> --verbose <val>    be verbose (0 <= int <= 255).
    -Ok <decide> --socket <decide>     comma separated socket possibility (key[:value]).
    -l --list-modules           record out there fp/out modules.
    -V --list-debug             record out there debug choices.
    -A --print-args             Output the args report.
    -X --priv-ports             use solely supply port between 1 and 1024.
    -N --nosafe                 maintain going even when some slaves fail to start out.
    -w --www                    DNS will attempt for www.<area>.
    -b --progress               present progress.
    -x --dryrun                 dry run.

See the wiki for extra.

Standalone utilization
Scannerl can be utilized on the native host with out some other host. However, it can nonetheless create a slave node on the identical host it’s run from. Therefore, the necessities described in Distributed setup should even be met.
A fast method to do that is to verify your host is ready to resolve itself with

grep -q "*`hostname`" /and many others/hosts || echo " `hostname`" | sudo tee -a /and many others/hosts

and create an SSH key (if not but current) and add it to the authorized_keys (you want an SSH server working):

cat $HOME/.ssh/ >> $HOME/.ssh/authorized_keys

The following instance runs an HTTP banner grabing on from localhost

./scannerl -m httpbg -d

Distributed utilization
In order to carry out a distributed scan, one must pre-setup the hosts that might be utilized by scannerl to distribute the work. See Distributed setup for extra info.
Scannerl expects an inventory of slaves to make use of (offered by the -s or -S switches).

./scannerl -m httpbg -d -s host1,host2,host3

List out there modules
Scannerl will record the out there modules (output modules in addition to fingerprinting modules) with the -l change:

$ ./scannerl -l

Fingerprinting modules out there

bacnet             UDP/47808: Bacnet identification
chargen            UDP/19: Chargen amplification issue identification
fox                TCP/1911: FOX identification
httpbg             TCP/80: HTTP Server header identification
                     - Arg1: [true|false] comply with redirection [Default:false]
httpsbg            SSL/443: HTTPS Server header identification
https_certif       SSL/443: HTTPS certificates graber
imap_certif        TCP/143: IMAP STARTTLS certificates graber
modbus             TCP/502: Modbus identification
mqtt               TCP/1883: MQTT identification
mqtts              TCP/8883: MQTT over SSL identification
mysql_greeting     TCP/3306: Mysql model identification
pop3_certif        TCP/110: POP3 STARTTLS certificates graber
smtp_certif        TCP/25: SMTP STARTTLS certificates graber
ssh_host_key       TCP/22: SSH host key graber

Output modules out there

csv                output to csv
                     - Arg1: [true|false] save the whole lot [Default:true]
csvfile            output to csv file
                     - Arg1: [true|false] save the whole lot [Default:false]
                     - Arg2: File path
file               output to file
                     - Arg1: File path
file_ip            output to stdout (solely ip)
                     - Arg1: File path
file_mini          output to file (solely ip and end result)
                     - Arg1: File path
file_resultonly    output to file (solely end result)
                     - Arg1: File path
stdout             output to stdout
stdout_ip          output to stdout (solely IP)
stdout_mini        output to stdout (solely ip and end result)

Modules arguments
Arguments could be offered to modules with a colon. For instance for the file output module:

./scannerl -m httpbg -d -o file:/tmp/end result

Result format
The end result returned by scannerl to the output modules has the next type:

{module, goal, port, end result}


  • module: the module used (Erlang atom)
  • goal: IP or hostname (string or IPv4 tackle)
  • port: the port (integer)
  • end result: see beneath

The end result half is of the shape:

{{standing, sort},Value}

Where {standing, sort} is among the following tuples:

  • {okay, end result}: fingerprinting the goal succeeded
  • {error, up}: fingerprinting did not succeed however the goal responded
  • {error, unknown}: fingerprinting failed

Value is the returned worth – it’s both an atom or an inventory of ingredient

Extending Scannerl
Scannerl has been designed and applied with modularity in thoughts. It is simple so as to add new modules to it:

  • Fingerprinting module: to question a selected protocol or service. As an instance, the fp_httpbg.erl module permits to retrieve the server entry within the HTTP response.
  • Output module: to output to a selected database/filesystem or output the end in a selected format. For instance, the out_file.erl and out_stdout.erl modules permit respectively to output to a file or to stdout (default conduct if not specified).

To create new modules, merely comply with the conduct (fp_module.erl for fingerprinting modules and out_behavior.erl for output module) and implement your modules.
New modules can both be added at compile time or dynamically as an exterior file.
See the wiki page for extra.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.