cloudflare / flan Goto Github PK

A pretty sweet vulnerability scanner

License: BSD 3-Clause "New" or "Revised" License

Dockerfile 1.41% Makefile 1.98% Python 77.76% Shell 3.69% HTML 15.15%

flan's Introduction

Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.

Flan Scan is a wrapper over Nmap and the vulners script which turns Nmap into a full-fledged network vulnerability scanner. Flan Scan makes it easy to deploy Nmap locally within a container, push results to the cloud, and deploy the scanner on Kubernetes.

Getting Started

Clone this repository
Make sure you have docker setup:

$ docker --version

Add the list of IP addresses or CIDRS you wish to scan to shared/ips.txt.
Build the container:

$ make build

Start scanning!

$ make start

By default flan creates Latex reports, to get other formats run:

$ make html

Additional supported formats are md (markdown), html and json.

When the scan finishes you will find the reports summarizing the scan in shared/reports. You can also see the raw XML output from Nmap in shared/xml_files.

Custom Nmap Configuration

By default Flan Scan runs the following Nmap command:

$ nmap -sV -oX /shared/xml_files -oN - -v1 $@ --script=vulners/vulners.nse <ip-address>

The -oX flag adds an XML version of the scan results to the /shared/xml_files directory and the -oN - flag outputs "normal" Nmap results to the console. The -v1 flag increases the verbosity to 1 and the -sV flag runs a service detection scan (aside from Nmap's default port and SYN scans). The --script=vulners/vulners.nse is the script that matches the services detected with relevant CVEs.

Nmap also allows you to run UDP scans and to scan IPv6 addresses. To add these and other flags to Flan Scan's Nmap command after running make build run the container and pass in your Nmap flags like so:

$ docker run -v $(CURDIR)/shared:/shared flan_scan <Nmap-flags>

Pushing Results to the Cloud

Flan Scan currently supports pushing Latex reports and raw XML Nmap output files to a GCS Bucket or to an AWS S3 Bucket. Flan Scan requires 2 environment variables to push results to the cloud. The first is upload which takes one of two values gcp or aws. The second is bucket and the value is the name of the S3 or GCS Bucket to upload the results to. To set the environment variables, after running make build run the container setting the environment variables like so:

$ docker run --name <container-name> \
             -v $(CURDIR)/shared:/shared \
             -e upload=<gcp or aws> \
             -e bucket=<bucket-name> \
             -e format=<optional, one of: md, html or json> \
             flan_scan

Below are some examples for adding the necessary AWS or GCP authentication keys as environment variables in container. However, this can also be accomplished with a secret in Kubernetes that exposes the necessary environment variables or with other secrets management tools.

Example GCS Bucket Configuration

Copy your GCS private key for a service account to the /shared file

$ cp <path-to-local-gcs-key>/key.json shared/

Run the container setting the GOOGLE_APPLICATION_CREDENTIALS environment variable as the path to the GCS Key

$ docker run --name <container-name> \
             -v $(CURDIR)/shared:/shared \
             -e upload=gcp \
             -e bucket=<bucket-name> \
             -e GOOGLE_APPLICATION_CREDENTIALS=/shared/key.json
             -e format=<optional, one of: md, html or json> \
             flan_scan

Example AWS S3 Bucket Configuration

Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables to the corresponding variables for your S3 service account.

docker run --name <container-name> \
           -v $(CURDIR)/shared:/shared \
           -e upload=aws \
           -e bucket=<s3-bucket-name> \
           -e AWS_ACCESS_KEY_ID=<your-aws-access-key-id> \
           -e AWS_SECRET_ACCESS_KEY=<your-aws-secret-access-key> \
           -e format=<optional, one of: md, html or json> \
           flan_scan

Deploying on Kubernetes

When deploying Flan Scan to a container orchestration system, such as Kubernetes, you must ensure that the container has access to a file called ips.txt at the directory /. In Kubernetes, this can be done with a ConfigMap which will mount a file on your local filesystem as a volume that the container can access once deployed. The kustomization.yaml file has an example of how to create a ConfigMap called shared-files. This ConfigMap is then mounted as a volume in the deployment.yaml file.

Here are some easy steps to deploy Flan Scan on Kubernetes:

To create the ConfigMap add a path to a local ips.txt file in kustomization.yaml and then run kubectl apply -k ..
Now run kubectl get configmap to make sure the ConfigMap was created properly.
Set the necessary environment variables and secrets for your cloud provider within deployment.yaml.
Now run kubectl apply -f deployment.yaml to launch a deployment running Flan Scan.

Flan Scan should be running on Kubernetes successfully!

flan's People

Contributors

Stargazers

Watchers

Forkers

mbeacom mroote codeglitch0 rtradeltd jin89 jackusm ctrl78 gdraperi modulexcite dimitris-t akhepcat toygang runonceex jennerb stayen adampielak vlameiras c0dak affordablemobiles subi3wr3x penneke ghane dannymcc sekmet daveschmidt86 hax0rg1rl jeffapitts acumenix markwh245 sry309 techris45 5up3rc mehrdad-shokri arryboom backwardn eagleone42 moosbaue shadowscatcher uchihasr pingf kotopes easyrider script-newbie ro9ueadmin caglaroflazoglu pavonis9 shadyzpop devopseze preventions m00zh33 inspectordidi awesome-archive punittailor55 lubyruffy tarsbase 1454325915 kz9 jingqiangliu junseul root360 pwapou softasap threatpage dirkwilken fabiofarina steffikerst taohexx vadimiljin prahs chrysanthos mlynchcogent ismail774403783 crackercat gavz alaincaron botshub fakegit itsnix salman0 muharihar hwany417 hadesangel sqler21c jingmian nbuzydeb uapoincare flover97 shahedkhanulab leiyuch allchain tolidano ghost068 louieegarcia cqueern lidahan rahmiy kurioapp nfaihi kakuye piyapsri

flan's Issues

Code incompatible with Python 3

In aws_push.py, the code used to process the exception is only valid on Python 2.

In order to work on Python 3, it should use the "as" keyword instead of the comma syntax. More info here.

shared/ips.txt - last IP requires a endline character inorder to be scanned 🇺🇦

Scenario 1: File with endline character
shared/ips.txt

$ hexdump -C shared/ips.txt
00000000  31 2e 31 2e 31 2e 31 0a  38 2e 38 2e 38 2e 38 0a  |1.1.1.1.8.8.8.8.|
00000010

Scenario 2: File without endline character
shared/ips.txt

$ hexdump -C shared/ips.txt
00000000  31 2e 31 2e 31 2e 31 0a  38 2e 38 2e 38 2e 38     |1.1.1.1.8.8.8.8|
0000000f

run

$ make start
docker run --name flan_1574459039 -v /Users/vincentclee/git/flan/shared:/shared flan_scan
# Nmap 7.70 scan initiated Fri Nov 22 21:44:00 2019 as: nmap -sV -oX /shared/xml_files/2019.11.22-21.44/1.1.1.1.xml -oN - -v1 --script=vulners/vulners.nse 1.1.1.1
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.00042s latency).
All 1000 scanned ports on one.one.one.one (1.1.1.1) are filtered

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 21:44:12 2019 -- 1 IP address (1 host up) scanned in 11.93 seconds

Produce the report in HTML, not LaTeX.

I spent 30 minutes installing various LaTeX packages and extra fonts on Ubuntu 18.04 to be able to view the LaTeX report the scan generates.

Reports in LaTeX format is a usability bug.

Just generate report in plain HTML.

Feedback and Feature Request - Flan Reporting Data Model and content

Hello, I have been using Flan in combination with OWASP Amass - Amass would run a recon scan on ano organisation's footprint - then filter and output a set of IPs I would input to flan to scan. Once the results are out I would parse the JSON output to add the DNS, ASN associated with the IP address (The ASN would be 0 if it's an internal IP - and DNS left blank if not found).

I like Flan, and would recommend a few improvements if possible

It's hard to filter out the confirmed open ports (scannable for the external perimeter) vs. the ones NMAP "is confident" it's open behind the firewall - keeping them separate in the JSON output would make filtering/prasing them easier
For vulnerabilities In an ideal world I would like to create a table with (atleast) the following set of columns (IP|Hostname|DNS|Pot|UDP/TCP|CVE|CVE-Title-CVSS3 score|CPE|Service Name) ASN I can populate along with anything else.
For scanning open ports again a similar set of fields (IP|Hostname|DNS|Pot|UDP/TCP|Open/Filtered/Closed|CPE|Service Name)

The above make it way easier for me to find what I am looking for with minimal fuss, happy to share some of the scripts used to get data into Flan from Amass then filtering the output. Thanks Again!

Kubernetes CronJob instead of Deployment?

Hello,

If I'm understanding the entrypoint (run.sh) correctly, it just runs the once then exists.

I suppose Kubernetes will continually restart it, but with an exponential backoff?

Would it be better to run it as a scheduled batch job using the CronJob object type?

Regards,
iamacarpet

Only XML files are generated

Only XML file is generated, IP for tex generator is empty:

docker run --name flan_1574405167 -v /srv/git/flan/shared:/shared flan_scan
# Nmap 7.70 scan initiated Fri Nov 22 06:46:08 2019 as: nmap -sV -oX /shared/xml_files/2019.11.22-06.46/x.x.x.18.xml -oN - -v1 --script=vulners/vulners.nse x.x.x.18
Nmap scan report for static.x-x-x-18.clients.your-server.de (x.x.x.18)
Host is up (0.00027s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.4 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4: 
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
80/tcp   open     http       nginx 1.16.1
|_http-server-header: nginx/1.16.1
443/tcp  open     ssl/http   nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-trane-info: Problem with XML parsing of /evox/about
9001/tcp filtered tor-orport

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 22 06:46:23 2019 -- 1 IP address (1 host up) scanned in 15.41 seconds
# Nmap 7.70 scan initiated Fri Nov 22 06:46:23 2019 as: nmap -sV -oX /shared/xml_files/2019.11.22-06.46/.xml -oN - -v1 --script=vulners/vulners.nse
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
# Nmap done at Fri Nov 22 06:46:23 2019 -- 0 IP addresses (0 hosts up) scanned in 0.35 seconds
WARNING: No targets were specified, so 0 hosts scanned.
Traceback (most recent call last):
  File "/output_report.py", line 225, in <module>
    main()
  File "/output_report.py", line 216, in main
    parse_results(data)
  File "/output_report.py", line 98, in parse_results
    hosts = data['nmaprun']['host']
KeyError: 'host'
sed: /shared/reports/report_2019.11.22-06.46.tex: No such file or directory
sed: /shared/reports/report_2019.11.22-06.46.tex: No such file or directory
sed: /shared/reports/report_2019.11.22-06.46.tex: No such file or directory

LaTeX formatting issues.

First, thank you for creating this tool! I used this tool during a cyber competition earlier today.

Second, using pdflatex (which gave me many Undefined Control Sequence errors), I generated the pdf which has some noticeable formatting issues. Mostly displaying the found CVEs that run off the page sometimes and appear cut off. I have attached screenshots as well as a zip containing the .tex, .pdf, and .xml files. There are two .pdfs and two .tex files as we did modify the auto generated tex file. The pdf we changed has the same issues. It was during a competition, so I was unable to try to fix it. Please let me know if there is any more information that is needed.

flanstuff.zip

Feature request

It would be great to be able to generate the different report formats on previously run scans so you don't have to rescan everything to get a different report format.

Issue with IPs in list not resolving

New to using docker and running the container on a Windows 10 machine,
When I kick of the scanner I get the following outputs.

"xml" -oN - -v1 --script=vulners/vulners.nse "1.1.1.1s: nmap -sV -oX "/shared/xml_files/2020.06.18-07.09/1.1.1.1

".iled to resolve "1.1.1.1

Read data files from: /usr/bin/../share/nmap