{"id":13540083,"url":"https://github.com/kudelskisecurity/scannerl","last_synced_at":"2025-07-28T13:03:51.052Z","repository":{"id":44411471,"uuid":"93478832","full_name":"kudelskisecurity/scannerl","owner":"kudelskisecurity","description":"The modular distributed fingerprinting engine","archived":false,"fork":false,"pushed_at":"2018-08-06T12:17:41.000Z","size":135,"stargazers_count":223,"open_issues_count":1,"forks_count":43,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-05-24T08:36:32.081Z","etag":null,"topics":["distributed","erlang","fingerprinting","network","scanner","security"],"latest_commit_sha":null,"homepage":null,"language":"Erlang","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kudelskisecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-06-06T05:16:33.000Z","updated_at":"2025-05-04T00:27:35.000Z","dependencies_parsed_at":"2022-07-12T18:21:01.785Z","dependency_job_id":null,"html_url":"https://github.com/kudelskisecurity/scannerl","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/kudelskisecurity/scannerl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2Fscannerl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2Fscannerl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2Fscannerl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2Fscannerl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kudels
kisecurity","download_url":"https://codeload.github.com/kudelskisecurity/scannerl/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kudelskisecurity%2Fscannerl/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267520401,"owners_count":24100829,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-28T02:00:09.689Z","response_time":68,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["distributed","erlang","fingerprinting","network","scanner","security"],"created_at":"2024-08-01T09:01:39.674Z","updated_at":"2025-07-28T13:03:50.913Z","avatar_url":"https://github.com/kudelskisecurity.png","language":"Erlang","funding_links":[],"categories":["\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003e侦察\u0026\u0026信息收集\u0026\u0026子域名发现与枚举\u0026\u0026OSINT","Erlang","Erlang (1)"],"sub_categories":["\u003ca id=\"016bb6bd00f1e0f8451f779fe09766db\"\u003e\u003c/a\u003e指纹\u0026\u0026Fingerprinting"],"readme":"# Scannerl\n\n[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](http://www.gnu.org/licenses/gpl-3.0)\n[![AUR](https://img.shields.io/aur/version/scannerl.svg)](https://aur.archlinux.org/packages/scannerl)\n\n[Scannerl](https://github.com/kudelskisecurity/scannerl) is a modular distributed fingerprinting engine\nimplemented by [Kudelski 
Security](https://www.kudelskisecurity.com/).\nScannerl can fingerprint thousands of targets on a single host, but can just as easily be distributed\nacross multiple hosts. Scannerl is to fingerprinting what zmap is to port scanning.\n\nScannerl works on Debian/Ubuntu/Arch (but will probably work on\nother distributions as well). It uses a master/slave architecture where\nthe master node will distribute the work (host(s) to fingerprint) to\nits slaves (local or remote). The entire deployment is transparent to\nthe user.\n\n# Why use Scannerl\n\nWhen using conventional fingerprinting tools for large-scale analysis,\nsecurity researchers will often hit two limitations: first, these tools are typically built\nfor scanning comparatively few hosts at a time and are inappropriate for large\nranges of IP addresses. Second, if a large range of IP addresses\nprotected by IPS devices is being fingerprinted, the probability of being\nblacklisted is higher, which could lead to an incomplete set of information.\nScannerl is designed to circumvent these limitations, not only by providing the\nability to fingerprint multiple hosts simultaneously, but also by distributing\nthe load across an arbitrary number of hosts.\nScannerl also makes the distribution of these tasks completely transparent,\nwhich makes setup and maintenance of large-scale fingerprinting projects\ntrivial; this allows you to focus on the analyses rather than the herculean\ntask of managing and distributing fingerprinting processes by hand.\nIn addition to the speed factor, scannerl has been designed to make it easy to\nset up specific fingerprinting analyses in a few lines of code.\nNot only is a fingerprinting cluster easy to set up, but it can also be tweaked\nby adding fine-tuned scans to your fingerprinting campaigns.\n\nIt is the fastest tool to perform large scale fingerprinting campaigns.\n\nFor more:\n\n* [Fingerprint all the things with scannerl at BlackAlps](https://youtu.be/xHF2T5E7OFQ)\n* 
[Fingerprinting MySQL with scannerl](https://research.kudelskisecurity.com/2017/12/11/fingerprinting-mysql-with-scannerl/)\n* [Fingerprint ICS/Scada with scannerl](https://research.kudelskisecurity.com/2017/12/13/scannerl-ics-modules-open-source/)\n* [Distributed fingerprinting with scannerl](https://research.kudelskisecurity.com/2017/06/06/distributed-fingerprinting-with-scannerl/)\n* [6 months of ICS scanning](https://research.kudelskisecurity.com/2017/10/24/6-months-of-ics-scanning/)\n\n---\n\n**Table of Contents**\n\n* [Installation](#installation)\n* [Usage](#usage)\n\n  * [Standalone](#standalone-usage)\n  * [Distributed](#distributed-usage)\n  * [Available modules](#list-available-modules)\n  * [Module arguments](#modules-arguments)\n  * [Result format](#result-format)\n\n* [Extending Scannerl](#extending-scannerl)\n* [Contributing](#contributing)\n* [License and Copyright](#license-and-copyright)\n\nSee the [wiki](https://github.com/kudelskisecurity/scannerl/wiki) for more.\n\n# Installation\n\nSee the different installation options on the [wiki installation page](https://github.com/kudelskisecurity/scannerl/wiki/Installation).\n\nTo install from source, first install Erlang (at least v.18) by choosing the right packaging for your\nplatform: [Erlang downloads](https://www.erlang-solutions.com/resources/download.html)\n\nInstall the required packages:\n```bash\n# on debian\n$ sudo apt install erlang erlang-src rebar\n\n# on arch\n$ sudo pacman -S erlang-nox rebar\n```\n\nThen build scannerl:\n\n```bash\n$ git clone https://github.com/kudelskisecurity/scannerl.git\n$ cd scannerl\n$ ./build.sh\n```\n\nGet the usage by running\n```bash\n$ ./scannerl -h\n```\n\nScannerl is available on the AUR for Arch Linux users:\n* [scannerl](https://aur.archlinux.org/packages/scannerl/)\n* [scannerl-git](https://aur.archlinux.org/packages/scannerl-git/)\n\nDEBs (Ubuntu, Debian) are available in the [releases](https://github.com/kudelskisecurity/scannerl/releases).\n\nRPMs 
(openSUSE, CentOS, Red Hat) are available under https://build.opensuse.org/package/show/home:chapeaurouge/scannerl.\n\n## Distributed setup\n\nTwo types of nodes are needed to perform a distributed scan:\n\n* **Master node**: this is where scannerl's binary is run\n* **Slave node(s)**: this is where scannerl will connect to\n  distribute all its work\n\nThe master node needs to have scannerl installed and compiled while the\nslave node(s) only need Erlang to be installed. The entire setup is\ntransparent and done automatically by the master node.\n\nRequirements for a distributed scan:\n\n* All hosts have the same version of Erlang installed\n* All hosts are able to connect to each other using SSH public key authentication\n* All hosts' names resolve (use */etc/hosts* if no proper DNS is set up)\n* All hosts have the same [Erlang security cookie](http://erlang.org/doc/reference_manual/distributed.html)\n* All hosts must allow connections to the Erlang EPMD port (TCP/4369)\n* All hosts have the following range of ports open: TCP/11100 to TCP/11100 + *number-of-slaves*\n\n# Usage\n\n```\n$ ./scannerl -h\n   ____   ____    _    _   _ _   _ _____ ____  _\n  / ___| / ___|  / \\  | \\ | | \\ | | ____|  _ \\| |\n  \\___ \\| |     / _ \\ |  \\| |  \\| |  _| | |_) | |\n   ___) | |___ / ___ \\| |\\  | |\\  | |___|  _ \u003c| |___\n  |____/ \\____/_/   \\_\\_| \\_|_| \\_|_____|_| \\_\\_____|\n\nUSAGE\n  scannerl MODULE TARGETS [NODES] [OPTIONS]\n\n  MODULE:\n    -m \u003cmod\u003e --module \u003cmod\u003e\n      mod: the fingerprinting module to use.\n           arguments are separated with a colon.\n\n  TARGETS:\n    -f \u003ctarget\u003e --target \u003ctarget\u003e\n      target: a list of target separated by a comma.\n    -F \u003cpath\u003e --target-file \u003cpath\u003e\n      path: the path of the file containing one target per line.\n    -d \u003cdomain\u003e --domain \u003cdomain\u003e\n      domain: a list of domains separated by a comma.\n    -D \u003cpath\u003e --domain-file 
\u003cpath\u003e\n      path: the path of the file containing one domain per line.\n\n  NODES:\n    -s \u003cnode\u003e --slave \u003cnode\u003e\n      node: a list of node (hostnames not IPs) separated by a comma.\n    -S \u003cpath\u003e --slave-file \u003cpath\u003e\n      path: the path of the file containing one node per line.\n            a node can also be supplied with a multiplier (\u003cnode\u003e*\u003cnb\u003e).\n\n  OPTIONS:\n    -o \u003cmod\u003e --output \u003cmod\u003e     comma separated list of output module(s) to use.\n    -p \u003cport\u003e --port \u003cport\u003e     the port to fingerprint.\n    -t \u003csec\u003e --timeout \u003csec\u003e    the fingerprinting process timeout.\n    -T \u003csec\u003e --stimeout \u003csec\u003e   slave connection timeout (default: 10).\n    -j \u003cnb\u003e --max-pkt \u003cnb\u003e      max pkt to receive (int or \"infinity\").\n    -r \u003cnb\u003e --retry \u003cnb\u003e        retry counter (default: 0).\n    -c \u003ccidr\u003e --prefix \u003ccidr\u003e   sub-divide range with prefix \u003e cidr (default: 24).\n    -M \u003cport\u003e --message \u003cport\u003e  port to listen for message (default: 57005).\n    -P \u003cnb\u003e --process \u003cnb\u003e      max simultaneous process per node (default: 28232).\n    -Q \u003cnb\u003e --queue \u003cnb\u003e        max nb unprocessed results in queue (default: infinity).\n    -C \u003cpath\u003e --config \u003cpath\u003e   read arguments from file, one per line.\n    -O \u003cmode\u003e --outmode \u003cmode\u003e  0: on Master, 1: on slave, \u003e1: on broker (default: 0).\n    -v \u003cval\u003e --verbose \u003cval\u003e    be verbose (0 \u003c= int \u003c= 255).\n    -K \u003copt\u003e --socket \u003copt\u003e     comma separated socket option (key[:value]).\n    -l --list-modules           list available fp/out modules.\n    -V --list-debug             list available debug options.\n    -A --print-args             Output the args record.\n    -X 
--priv-ports             use only source port between 1 and 1024.\n    -N --nosafe                 keep going even if some slaves fail to start.\n    -w --www                    DNS will try for www.\u003cdomain\u003e.\n    -b --progress               show progress.\n    -x --dryrun                 dry run.\n```\n\nSee the [wiki](https://github.com/kudelskisecurity/scannerl/wiki) for more.\n\n## Standalone usage\n\nScannerl can be used on the local host without any other host.\nHowever, it will still create a slave node on the same host it is run from.\nTherefore, the requirements described in [Distributed setup](#distributed-setup)\nmust also be met.\n\nA quick way to do this is to make sure your host is able to resolve itself with\n```bash\ngrep -q \"127.0.1.1\\s*`hostname`\" /etc/hosts || echo \"127.0.1.1 `hostname`\" | sudo tee -a /etc/hosts\n```\n\nand create an SSH key (if not yet present) and add it to `authorized_keys` (you need\nan SSH server running):\n```bash\ncat $HOME/.ssh/id_rsa.pub \u003e\u003e $HOME/.ssh/authorized_keys\n```\n\nThe following example runs HTTP banner grabbing on *google.com* from localhost:\n```bash\n./scannerl -m httpbg -d google.com\n```\n\n## Distributed usage\n\nIn order to perform a distributed scan, one needs to set up in advance the hosts\nthat will be used by scannerl to distribute the work.\nSee [Distributed setup](#distributed-setup) for more information.\n\nScannerl expects a list of slaves to use (provided by the **-s** or\n**-S** switches).\n\n```bash\n./scannerl -m httpbg -d google.com -s host1,host2,host3\n```\n\n## List available modules\n\nScannerl will list the available modules (output modules as well as\nfingerprinting modules) with the **-l** switch:\n\n```bash\n$ ./scannerl -l\n\nFingerprinting modules available\n================================\n\nbacnet             UDP/47808: Bacnet identification\nchargen            UDP/19: Chargen amplification factor identification\nfox                TCP/1911: FOX 
identification\nhttpbg             TCP/80: HTTP Server header identification\n                     - Arg1: [true|false] follow redirection [Default:false]\nhttpsbg            SSL/443: HTTPS Server header identification\nhttps_certif       SSL/443: HTTPS certificate graber\nimap_certif        TCP/143: IMAP STARTTLS certificate graber\nmodbus             TCP/502: Modbus identification\nmqtt               TCP/1883: MQTT identification\nmqtts              TCP/8883: MQTT over SSL identification\nmysql_greeting     TCP/3306: Mysql version identification\npop3_certif        TCP/110: POP3 STARTTLS certificate graber\nsmtp_certif        TCP/25: SMTP STARTTLS certificate graber\nssh_host_key       TCP/22: SSH host key graber\n\nOutput modules available\n========================\n\ncsv                output to csv\n                     - Arg1: [true|false] save everything [Default:true]\ncsvfile            output to csv file\n                     - Arg1: [true|false] save everything [Default:false]\n                     - Arg2: File path\nfile               output to file\n                     - Arg1: File path\nfile_ip            output to stdout (only ip)\n                     - Arg1: File path\nfile_mini          output to file (only ip and result)\n                     - Arg1: File path\nfile_resultonly    output to file (only result)\n                     - Arg1: File path\nstdout             output to stdout\nstdout_ip          output to stdout (only IP)\nstdout_mini        output to stdout (only ip and result)\n```\n\n## Modules arguments\n\nArguments can be provided to modules with a colon. 
For\nexample, for the *file* output module:\n```bash\n./scannerl -m httpbg -d google.com -o file:/tmp/result\n```\n\n## Result format\n\nThe result returned by scannerl to the output modules\nhas the following form:\n\n```\n{module, target, port, result}\n```\n\nWhere\n\n* `module`: the module used (Erlang atom)\n* `target`: IP or hostname (string or IPv4 address)\n* `port`: the port (integer)\n* `result`: see below\n\nThe `result` part is of the form:\n\n```\n{{status, type},Value}\n```\n\nWhere `{status, type}` is one of the following tuples:\n\n* `{ok, result}`: fingerprinting the target succeeded\n* `{error, up}`: fingerprinting didn't succeed but the target responded\n* `{error, unknown}`: fingerprinting failed\n\n`Value` is the returned value - it is either an atom or a list of elements.\n\n# Extending Scannerl\n\nScannerl has been designed and implemented with modularity in mind.\nIt is easy to add new modules to it:\n\n* **Fingerprinting module**: to query a specific protocol or service.\n  As an example, the *fp_httpbg.erl* module retrieves the *server*\n  entry in the HTTP response.\n* **Output module**: to output to a specific database/filesystem or output the\n  result in a specific format.\n  For example, the *out_file.erl* and *out_stdout.erl* modules output\n  to a file or to stdout, respectively (default behavior if not specified).\n\nTo create new modules, simply follow the behavior (*fp_module.erl* for fingerprinting\nmodules and *out_behavior.erl* for output modules) and implement your modules.\n\nNew modules can either be added at compile time or dynamically as an external file.\n\nSee the [wiki page](https://github.com/kudelskisecurity/scannerl/wiki/Module-Implementation) for more.\n\n# Contributing\n\nFeel free to open an issue or a PR.\n\n# License and Copyright\n\nCopyright(c) 2017 Nagravision SA.\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License version 
3 as published by the Free Software Foundation.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkudelskisecurity%2Fscannerl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkudelskisecurity%2Fscannerl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkudelskisecurity%2Fscannerl/lists"}