Dnmap: A Distributed Nmap Framework!

Dnmap can be treated as one of your dreams come true. How many times have you wished you could run remote and distributed Nmap scans? Well, now that wish has become a reality with Dnmap. Yes, there were a few public projects like this one before, but none open-source and actively developed.

Dnmap (distributed Nmap) is a framework to distribute nmap scans among several clients. It reads an already created file with nmap commands and sends those commands to each client connected to it. The framework uses a client/server architecture: the server knows what to do and the clients do it. All the logic and statistics are managed in the server. Dnmap stores the Nmap output on both server and client. The only caveat of this whole setup is the lack of security, as the framework inherently trusts the server and the client will execute any Nmap command sent. So, if you want to protect this setup, you might as well secure it via ACLs, etc. Yet, the Dnmap server is capable of fighting off command injection attacks. Graphically, the Dnmap framework is designed as follows:

Dnmap architecture
So you see, Dnmap uses the classical client/server architecture. The server reads the commands from an external file and sends them to the clients. The server starts handing out nmap commands to the clients, and the results are stored on both sides.

Features of the Dnmap Framework:

  • Clients can be run on any computer on the Internet. They do not have to be on a local cluster or the like.
  • Dnmap uses the TLS protocol for encryption.

Dnmap server features:

  • If the server goes down, the clients keep trying to connect until it comes back online.
  • If the server goes down, when you bring it up again it resumes from the last command given before the shutdown. You do not need to remember where it was.
  • You can add new commands to the original file without having to stop the server. The server will read them automatically.
  • If a client goes down, the server remembers which command it was executing and re-schedules it for later.
  • It stores every detail of the operations in a log file.
  • It shows real-time statistics about the operation of each client, including:
    • Number of commands executed
    • Last time seen
    • Uptime
    • Version of the client
    • Whether the Dnmap client is being run as root or not
    • The number of commands executed per minute
    • The historic average of the number of commands executed per minute
    • The status of the client (Online, Offline, Executing or Storing)
  • You can choose which port to use; it defaults to 46001.
  • Only the Online clients are shown in the running stats.

Dnmap client features:

  • If the Dnmap server goes down, it keeps connecting to it until it comes back up.
  • It strips strange characters from the command sent by the server, to avoid command injection vulnerabilities.
  • It only executes the nmap command: it discards the binary name sent by the server and replaces it with the known and trusted nmap binary on the system.
  • You can select an alias for your user.
  • You can change which port the client connects to.
  • If the command sent by the server does not have a -oA option, the client adds it anyway, so it will always have a local copy of the output.
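As an added example (not Dnmap's own code), the following Python sketches the three client-side rules listed above: strip unexpected characters, execute only the trusted nmap binary, and force a -oA output prefix. TRUSTED_NMAP, the character whitelist and the function names are assumptions, not taken from the project.

```python
"""Client-side hardening of a command line received from the Dnmap server.
Added example, not Dnmap's own code: the server's line is never handed to a
shell; it is cleaned, checked and executed as an argv list."""
import os
import re
import subprocess
from typing import List

# Assumption: absolute path of the nmap binary this client trusts.
TRUSTED_NMAP = "/usr/bin/nmap"
# Assumed whitelist: letters, digits and the punctuation normal nmap arguments
# need (port lists, CIDR, file paths, option values). Shell metacharacters such
# as ; | & $ ` ( ) < > are not in it and are dropped from the line.
STRANGE_CHARS = re.compile(r"[^A-Za-z0-9 ._/,:*=-]")


class RejectedCommand(ValueError):
    """Raised when the server's line is not an nmap invocation at all."""


def harden_command(server_line: str, default_prefix: str) -> List[str]:
    """Return the argv the client will actually execute (no shell involved)."""
    cleaned = STRANGE_CHARS.sub("", server_line).strip()
    # Whitespace split only: leftovers of a stripped injection attempt become
    # ordinary nmap arguments (which nmap rejects), never shell commands.
    argv = cleaned.split()
    if not argv or os.path.basename(argv[0]) != "nmap":
        raise RejectedCommand(f"not an nmap command: {server_line!r}")
    # Ignore whatever binary name or path the server sent; use the trusted one.
    argv[0] = TRUSTED_NMAP
    # -oA <prefix> (nmap also accepts -oA<prefix>) writes normal, XML and
    # grepable output locally; add it when the server left it out so the
    # client always keeps its own copy of the results.
    if not any(a.startswith("-oA") for a in argv[1:]):
        argv += ["-oA", default_prefix]
    return argv


def run_hardened(server_line: str, default_prefix: str) -> int:
    """Execute the hardened argv directly (shell=False); return nmap's exit status."""
    argv = harden_command(server_line, default_prefix)
    return subprocess.run(argv, check=False).returncode
```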

So you see, there is a bit of redundancy in this whole setup, and the client and server work in an ‘intelligent’ manner. The client does not need to be run as root, but be aware that most nmap scan types need the client to be run as root. If some of your clients are not root, you can still send them TCP connect scans, for example. Another thing about this project is that it only uses SYN packets and tries to avoid countries that forbid SYN scans. Using Dnmap is also very simple.

1. Create a file containing nmap commands, e.g. commands.txt
2. Start the dnmap_server:
   ./dnmap_server -f commands.txt
3. Start any number of clients:
   ./dnmap_client -s -a

Depending on the number of clients you have, you will see a result like the one below:

=| MET:5:43:32.837276 | Amount of Online clients: 2 |=
Clients connected
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version Euid    RunCmdXMin      AvrCmdXMin      Status
test1           765             Mar 11 21:35:02 ( 0'12")         4h 6m          0.3     0              5.2            4.6       Executing
test2           698             Mar 11 21:34:59 ( 0'14")         5h43m          0.3     0              2.0            3.2       Executing

Just make sure that the commands you enter are free of syntax errors.

Download Dnmap:

Dnmap v0.5: dnmap_v0.5.tgz, http://sourceforge.net/projects/dnmap/files/
