dnmap: framework for distributed nmap scans

dnmap is a framework created by Sebastián García (aka eldraco) of MatesLab for distributing nmap scans across several clients.

It is written in Python and consists of a server script 'dnmap_server.py', a base64-encoded certificate 'server.pem' for the encrypted client-server communications, and a client script 'dnmap_client.py'.

The server reads a file of nmap commands and sends them to each client over TLS, handling the logic and the statistics, so that the whole setup practically behaves like a botnet.

The basic workflow is as follows:

- We create the command file 'commands.txt':

nmap -sS -p22 192.168.1.0/24 -v -n -oA 192.168.1.0

nmap -sS -p22 192.168.2.0/24 -v -n -oA 192.168.3.0

nmap -sS -p22 192.168.3.0/24 -v -n -oA 192.168.4.0

nmap -sP -p22 192.168.3.0/24 -v -n -oA 192.168.4.0

nmap -sS --top-ports 100 192.168.3.3 -v -n -oA 192.168.3.3.top100

nmap -sS --top-ports 100 192.168.3.4 -v -n -oA 192.168.3.4.top100

nmap -sS --top-ports 100 192.168.3.5 -v -n -oA 192.168.3.5.top100

- We start the dnmap server:

vmotos@linux-nsl1:~/Descargas/dnmap_v0.5> sudo ./dnmap_server.py -f commands.txt
root's password:
+----------------------------------------------------------------------+
| dnmap_server Version 0.5 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+----------------------------------------------------------------------+

=| MET:0:00:00.000633 | Amount of Online clients: 0 |=
=| MET:0:00:05.006037 | Amount of Online clients: 0 |=
=| MET:0:00:10.004888 | Amount of Online clients: 0 |=
=| MET:0:00:15.005647 | Amount of Online clients: 0 |=
=| MET:0:00:20.005837 | Amount of Online clients: 0 |=

- We start as many dnmap clients as we want:

vmotos@bot1:~/Descargas/dnmap_v0.5> ./dnmap_client.py -s localhost -a bot1
+----------------------------------------------------------------------+
| dnmap Client Version 0.5 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+----------------------------------------------------------------------+

Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
Command Received: nmap -sS -p22 192.168.1.0/24 -v -n -oA 192.168.1.0
Sending output to the server...
Waiting for more commands....
Command Received:
+ No -oA given. We add it anyway so not to lose the results. Added -oA 91450921
Sending output to the server...
Waiting for more commands....
Command Received: nmap -sS -p22 192.168.2.0/24 -v -n -oA 192.168.3.0

As you can see, the server has started sending commands to the first client. The results are stored on both sides (client and server).

+ Client ID connected: xxx.xxx.0.12:60629 (bot1)
=| MET:0:04:25.005779 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias #Commands Last Time Seen (time ago) UpTime Version Euid RunCmdXMin AvrCmdXMin Status
bot1 13 Mar 19 23:57:27 ( 0' 7") 0h 3m 0.5 1000 236.6 897.2 Online

If the server happens to go down during the scans, the clients keep trying to connect until it is back online:

Waiting for more commands....
Connection lost. Reason: Connection to the other side was lost in a non-clean fashion.
Trying to reconnect in 10 secs. Please wait...
Starting connection...
Connection failed: Connection was refused by other side: 111: Connection refused.
Trying to reconnect. Please wait...
Starting connection...
Connection failed: Connection was refused by other side: 111: Connection refused.
Trying to reconnect. Please wait...

And when it comes back up, the server does not start over from the beginning; instead it sends the client the last command that corresponds to it.

In addition, new nmap commands can be added without restarting the server, so, as you can see, this is a very versatile and easy-to-use tool.
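
Since the server hands every line of 'commands.txt' to a client, the file can be checked before the server is started. The following Python check is an added example, not part of dnmap or of the original post: it flags blank lines, non-nmap lines, targets outside an authorized scope, a missing -oA, and -oA names that do not match the target or are reused. The function name, the scope list and the sample are assumptions made for this illustration.

```python
import ipaddress
import shlex

VALUE_OPTS = {"-oA", "--top-ports", "-p"}  # options that consume the next token

def lint_commands(text, allowed_scope):
    """Return (line_number, issue) findings for a dnmap commands file."""
    scope = [ipaddress.ip_network(n) for n in allowed_scope]
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "nmap":
            findings.append((no, "blank line" if not tokens else "not an nmap command"))
            continue
        targets, out, it = [], None, iter(tokens[1:])
        for tok in it:
            if tok in VALUE_OPTS:
                value = next(it, None)
                out = value if tok == "-oA" else out
            elif not tok.startswith("-"):
                targets.append(tok)
        for t in targets:
            try:
                net = ipaddress.ip_network(t, strict=False)
            except ValueError:
                findings.append((no, f"target {t} is not an IP or CIDR"))
                continue
            if not any(net.version == s.version and net.subnet_of(s) for s in scope):
                findings.append((no, f"target {t} outside authorized scope"))
            if out and not out.startswith(str(net.network_address)):
                findings.append((no, f"-oA {out} does not match target {t}"))
        if out is None:
            findings.append((no, "no -oA given"))
        elif out in seen:
            findings.append((no, f"-oA {out} reused from line {seen[out]}"))
        else:
            seen[out] = no
    return findings

# Constructed sample modelled on the commands above; SCOPE is a hypothetical authorization.
SAMPLE = """\
nmap -sS -p22 192.168.1.0/24 -v -n -oA 192.168.1.0
nmap -sS -p22 192.168.2.0/24 -v -n -oA 192.168.3.0

nmap -sS -p22 192.168.3.0/24 -v -n -oA 192.168.4.0
nmap -sP -p22 192.168.3.0/24 -v -n -oA 192.168.4.0
nmap -sS --top-ports 100 192.168.3.3 -v -n
"""
SCOPE = ["192.168.1.0/24", "192.168.3.0/24"]
```

Calling lint_commands(SAMPLE, SCOPE) reports the out-of-scope network on line 2, the blank line, the mismatched and reused -oA names on lines 4 and 5, and the missing -oA on line 6.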
