Flan Scan: a lightweight network vulnerability scanner by Cloudflare
Cloudflare released a new open source vulnerability scanner that uses Nmap results to generate more complex vulnerability reports.
The tool, called Flan Scan, is a Python script developed in order to fill-the-gap between “industry standard” scanners and Cloudflare's compliance scans needs [1]:
We created Flan Scan after two unsuccessful attempts at using “industry standard” scanners for our compliance scans. A little over a year ago, we were paying a big vendor for their scanner until we realized it was one of our highest security costs and many of its features were not relevant to our setup. It became clear we were not getting our money’s worth. Soon after, we switched to an open source scanner and took on the task of managing its complicated setup. That made it difficult to deploy to our entire fleet of more than 190 data centers.
Like i said, the project is based on Nmap, in order to start from a solid base, a high accurate scanner with a lot of useful plugins:
We chose Nmap as our base scanner because, unlike other network scanners which sacrifice accuracy for speed, it prioritizes detecting services thereby reducing false positives. We also liked Nmap because of the Nmap Scripting Engine (NSE), which allows scripts to be run against the scan results. We found that the “vulners” script, available on NSE, mapped the detected services to relevant CVEs from a database, which is exactly what we needed.
The other pillars at the basis of the project are the reliability of results and the simplicity of deploy:
- Easy Deployment and Configuration - To
create a lightweight scanner with easy configuration, we chose to run
Flan Scan inside a Docker container. As a result, Flan Scan can be built
and pushed to a Docker registry and maintains the flexibility to be
configured at runtime. Flan Scan also includes sample Kubernetes
configuration and deployment files with a few placeholders so you can
get up and scanning quickly. - Pushing results to the Cloud - Flan
Scan adds support for pushing results to a Google Cloud Storage Bucket
or an S3 bucket. All you need to do is set a few environment variables
and Flan Scan will do the rest. This makes it possible to run many scans
across a large network and collect the results in one central location
for processing. - Actionable Reports - Flan Scan
generates actionable reports from Nmap’s output so you can quickly
identify vulnerable services on your network, the applicable CVEs, and
the IP addresses and ports where these services were found. The reports
are useful for engineers following up on the results of the scan as well
as auditors looking for evidence of compliance scans.
The tool is open source and freely available on Cloudflare's Github account [2].
Getting Started
I've tested the workflow on my Debian 10, whithout any problem:
- Clone this repository
- Make sure you have docker setup (using docker --version)
- Add the list of IP addresses or CIDRS you wish to scan to
shared/ips.txt
. - Build the container: make build
- Start scanning: make start
When the scan finishes you will find a Latex report of the summarizing the scan in
shared/reports
.
You can also see the raw XML output from Nmap inshared/xml_files
.