Cloudflare released a new open source vulnerability scanner that uses Nmap results to generate more complex vulnerability reports.



The tool, called Flan Scan, is a Python script developed to fill the gap between "industry standard" scanners and Cloudflare's compliance-scanning needs [1]:

We created Flan Scan after two unsuccessful attempts at using “industry standard” scanners for our compliance scans. A little over a year ago, we were paying a big vendor for their scanner until we realized it was one of our highest security costs and many of its features were not relevant to our setup. It became clear we were not getting our money’s worth. Soon after, we switched to an open source scanner and took on the task of managing its complicated setup. That made it difficult to deploy to our entire fleet of more than 190 data centers.

As I said, the project is based on Nmap, in order to start from a solid base: a highly accurate scanner with a lot of useful plugins:

We chose Nmap as our base scanner because, unlike other network scanners which sacrifice accuracy for speed, it prioritizes detecting services thereby reducing false positives. We also liked Nmap because of the Nmap Scripting Engine (NSE), which allows scripts to be run against the scan results. We found that the “vulners” script, available on NSE, mapped the detected services to relevant CVEs from a database, which is exactly what we needed.

The other pillars at the basis of the project are the reliability of results and the simplicity of deployment:

  • Easy Deployment and Configuration - To create a lightweight scanner with easy configuration, we chose to run Flan Scan inside a Docker container. As a result, Flan Scan can be built and pushed to a Docker registry and maintains the flexibility to be configured at runtime. Flan Scan also includes sample Kubernetes configuration and deployment files with a few placeholders so you can get up and scanning quickly.
  • Pushing results to the Cloud - Flan Scan adds support for pushing results to a Google Cloud Storage Bucket or an S3 bucket. All you need to do is set a few environment variables and Flan Scan will do the rest. This makes it possible to run many scans across a large network and collect the results in one central location for processing.
  • Actionable Reports - Flan Scan generates actionable reports from Nmap’s output so you can quickly identify vulnerable services on your network, the applicable CVEs, and the IP addresses and ports where these services were found. The reports are useful for engineers following up on the results of the scan as well as auditors looking for evidence of compliance scans.

The tool is open source and freely available on Cloudflare's GitHub account [2].


Getting Started

I've tested the workflow on my Debian 10, without any problem:

  1. Clone this repository
  2. Make sure you have Docker set up (check with docker --version)
  3. Add the list of IP addresses or CIDRs you wish to scan to shared/ips.txt.
  4. Build the container: make build
  5. Start scanning: make start

When the scan finishes you will find a LaTeX report summarizing the scan in shared/reports.
You can also see the raw XML output from Nmap in shared/xml_files.
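To see what Flan Scan's report is built from, here is an added example (my own code, not Flan Scan's) that parses the kind of Nmap XML found in shared/xml_files, where the "vulners" NSE script has attached CVE tables to each detected service, and collects the open ports with their CVEs sorted by CVSS. The XML sample and its CVE ids are constructed placeholders, not output from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML with vulners script output (not a real scan);
# the CVE ids, products and address are placeholders.
SAMPLE_XML = (
    '<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>'
    '<port protocol="tcp" portid="22"><state state="open"/>'
    '<service name="ssh" product="ExampleSSH" version="1.0"/>'
    '<script id="vulners" output="..."><table key="cpe:/a:example:examplessh:1.0">'
    '<table><elem key="id">CVE-0000-0001</elem><elem key="cvss">7.5</elem>'
    '<elem key="type">cve</elem><elem key="is_exploit">false</elem></table>'
    '<table><elem key="id">CVE-0000-0002</elem><elem key="cvss">5.0</elem>'
    '<elem key="type">cve</elem><elem key="is_exploit">true</elem></table>'
    '</table></script></port>'
    '<port protocol="tcp" portid="80"><state state="open"/>'
    '<service name="http" product="ExampleHTTPd" version="2.2"/></port>'
    '<port protocol="tcp" portid="23"><state state="closed"/></port>'
    '</ports></host></nmaprun>'
)


def parse_vulners_report(xml_text):
    """Return {(ip, port, service): [(cve_id, cvss, is_exploit), ...]}.

    Only open ports are included; ports with no vulners data map to an empty
    list, and CVEs are sorted by CVSS descending so the worst ones come first.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to report
            svc = port.find("service")
            name = "unknown"
            if svc is not None:
                name = " ".join(filter(None, [svc.get("product") or svc.get("name"),
                                              svc.get("version")]))
            findings = []
            script = port.find("script[@id='vulners']")
            if script is not None:
                # The outer <table key="cpe:..."> has no <elem> children and is
                # skipped; each inner <table> is one vulners entry.
                for entry in script.iter("table"):
                    fields = {e.get("key"): e.text for e in entry.findall("elem")}
                    if fields.get("type") == "cve":
                        findings.append((fields["id"], float(fields["cvss"]),
                                         fields.get("is_exploit") == "true"))
            findings.sort(key=lambda f: f[1], reverse=True)
            report[(ip, int(port.get("portid")), name)] = findings
    return report
```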


References

  1. Introducing Flan Scan: Cloudflare’s Lightweight Network Vulnerability Scanner
  2. https://github.com/cloudflare/flan