NetScan

Netscan is a network scanner made for large-scope pentesting. It lets you scan and do your recon phase on more that 20+ protocols very quickly. All results are store in an elasticsearch database and browsable with the Kibana power. Scan, Filter, Exploit !

Features

• Everything is stored in Elasticsearch. Data is visible via Kibana
• Active Directory
  • Enumeration
  • Active Directory attacks
  • Active Directory modifications
  • Active Directory Certificate Services
  • Bloodhound export
  • Modules
    • ZeroLogon (CVE-2020-1472)
    • NoPAC (CVE-2021-42278 / CVE-2021-42287)
    • Check if ZONE_UPDATE_INSECURE parameter is enabled
    • Check for LDAP signing and channel binding
• Ping scanner
• Port scanner
  • Nmap service detection
  • Nmap scripts executions
• FTP scanner
  • FTP authentication
  • FTP multi-host bruteforce
  • FTP listing
• MySQL scanner
  • MySQL authentication
  • MySQL multi-host bruteforce
  • MySQL database listing
  • MySQL queries
• MsSQL scanner
  • MsSQL authentication
  • MsSQL multi-host bruteforce
  • MsSQL database listing
  • MsSQL queries
  • MsSQL command execution
• MongoDB scanner
  • MongoDB authentication
  • MongoDB multi-host bruteforce
  • MongoDB database listing
• Postgres scanner
  • Postgres authentication
  • Postgres multi-host bruteforce
  • Postgres database listing
  • Postgres command execution
• Redis scanner
  • Redis authentication
  • Redis multi-host bruteforce
  • Redis RCE detection
• RDP scanner
  • RDP authentication (does not mean you have rdp access)
  • Modules
    • Bluekeep (CVE-2019-0708) detection
• VNC scanner
  • VNC authentication
  • VNC multi-host bruteforce
  • VNC rubber-ducky execution
  • VNC screenshot
• Telnet scanner
  • Telnet authentication
  • Telnet multi-host bruteforce
  • Telnet command execution
• SSH scanner
  • SSH authentication
  • SSH multi-host bruteforce
  • SSH command execution
  • Modules
    • LinPEAS
    • DirtyPipe (CVE-2022-0847)
    • Get kernel and packages versions
    • List network interfaces
    • PwnKit vulnerability (CVE-2021-4034)
• WinRM scanner
  • WinRM authentication
  • WinRM multi-host bruteforce
• Rsync scanner
• RTSP scanner
  • Screenshot
• SNMP scanner
  • SNMP authentication
  • SNMP multi-host bruteforce
  • SNMP enumeration
• TLS scanner
• DNS scanner
  • DNS queries
  • Reverse-DNS queries
  • Subdomain bruteforce
  • AXFR transfer
  • Domain Controller detection
• SMB scanner
  • SMB authentication
  • SMB multi-host bruteforce (be careful not to block accounts...)
  • SMB shared folder listing
  • SMB enumeration
  • SMB secrets collection (SAM, LSA secrets)
  • SMB command execution
  • SMB modules
    • EternalBlue detection (MS17-010)
    • SambaCry detection (CVE-2017-7494)
    • DropTheMic detection (CVE-2019-1040)
    • SMBGhost detection (CVE-2020-0796)
    • PetitPotam exploit (CVE-2021-36942)
    • PrintNightmare vulnerability (CVE-2021-1675)
    • PrintSpooler service detection
    • DFSCoerce
• HTTP scanner
  • HTTP service header and page title enumeration
  • HTTP authentication
  • HTTP modules
    • Axis2
    • Tomcat
    • JBoss
    • Heartbleed
    • Jenkins
    • PhpMyAdmin
    • And more !

Screenshots

Display the global help menu

Display a specific module help menu

Run a ping scan to discover devices in the network

Run a port scan to get all opened ports with the nmap options

Display the result in a way-to-cool interface!

1. Installation

1.0 Automagic installation (with docker)

Run the following command and enjoy immediately..

~/netscan$> ./configure_docker.sh

The previous command will build and/or start all the framework docker containers used by netscan. It will create and configure :

• an elasticsearch container
• a kibana container
• a neo4j container

When everything is up and running, you can use the netscan command and enjoy.

1.1 Manual installation (without Docker)

1. Install dependencies

$> pip3 install -r requirements.txt

2. Create the configuration file

$> cp config.cfg.sample config.cfg

3. If needed, deploy Elasticsearch and Kibana on your systema.

2. Configuration

Note:
The docker version is already configured with default settings. You're good to go.

On your system or in the docker container,

1. Edit the config.cfg file to set the name of your current pentest session under the [Global] section.

2. Enable elasticsearch if you want to send all your scan outputs to the database under the [Elasticsearch] section.

3. Configure the Kibana dashboards

   Via GUI

   The kibana dashboards are located at kibana/kibana_dashboards.ndjson.

   • Open kibana at http://127.0.0.1:5601/
   • Go to "Management > Stack Management"
   • Go to "Kibana > Saved Objects"
   • Click on "Import"
   • Select the kibana_dashboards.ndjson file provided in this repo
   • Click on "Import"

   Via CLI

   $> curl -X POST 'http://127.0.0.1:5601/api/saved_objects/_import?createNewCopies=true' -H "kbn-xsrf: true" --form "file=@$(pwd)/kibana/kibana_dashboards.ndjson"

The dashboards should now be available within Kibana

3. Troubleshooting

---

Problem: Elasticsearch has not enough memory-mapped areas to run smoothly.
Solution : Run the following command on you system

sudo sysctl -w vm.max_map_count=262144

Doc: https://www.elastic.co/guide/en/elasticsearch/reference/current/_maximum_map_count_check.html

---

Problem: Elastic needs at least 10% free space of your hard disk (whatever the disk size). Solution : You can disable the disk size threshold by running the following commands on you system

$> curl -X PUT -H "Content-Type: application/json" http://localhost:9200/_cluster/settings -d '{ "transient": { "cluster.routing.allocation.disk.threshold_enabled": false } }'

---