What is Flan Scan?
Flan Scan is a lightweight vulnerability scanner created by Cloudflare. It’s based on the famous Nmap, one of the best port scanners of all time (which, if you’re following this blog, you’ll notice we love and evangelize every time we can).
Flan Scan uses Nmap scripts to boost its detection capabilities. In particular, it uses the vulners script to detect CVEs from all services found on the host (as covered previously in our Nmap Vulnerability Scanner article).
Main differences between the classic Nmap and Flan-Scan:
Different deployment and configuration: While Nmap can be installed by compiling the source code, or using a pre-compiled binary package, the only way to install Flan Scan is by using a Docker container or in Kubernetes.
Pushes results into the cloud: This feature allows you to push the results into a centralized cloud location such as Amazon S3 or GCS buckets.
Actionable Reports: By using Python, Flan Scan converts the default Nmap output into actionable LaTeX reports.
Flan Scan was developed after Cloudflare tried using several commercial scanners to audit its internal networks. With an eye on license costs and overall results, they eventually turned to classic Nmap to build their Flan Scan wrapper.
How does Flan Scan work?
As mentioned, Flan Scan works with Nmap as its core scanner. Therefore, the first thing Flan Scan does is perform a network exploration with an Nmap ICMP scan.
Then, it performs a SYN scan against the top 1,000 most popular ports on those addresses marked as live by the previous ICMP scan.
Finally, it performs a service scan to detect which services are listening on the open ports.
We tested this installation on a Debian system and it worked really well.
The first step will be to clone the source code from https://github.com/cloudflare/flan
git clone https://github.com/cloudflare/flan.git
[email@example.com]# git clone https://github.com/cloudflare/flan.git Cloning into 'flan'... remote: Enumerating objects: 171, done. remote: Total 171 (delta 0), reused 0 (delta 0), pack-reused 171 Receiving objects: 100% (171/171), 33.98 KiB | 164.00 KiB/s, done. Resolving deltas: 100% (99/99), done. [firstname.lastname@example.org]#
Check that you have Docker installed and running:
[email@example.com ~]# docker --version Docker version 1.13.1, build 47e2230/1.13.1
Start the service by typing:
[firstname.lastname@example.org flan]# systemctl start docker
Add the IPs you want to scan:
cd flan nano -w shared/ips.txt
By default it contains these lines:
Delete those and replace them with the IPs you wish to scan, then save the changes.
Now, let’s build Flan Scan by typing:
At the end, if the build has finished properly you should get this output:
Removing intermediate container 39365bd6c7c1 Successfully built 54cdaa539811 [email@example.com flan]#
Flan Scan is now installed. Let’s test it!
Testing Flan Scan
Let the fun begin! To start scanning your target hosts, just type:
If Flan Scan starts successfully, you should see something like this:
firstname.lastname@example.org:~/flan# make start docker run --name flan_1574527571 -v /root/flan/shared:/shared flan_scan # Nmap 7.70 scan initiated Sat Nov 23 16:46:12 2019 as: nmap -sV -oX /shared/xml_files/2019.11.23-16.46/126.96.36.199.xml -oN - -v1 --script=vulners/vulners.nse 188.8.131.52
When finished, Flan Scan will show you this:
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Nov 23 16:47:57 2019 — 1 IP address (1 host up) scanned in 74.58 seconds email@example.com:~/flan#
If you see that, it means the scan was completed successfully.
The default scan consists in the following command:
nmap -sV -oX /shared/xml_files -oN - -v1 \$@ --script=vulners/vulners.nse 184.108.40.206
Here are explanations for each one of the parameters:
-sVhelps to perform a service detection scan.
-oXparameter enables you to save the results in XML format inside the /shared/xml_files directory.
-oNparameter helps to print the results into the terminal, and the -v1 parameter boosts the verbosity level.
--script=vulners/vulners.nseis the Nmap script used to detect all CVEs from the host.
220.127.116.11is the target IP address.
If you also want to run UDP scans, or scan IPv6-based addresses, you can do it by adding the Nmap flags manually. Run the container and input the desired parameters like this:
docker run -v \$(shell pwd)/shared:/shared flan_scan <Nmap-flags>
Analyzing the results
Something we like about Flan Scan is its ability to generate the LaTeX summary report, along with the XML format. The LaTeX summary report is located in shared/reports, as well as the XML output in shared/xml_files.
In this case, we analyzed the .tex report, and found it was presented in an elegant way, featuring the most relevant information about the scans performed.
The first part of the scan includes a full description of each test, with the exact Nmap command that was executed. The vulnerability report starts with the most critical ones, as shown below:
These results include critical, medium and low importance CVEs. In these tests we ran several scans against http://scanme.nmap.org/ to see if Flan Scan was able to detect vulnerable applications and services.
Once the CVE report finishes, it will also add the services with no known vulnerabilities. In this case, apart from Nmap ScanMe page host, we also scanned the popular 18.104.22.168 and 22.214.171.124 servers, as you see in the following screenshot:
At the time of Flan Scan’s release, Cloudflare stated in their blog:
“Flan Scan is a thin wrapper around Nmap that converts this popular open source tool into a vulnerability scanner with the added benefit of easy deployment.”
After analyzing this product, we strongly believe that it can be used to discover open ports on your network, explore system services, versions and detect CVEs… in the same way as the original Nmap does.
The truth is there is no need to “convert” Nmap into a vulnerability scanner—it has been a network, port and CVE scanner for a long time.
Unlike Nmap, which works out-of-the-box and comes pre-installed on most modern Linux distros, Flan Scan requires running inside a Docker container to make it work. This may be the result of Cloudflare’s need to meet their compliance requirements, rather than a multi-platform generic solution which ultimately might not be the best way to deploy it for many other IT companies out there.
Pushing results to the cloud seems to be useful for data collection and central processing. However, the coolest thing is the XML and LaTeX reporting feature, which generates a really useful summary of all vulnerabilities found on the remote server.
While it’s great to see new additions and features added to classic Nmap, just as other colleagues in the infosec community found, we expected a little more from Cloudflare’s brilliant engineers. Flan Scan does offer a few cool features, but it’s ultimately not quite as outstanding a product as we thought it would be.
If you need to push results into the cloud, or need a better reporting system, it might fit your needs; otherwise, stick to good, old-fashioned Nmap. And if you’re willing to go big with vulnerability scanning, switch to a truly robust product like Nessus.
If you’re a security researcher looking for the ultimate passive port scanner, check out SurfaceBrowser, our enterprise-grade cybersecurity tool that can help you identify critical exposed data from any company in the world. Book a demo with our sales team today!