The Automated Network Scanning team ran into several issues writing our scanner. Our first approach was slow and inefficient: we scanned each host with a separate Nmap run, so the program had to start a new Nmap process for every host on the network. This worked well enough on our small test network of four Raspberry Pis, but it broke down in large-scale tests on the LCDI network, where it took over two hours to scan sixteen hosts. We decided to scan all of the hosts in a single Nmap run instead. As the diagram shows, Nmap is now started only a handful of times per scan rather than once per host, which removed the per-process startup cost and made the scan far more efficient.
During this process, we ran into issues with OS fingerprinting and with the Heartbleed check (Nmap's ssl-heartbleed script). OS fingerprinting failed outright against the Raspberry Pi running Windows IoT: the scan threw errors and never completed. Specifically, the SYN stealth probes used during OS fingerprinting came back with a negative round-trip time. Although we made sure the clocks on the Pis were synchronized, we were unable to overcome this issue; Nmap computes round-trip times from the scanning host's own clock, so synchronizing the targets' clocks could not affect that measurement. Because of this setback, we removed OS fingerprinting from the scope of our network scanner.
Because of the change in the structure of our scans, we also removed the script's Heartbleed functionality. Initially we could use a regular expression (regex) over the scan output to determine whether the scanned host was vulnerable, since each ssl-heartbleed scan corresponded to exactly one host. Once we scanned all of the hosts in one run, a match in the combined output no longer told us which host it belonged to, so we had to change our approach and use the built-in result-parsing functions of the python-libnmap package we were using. Those functions did not give us the data from the script, so we ultimately had to drop the Heartbleed check.
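The per-host attribution problem described above has a straightforward answer when Nmap is run with XML output (-oX): every host gets its own <host> element, and the ssl-heartbleed script attaches its verdict as structured <table>/<elem> children under that host, so a single multi-host scan can still be read back host by host. The example below is added here to illustrate that and is not the team's scanner or python-libnmap code; it parses a constructed, not captured, sample of Nmap XML with the standard library and keeps the regex from the original approach only as a per-host fallback on the script's text output. The host addresses and the abbreviated script text are made up for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -p 443 --script ssl-heartbleed -oX -` output for
# three hosts (not a real capture). The layout follows nmap's XML schema: each
# <host> carries its own <address> and <ports>, and NSE scripts that use the
# vulns library attach a <script> element whose <table> holds <elem key="state">.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -p 443 --script ssl-heartbleed -oX - 10.0.0.10 10.0.0.11 10.0.0.12" version="7.80" xmloutputversion="1.04">
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="https"/>
<script id="ssl-heartbleed" output="&#xa;  VULNERABLE:&#xa;  The Heartbleed Bug ...&#xa;    State: VULNERABLE&#xa;    Risk factor: High">
<table key="CVE-2014-0160">
<elem key="title">The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.</elem>
<elem key="state">VULNERABLE</elem>
</table>
</script>
</port></ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="https"/>
<script id="ssl-heartbleed" output="&#xa;  NOT VULNERABLE:&#xa;  The Heartbleed Bug ...&#xa;    State: NOT VULNERABLE">
<table key="CVE-2014-0160">
<elem key="title">The Heartbleed Bug ...</elem>
<elem key="state">NOT VULNERABLE</elem>
</table>
</script>
</port></ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https"/>
</port></ports></host>
</nmaprun>
"""

# The regex the original per-host approach relied on, now applied only to one
# host's own script text so it can never be confused with another host's result.
STATE_RE = re.compile(r"State:\s*((?:NOT |LIKELY )?VULNERABLE)")


def heartbleed_by_host(xml_text):
    """Map each scanned host address to its ssl-heartbleed verdict.

    Verdicts are the vulns-library state strings ("VULNERABLE",
    "NOT VULNERABLE", ...), "not tested" when the script produced no
    result for the host (e.g. port closed), or "unknown" when a result
    exists but carries no recognisable state.
    """
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr")
        verdict = "not tested"
        for script in host.iter("script"):
            if script.get("id") != "ssl-heartbleed":
                continue
            state_el = script.find("./table/elem[@key='state']")
            if state_el is not None and state_el.text:
                verdict = state_el.text.strip()
            else:
                # Fallback: scrape the human-readable output of this host only.
                m = STATE_RE.search(script.get("output", ""))
                verdict = m.group(1) if m else "unknown"
        results[addr] = verdict
    return results


def vulnerable_hosts(xml_text):
    """Return the sorted list of addresses whose verdict is exactly VULNERABLE."""
    return sorted(a for a, v in heartbleed_by_host(xml_text).items() if v == "VULNERABLE")


if __name__ == "__main__":
    for addr, verdict in heartbleed_by_host(SAMPLE_NMAP_XML).items():
        print(f"{addr}: {verdict}")
    print("vulnerable:", vulnerable_hosts(SAMPLE_NMAP_XML))
```

One caveat when running this against real output: by default ssl-heartbleed reports only hosts it found vulnerable, so a host that was tested and found clean produces no <script> element at all and would land in "not tested" here; pass `--script-args vulns.showall` to Nmap to get explicit NOT VULNERABLE entries like the one in the sample.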
Although our team started development with great ideas, we had to scale back to create a more efficient network scanner. Sometimes, you have to take a step backwards before you can take two steps forward!
To learn more about this and other projects at the LCDI, visit the LCDI Blog.