# Available scanners

## Supported scans

| Scan                | Port(s)     | IPv Support | Protocols | Rate limit | Rotation               |
| :------------------ | :---------- | :---------- | :-------- | :--------- | :---------             |
| DNS                 | A/AAAA      | -           | DNS       | No         | Not yet automated      |
| Endpoint discovery  | Defaults    | 4           | http(s)   | No         | Per 3 days             |
| TLS (qualys)        | 443         | 4, 6        | TLS       | 1/minute   | Per 3 days             |
| Headers             | Any http(s) | 4           | http(s)   | No         | Daily                  |
| Screenshots         | Any http(s) | 4           | http(s)   | 1 thread   | Not yet automated      |
| Plain HTTPS         | Any http(s) | 4           | http(s)   | No         | Daily                  |
| DNSSEC              | -           | -           | DNS       | No         | Daily                  |
### DNS
The DNS scanner tries to find hostnames using various strategies:
- Brute force on a subdomain list (existing subdomains only)
- Looking at NSEC1 hashes
- Looking at Certificate transparency
Less popular, not fully automated, but also implemented:
- Brute forcing dictionaries
- Looking in search engines
### Endpoint Discovery
Tries to find HTTP(s) endpoints on standard HTTP(s) ports. A normal website currently has about four endpoints:
- IPv6 port 80, redirect to port 443
- IPv6 port 443, actual website
- IPv4 port 80, redirect to port 443
- IPv4 port 443, actual website

We store them separately as implementation mistakes might occur on any of these endpoints.

### TLS (qualys)
Runs a scan on ssllabs from Qualys and incorporates the result.
### Headers
Contacts an endpoint and verifies HTTP headers for various security settings. (HSTS etc)
### Screenshots
Uses headless Chrome to contact a website and take a screenshot of it. This screenshot is displayed next to the results
in the report.
### Plain HTTPS
Checks if a website that only has a site on port 80 also has a secure equivalent. No port-80-only sites should exist.
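As an added illustration (not code from the failmap project), the port-80-only check can be expressed over the endpoints that Endpoint Discovery stores separately per IP version and port. The `Endpoint` class and the sample data below are constructed assumptions, not real scan output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """One discovered endpoint, stored separately per IP version and port."""
    host: str
    ip_version: int   # 4 or 6
    port: int
    protocol: str     # "http" or "https"


# Constructed sample data: one fully configured host, one host that only
# lacks the IPv6 https endpoint, and one port-80-only site.
SAMPLE_ENDPOINTS = [
    Endpoint("good.example", 4, 80, "http"),
    Endpoint("good.example", 4, 443, "https"),
    Endpoint("good.example", 6, 80, "http"),
    Endpoint("good.example", 6, 443, "https"),
    Endpoint("partial.example", 4, 80, "http"),
    Endpoint("partial.example", 4, 443, "https"),
    Endpoint("partial.example", 6, 80, "http"),   # no IPv6 https endpoint
    Endpoint("plain.example", 4, 80, "http"),     # port-80-only site
]


def port80_only(endpoints):
    """Return sorted (host, ip_version) pairs that serve http on port 80
    but have no https endpoint on port 443 for the same IP version.

    The comparison is per IP version because a mistake may exist on any
    one of the four usual endpoints of a site."""
    plain = set()
    secure = set()
    for ep in endpoints:
        key = (ep.host, ep.ip_version)
        if ep.port == 80 and ep.protocol == "http":
            plain.add(key)
        elif ep.port == 443 and ep.protocol == "https":
            secure.add(key)
    return sorted(plain - secure)


def rate_plain_https(endpoints):
    """Map each host to True (ok) or False (a port-80-only endpoint exists)."""
    failing = {host for host, _ in port80_only(endpoints)}
    hosts = {ep.host for ep in endpoints}
    return {host: host not in failing for host in sorted(hosts)}
```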
### DNSSEC
Checks if the top-level domain implements DNSSEC correctly. Uses the dotSE scanner, which is included.
## Scheduling
Scanners are scheduled as periodic tasks in Django admin. They are disabled by default and might not all be included in
the source distribution. Creating a scan is actually easy. For example:

- General/Name: discover-endpoints
- General/Enabled: Yes
- General/Task: discover-endpoints
- Schedule/Interval: every 3 days
- Arguments/Arguments: ["failmap.scanners.scanner_http"]
- Execution Options/Queue: storage
## Manual scans
### Command line
The Scan command can help you:
```bash
failmap scan 'scanner name'
```
The message returned will tell you what scanners you can run manually. All scanners have the same set of options.
### Admin interface
It's possible to run manual scans from the admin interface, using the actions at the bottom of a selection.
Note that this is beta functionality; please don't do this too often, as the "priority" scanning queue is not functioning yet.
You can try out a scan or two, but some take a lot of time.

![admin_actions](scanners_scanning_and_ratings/admin_actions.png)