New Tool Release: LRL-SCAN

What is LRL-SCAN?
LRL-Scan (https://gitlab.com/lostrabbitlabs/lrl-scan) is a free, open-source vulnerability scanner based on Hacker Target's 'nmap-did-what' project (https://github.com/hackertarget/nmap-did-what). Our team has added improvements to the original schema, UI, and functionality by integrating SSLScan, Nuclei, NIST NVD lookups, and more. Perform full network, service, and vulnerability scanning of your network and discover hidden threats in your environment.

External Network vs. Internal Network scanning:
LRL-Scan is equipped to scan both public IPv4 addresses and the internal RFC1918 address space (along with hostnames and domain names). Running 'LRL-Scan' on an internal network collects MAC addresses, which are used to perform OUI vendor lookups; in addition, mDNS hostname discovery is performed to find additional hostnames. Running 'LRL-Scan' on an external network performs ASN & Geo lookups, which are used to plot the targets on the Grafana dashboard map.

1) Download & Install 'LRL-Scan':
   Git Clone:
   git clone https://gitlab.com/lostrabbitlabs/lrl-scan.git
   cd lrl-scan && sudo sh setup.sh (<------ run as root)

   Install Dependencies:
   nuclei
   curl
   docker/docker-compose
   nmap
   python3
   python3-pip
   sslscan
   scapy

2) Sign up for IPinfo & NIST NVD Lookup API Keys:
   NIST NVD: https://nvd.nist.gov/developers/request-an-api-key
   IPinfo:   https://ipinfo.io/signup

Configure your API keys in the 'scan-scripts/LRL-Nmap2SQLite.py' file:
   NIST_NVD_KEY = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
   IPINFO_TOKEN = "xxxxxxxxxxxxxx"
Both values are secrets: restrict read access to the edited file and keep it out of any commits you push.

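As an added example (not code from LRL-Scan), the snippet below reads the same two keys from environment variables instead of editing them into the script, and refuses the placeholder values shown above so a forgotten edit fails at startup rather than hours into a scan. The shape checks are inferred from those placeholders (UUID form for the NVD key, a short alphanumeric token for IPinfo) and are assumptions, not the vendors' published key formats.

```python
"""Load the LRL-Scan API keys from the environment and sanity-check them.

Added example, not code from LRL-Scan: the setup step edits the constants
NIST_NVD_KEY and IPINFO_TOKEN inside scan-scripts/LRL-Nmap2SQLite.py. Reading
environment variables of the same name instead keeps the secrets out of the
checked-out script, and refusing the placeholder values means a forgotten edit
fails at startup rather than as lookup errors hours into a scan.
"""
import os
import re
from typing import List, Mapping, Optional

# Placeholders exactly as they appear in the setup instructions.
PLACEHOLDERS = {
    "NIST_NVD_KEY": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "IPINFO_TOKEN": "xxxxxxxxxxxxxx",
}

# Shape checks inferred from the placeholders above (UUID form for NVD, a short
# alphanumeric token for IPinfo); assumptions, not the vendors' specifications.
SHAPES = {
    "NIST_NVD_KEY": re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"),
    "IPINFO_TOKEN": re.compile(r"^[0-9A-Za-z]{8,64}$"),
}


def check_key(name: str, env: Mapping[str, str]) -> Optional[str]:
    """Return a problem description for `name` in `env`, or None if it looks usable."""
    value = env.get(name, "").strip()
    if not value:
        return f"{name} is not set (export it in the scan user's environment)"
    if value == PLACEHOLDERS[name]:
        return f"{name} is still the placeholder from the setup instructions"
    if not SHAPES[name].match(value):
        return f"{name} has an unexpected shape (check for stray quotes or whitespace)"
    return None


def check_keys(env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Every problem with both keys at once, so one run reports all of them."""
    env = os.environ if env is None else env
    return [p for p in (check_key(n, env) for n in PLACEHOLDERS) if p is not None]


def load_keys(env: Optional[Mapping[str, str]] = None) -> Mapping[str, str]:
    """Return {name: value} for both keys, or raise with every problem listed."""
    env = os.environ if env is None else env
    problems = check_keys(env)
    if problems:
        raise RuntimeError("API key configuration: " + "; ".join(problems))
    return {name: env[name].strip() for name in PLACEHOLDERS}


if __name__ == "__main__":
    # Constructed sample environment; these are not real credentials.
    sample = {
        "NIST_NVD_KEY": "01234567-89ab-cdef-0123-456789abcdef",
        "IPINFO_TOKEN": "abc123def456gh",
    }
    print(load_keys(sample))
```

Call load_keys() with no argument to read the real process environment; the scan user's shell profile or a systemd unit can carry the two exports, and the script itself never needs to change.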
3) Configuring the 'scan-targets.txt' file:
Before running lrl-scan.sh, modify the scan-targets.txt file with your desired targets (one target per line: a CIDR network, IPv4 address, hostname, or domain name).

Example 'scan-targets.txt' file:

Auto-generating a 'scan-targets.txt' file:
We have provided the 'network-discovery.sh' script to auto-generate a 'scan-targets.txt' for your desired network:
 sudo sh network-discovery.sh <CIDR Range> <IP to exclude>

If your internal network is 10.0.0.0/24, run:
 sudo sh network-discovery.sh 10.0.0.0/24

If you don't want to include the IP address of the scanner itself, exclude it with the command below (where 10.0.0.10 is the system running LRL-Scan):
 sudo sh network-discovery.sh 10.0.0.0/24 10.0.0.10

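The two parts of this step, hand-editing scan-targets.txt and generating it from a CIDR with an exclusion, as an added Python example that is not LRL-Scan's own code: generate_targets() expands a network the way the network-discovery.sh invocation above is described (the project's script may additionally probe for live hosts; this one lists every usable address), and validate_targets() checks an edited file against the four accepted line kinds before it is handed to the scan scripts, so a typo such as '10.0.0.300' is caught up front. The '#' comment convention and all sample entries are constructed for the example.

```python
"""Generate and validate an LRL-Scan 'scan-targets.txt'.

Added example, not LRL-Scan's own code: generate_targets() mirrors what
network-discovery.sh is described as doing (a CIDR expanded to one target per
line, optionally minus the scanner's own address; the project's script may
discover live hosts instead of listing every address), and validate_targets()
checks a hand-edited file against the four accepted line kinds: CIDR network,
IPv4 address, hostname, domain name. The '#' comment convention is an assumption.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# RFC 1123 label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def classify(target: str) -> str:
    """Return 'cidr', 'ipv4' or 'hostname'; raise ValueError for anything else."""
    target = target.strip()
    if not target:
        raise ValueError("empty target")
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)  # ValueError if malformed
        if net.version != 4:
            raise ValueError(f"{target}: only IPv4 networks are supported")
        return "cidr"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version != 4:
            raise ValueError(f"{target}: only IPv4 addresses are supported")
        return "ipv4"
    # An all-digit last label is never a valid hostname (RFC 1123), so this is
    # almost always a mistyped address such as 10.0.0.300.
    if target.rstrip(".").rsplit(".", 1)[-1].isdigit():
        raise ValueError(f"{target}: looks like a malformed IPv4 address")
    if len(target) <= 253 and HOSTNAME_RE.match(target):
        return "hostname"
    raise ValueError(f"{target!r}: not a CIDR network, IPv4 address, hostname or domain name")


def validate_targets(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split file lines into (usable targets, error messages with line numbers)."""
    valid, errors = [], []
    for lineno, raw in enumerate(lines, start=1):
        target = raw.split("#", 1)[0].strip()  # drop trailing comments (assumed convention)
        if not target:
            continue
        try:
            classify(target)
            valid.append(target)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return valid, errors


def generate_targets(cidr: str, exclude: Iterable[str] = ()) -> List[str]:
    """Every usable host address in `cidr`, one per entry, minus those in `exclude`."""
    net = ipaddress.ip_network(cidr, strict=False)
    skip = {ipaddress.ip_address(x) for x in exclude}
    return [str(host) for host in net.hosts() if host not in skip]


if __name__ == "__main__":
    # Equivalent of: sudo sh network-discovery.sh 10.0.0.0/24 10.0.0.10
    print("\n".join(generate_targets("10.0.0.0/24", ["10.0.0.10"])[:3]), "...")
    # Constructed hand-edited file with good entries of each kind and two bad ones.
    sample = ["10.0.0.0/24", "192.168.1.5", "printer.local  # lab printer",
              "example.com", "10.0.0.300", "bad host!"]
    ok, problems = validate_targets(sample)
    print("targets:", ok)
    print("errors:", problems)
```

Write the generated list to scan-targets.txt with one entry per line; running validate_targets() over the file before each scan is cheap and stops a malformed line from being passed through to nmap, sslscan and nuclei by the shell scripts.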
4) Running LRL-Scan:

Once you have a populated 'scan-targets.txt' you can run the scan with the command below:
 sh lrl-scan.sh

*It may take several hours for all tasks to complete, so prepare to be patient! Upon scan completion the 'ALL-RESULTS' folder will contain all scan outputs and the 'nmap-did-what/data/nmap_results.db' file will store the scan results for the dashboard.

Nmap/NSE TCP (Full 65K) port scan:
LRL-Scan first performs a full TCP port scan along with NSE scripts for service discovery. Results are displayed on the terminal as each scan completes.

mDNS & HTTP service discovery:
Next, a quick reverse lookup for mDNS hostnames is performed, along with verification of all HTTP/HTTPS services.

SSL Scan:
sslscan is run to inventory the SSL/TLS protocol versions and cipher suites each service offers and to identify weak cryptography in use.

Nuclei scan:
Nuclei is run to identify vulnerabilities and their associated CVE, CPE, and CWE identifiers.

Nmap UDP (Top 1000) port scan:
Lastly, LRL-Scan performs a Top-1000 UDP port scan on all targets and writes all results to the SQLite DB (nmap_results.db).

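The last stage of the pipeline above (scan results written into the SQLite database) and the 'Download CSV' export described in the Grafana section, as an added example that is not code from LRL-Scan or nmap-did-what: it parses a constructed nmap -oX document into a hosts/ports layout that is an illustration rather than the project's real schema, keeps closed ports out of the 'Open Services' view, and prints that view as CSV. Loading is an upsert, so re-running a scan into the same database replaces rather than duplicates rows.

```python
"""Load nmap XML into SQLite and export the open services as CSV.

Added example, not code from LRL-Scan or nmap-did-what: it shows the end of the
pipeline above (results into 'nmap_results.db') and the later 'Download CSV' step
on a constructed nmap -oX sample; the hosts/ports layout is an illustration, not
the project's schema.
"""
import csv
import io
import sqlite3
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output for two RFC 1918 hosts (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <hostnames><hostname name="printer.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (ip TEXT PRIMARY KEY, mac TEXT, vendor TEXT, hostname TEXT);
CREATE TABLE IF NOT EXISTS ports (ip TEXT, protocol TEXT, port INTEGER, state TEXT,
    service TEXT, product TEXT, version TEXT, PRIMARY KEY (ip, protocol, port));
"""


def _attr(elem, name):
    """Attribute of an optional child element, or None when the child is absent."""
    return None if elem is None else elem.get(name)


def load_nmap_xml(conn, xml_text):
    """Parse nmap XML and upsert hosts and ports; returns the number of port rows."""
    conn.executescript(SCHEMA)
    written = 0
    for host in ET.fromstring(xml_text).iter("host"):
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor")
        if ip is None:
            continue  # nothing to key the row on
        hostname = _attr(host.find("hostnames/hostname"), "name")
        conn.execute("INSERT OR REPLACE INTO hosts VALUES (?,?,?,?)",
                     (ip, mac, vendor, hostname))
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            conn.execute("INSERT OR REPLACE INTO ports VALUES (?,?,?,?,?,?,?)",
                         (ip, port.get("protocol"), int(port.get("portid")),
                          _attr(state, "state"), _attr(svc, "name"),
                          _attr(svc, "product"), _attr(svc, "version")))
            written += 1
    conn.commit()
    return written


def build_db(xml_text, path=":memory:"):
    """Open (or create) the SQLite file at `path` and load one nmap XML document."""
    conn = sqlite3.connect(path)
    load_nmap_xml(conn, xml_text)
    return conn


def open_services(conn):
    """Rows for an 'Open Services' view: only ports whose state is open."""
    return conn.execute(
        "SELECT h.ip, h.hostname, p.protocol, p.port, p.service, p.product, p.version "
        "FROM ports p JOIN hosts h ON h.ip = p.ip WHERE p.state = 'open' "
        "ORDER BY h.ip, p.protocol, p.port").fetchall()


def export_csv(conn):
    """CSV text of the open services, like the dashboard's 'Download CSV' button."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "hostname", "protocol", "port", "service", "product", "version"])
    writer.writerows(open_services(conn))
    return buf.getvalue()


if __name__ == "__main__":
    print(export_csv(build_db(SAMPLE_NMAP_XML)))
```

Pointing build_db() at a file path instead of ":memory:" writes a database on disk; the same query that drives open_services() is what a Grafana table panel over the SQLite data source would run, and the closed telnet port in the sample shows why filtering on state matters before exporting an inventory.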
5) Using the Grafana Dashboard & UI:

To bring up the Grafana dashboard on your local system's TCP port 3000, run the command below:
cd nmap-did-what/grafana-docker && sudo docker compose up -d

NOTE: On older Docker versions you may need to run the command below instead:
cd nmap-did-what/grafana-docker && sudo docker-compose up -d

After bringing up the dashboard with docker compose or docker-compose, you can access it in the browser at http://localhost:3000/.
The default credentials for Grafana are admin / admin. The first time you start the dashboard you will be prompted to change the password; do so before exposing the dashboard beyond localhost, since the database it reads is a full inventory of your network.

Export all services results as a CSV file:
Find the 'Open Services' table in Grafana and click the three (3) dots on the far right. From the popup menu select the 'Inspect' option.

From this 'Inspect' view you can click the 'Download CSV' button to download a CSV file of all discovered services.

Example CSV export output as viewed in a common spreadsheet viewer.

6) Using DB Browser for SQLite:
You can also view & modify the 'nmap_results.db' file directly using DB Browser for SQLite (https://sqlitebrowser.org/). This tool makes it easier to modify the schema, customize your instance of 'LRL-Scan', and export any of the stored scan data.

7) Continuous Scanning & Clean Up:
'LRL-Scan' can be run multiple times, and all results are appended to the existing database. If you want to start over and clean up all scan results, simply run the 'scan-scripts/cleanup.sh' script. It removes the 'ALL-RESULTS' folder and the 'nmap-did-what/data/nmap_results.db' file.