Hack Tools

flan: A pretty sweet vulnerability scanner

Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.

Flan Scan is a wrapper over Nmap and the vulners script which turns Nmap into a full-fledged network vulnerability scanner. Flan Scan makes it easy to deploy Nmap locally within a container, push results to the cloud, and deploy the scanner on Kubernetes.


  1. Clone this repository: git clone https://github.com/cloudflare/flan.git
  2. Make sure you have docker setup:
$ docker --version
  1. Add the list of IP addresses or CIDRS you wish to scan to shared/ips.txt.
  2. Build the container:
$ make build
  1. Start scanning!
$ make start

When the scan finishes you will find a Latex report of the summarizing the scan in shared/reports. You can also see the raw XML output from Nmap in shared/xml_files.

Custom Nmap Configuration

By default Flan Scan runs the following Nmap command:

$ nmap -sV -oX /shared/xml_files -oN – -v1 [email protected] –script=vulners/vulners.nse <ip-address>

The -oX flag adds an XML version of the scan results to the /shared/xml_files directory and the -oN – flag outputs “normal” Nmap results to the console. The -v1 flag increases the verbosity to 1 and the -sV flag runs a service detection scan (aside from Nmap’s default port and SYN scans). The –script=vulners/vulners.nse is the script that matches the services detected with relevant CVEs.

Nmap also allows you to run UDP scans and to scan IPv6 addresses. To add these and other flags to Scan Flan’s Nmap command after running make build run the container and pass in you Nmap flags like so:

$ docker run -v $(shell pwd)/shared:/shared flan_scan <Nmap-flags>

Pushing Results to the Cloud

Flan Scan currently supports pushing Latex reports and raw XML Nmap output files to a GCS Bucket or to an AWS S3 Bucket. Flan Scan requires 2 environment variables to push results to the cloud. The first is upload which takes one of two values gcp or aws. The second is bucket and the value is the name of the S3 or GCS Bucket to upload the results to. To set the environment variables, after running make build run the container setting the environment variables like so:

$ docker run --name <container-name> 
             -v $(pwd)/shared:/shared 
             -e upload=<gcp or aws> 
             -e bucket=<bucket-name> 

Below are some examples for adding the necessary AWS or GCP authentication keys as environment variables in container. However, this can also be accomplished with a secret in Kubernetes that exposes the necessary environment variables or with other secrets management tools.


Copyright (c) 2019, Cloudflare
All rights reserved.

The post flan: A pretty sweet vulnerability scanner appeared first on Penetration Testing.

Click to comment

You must be logged in to post a comment Login

Leave a Reply

To Top

Pin It on Pinterest

Share This