I regularly use tools like NMAP and masscan for scanning prospective customer networks to perform simple audits to get an idea of the things they're running as quickly as I can, but I find doing this a bit clunky and not as quick as I'd like. So I built AngryEther. It can scan a /24 in around 20 seconds and banner grabs important stuff. It can also be set to perform an ARP sweep to pick up devices that otherwise don't respond to a typical ICMP/TCP sweep. The tool can also spit out a nice JSON file with all the information in it, which can be used to push the data back to a server somewhere for later use.
sim7c00 · 8h ago
this is pretty nice. if u need to scan tons of places for large ranges (discovery all pvt ranges every timeframe) this can be really nice.
the problem i have with such scanners is accuracy though. but i suppose that's hard to tackle from scanner perspective (hard to see routing tricks etc.). for asset/vuln mgmt its good to have full disco scans to compare other sources and see if they cover everything with targeted scans. personally i wouldn't care much about banners in this case as other tools will do more aggressive fingerprinting.
a push back on scanning full 10./8 or such ranges was for me always time needed / bandwidth (idiots running full feature scan instead of pings... -_-)
with that landscape in mind i'd say maybe position yourself clearly in the discovery bucket, not fingerprinting, or make it clear there are different scan profiles.
if u start about banner grabbing ppl might either expect slowdowns or expect full banners for everything.
maybe it's nice to make little scripts. your json into ansible inventory. RackTables maybe and NetBox? or in some format those accept. it will help adoption a lot.
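One way to do the "json into ansible inventory" step suggested above, as an added example that is not AngryEther's own code: the input schema (a list of hosts with `ip`, `mac` and a `ports` map of port to grabbed banner) is an assumption, since the thread does not show the real layout, and the sample scan data is constructed.

```python
"""Turn scanner JSON into an Ansible inventory (added example, not AngryEther code).

Assumed input schema (AngryEther's real layout is not shown in the thread):
a list of hosts, each {"ip": str, "mac": str|None, "ports": {"<port>": "<banner>"}}.
"""
import json
from collections import defaultdict

# Constructed sample scan output in the assumed schema (RFC 5737 test addresses).
SAMPLE_SCAN = json.dumps([
    {"ip": "192.0.2.10", "mac": "00:00:5e:00:53:01",
     "ports": {"22": "SSH-2.0-OpenSSH_9.2p1 Debian-2", "80": "Apache/2.4.57"}},
    {"ip": "192.0.2.20", "mac": "00:00:5e:00:53:02",
     "ports": {"445": "", "3389": ""}},
    {"ip": "192.0.2.30", "mac": None, "ports": {}},
])

WINDOWS_PORTS = ("445", "3389")   # coarse hint only; this is not fingerprinting


def guess_os(ports):
    """Coarse OS bucket from open ports/banners; 'unknown' when there is no evidence."""
    text = " ".join(ports.values()).lower()
    if any(p in ports for p in WINDOWS_PORTS) or "microsoft" in text:
        return "windows"
    if "22" in ports or "openssh" in text:
        return "linux"
    return "unknown"


def to_inventory(scan_json):
    """Build an Ansible inventory dict grouped by guessed OS and by reachable service."""
    children = defaultdict(lambda: {"hosts": {}})
    for host in json.loads(scan_json):
        ports = host.get("ports") or {}
        name = host["ip"]
        children[guess_os(ports)]["hosts"][name] = {
            "ansible_host": host["ip"],
            "mac": host.get("mac"),
            "open_ports": sorted(int(p) for p in ports),
        }
        if "22" in ports:      # the default ssh connection plugin can reach these
            children["ssh"]["hosts"][name] = {}
        if any(p in ports for p in WINDOWS_PORTS):
            children["winrm_candidates"]["hosts"][name] = {}
    return {"all": {"children": dict(children)}}


if __name__ == "__main__":
    # JSON is valid YAML, so Ansible's yaml inventory plugin reads the .json file directly.
    with open("inventory.json", "w") as fh:
        json.dump(to_inventory(SAMPLE_SCAN), fh, indent=2)
```

Run it and point Ansible at the result with `ansible-inventory -i inventory.json --graph` to check the grouping before using it in a play.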
pg3uk · 3h ago
Thanks for the feedback. Appreciate it!
Yeah, I often need a bit more than a ping sweep, but not a full feature scan. I've been around in tech long enough that I can look at the output of my tool and know if a box is Windows or Linux or whatever...fingerprinting isn't that important for me.
The situation I'm usually in where I need this tool is I've been called in somewhere, their techie has left or been fired and I don't have a lot of documentation (if any) and I need to find important boxes and work out how to connect to them...an early version of this tool had an OUI lookup built in to do vendor ID, but that slowed it down a bit too much and including an OUI database with the app seemed excessive, implementing a "cloud" lookup wasn't feasible because I often need to do these scans on networks where I don't necessarily have internet access. I have a custom hardware device that I build out of a Radxa 3E with a POE hat that I can just jack into a network switch (if it has POE) and it automatically grabs everything it can for me, then dumps everything to the device (or if an internet connection is present, spits it at me over Pushbullet). With that device, I can go from knowing nothing, to knowing a reasonable amount in under 5 minutes.
It's a device that I would like to make a proper solution out of, but it's so esoteric that I think it would end up being pretty niche...it kind of relies on the engineer using it to think exactly like I do and being able to just "know" stuff...so it's the sort of thing that would generate more git issues and usability complaints than anything else!
Yes, the JSON output is precisely because I like to make scripts to push data into dashboards and the like...I stopped at just spitting out JSON because I have other tools/scripts that do that for me. I prefer to leave things as a JSON file because it's the greatest amount of flexibility, the cost though is that you have to be able to do something with the JSON once you have it.
The accuracy of this tool depends on the timeout you set and the performance of the network you scan. By default it has a 500ms timeout, which is enough for most networks, but increasing it to 1000ms on slower networks yields better accuracy...flicking on ARP adds even more accuracy...obviously both come at the cost of the time required to finish the scan though!
pg3uk · 3h ago
Further to this, ARP is off by default because you need root/sudo to be able to do an ARP sweep...you don't need special permissions to be able to run this app with its default settings...which was a bugbear of mine with masscan.