Hybrid Multi-Target Distributed Reconnaissance (AWS)

This page describes the AWS implementation of Hybrid Multi-Target Distributed Reconnaissance: a two-pass port scan in which each target's port space is partitioned and fanned out across parallel ECS tasks, with Step Functions and SQS handling orchestration, S3 and DynamoDB holding results, and Lambda functions bridging the discovery pass into the detailed pass.

For the GCP implementation, see the Hybrid Multi-Target (GCP) page.

Architecture Overview

High-level Architecture Overview

[Figure: high-level AWS architecture diagram showing the flow from Heph4estus through the AWS services used for hybrid multi-target reconnaissance]

Phase 1: Initial Port Discovery

[Figure: first-pass ECS tasks performing parallel port discovery across multiple targets]

Phase 2: Detailed Port Analysis

[Figure: second-pass ECS tasks performing detailed scans on the discovered open ports]

Workflow Overview

Phase 1: Port Discovery

1. Initiation

  • Heph4estus triggers the Producer application
  • Producer reads targets from targets.txt and partitions the port ranges for each target
  • Producer invokes Step Functions to orchestrate the scan

2. Discovery Scan Setup

  • Step Functions publishes messages to SQS with target information and port partitions
  • Each message describes a preliminary scan of one port partition of one target using the -T1 timing template (in nmap this is the "sneaky" setting, which throttles the probe rate; the pass gets its throughput from running many partitions in parallel, not from scanning any one of them quickly)
  • ECS tasks are launched to process these messages

3. Initial Scanning

  • Multiple ECS containers run in parallel (shown as Tasks 1-6)
  • Each container scans a specific partition of ports for its assigned target
  • Tasks 1-3 scan different port ranges for target1, while Tasks 4-6 scan for target2
  • These are lightweight scans whose only job is to determine which ports are open; service and version detection is deferred to the second pass

4. Result Storage

  • Scan results are uploaded to S3
  • The results contain information about which ports were found open in each partition
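The producer side of steps 1 to 4, as an added example (not Heph4estus's own code): read targets.txt, split the port space into equal, non-overlapping partitions, emit one SQS message per (target, partition), and derive the scan command a task runs from that message. The message schema, the S3 result-key layout, the use of nmap and its flags (-Pn, -oG) are assumptions; the page only names the -T1 setting.

```python
"""Phase 1 producer logic: targets -> port partitions -> SQS message bodies.

Added example for this page; not Heph4estus's own code. The message schema,
the result_key layout and the scanner flags are assumptions.
"""
import json
from typing import Dict, List, Tuple

FULL_RANGE = (1, 65535)          # the whole TCP port space each target is split over


def read_targets(text: str) -> List[str]:
    """Parse targets.txt: one host per line; blank lines and '#' comments ignored."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            targets.append(line)
    return targets


def partition_ports(lo: int, hi: int, parts: int) -> List[Tuple[int, int]]:
    """Split the inclusive range [lo, hi] into `parts` contiguous ranges.

    Every port lands in exactly one partition (no gaps, no overlap), and the
    sizes differ by at most one, so no single ECS task gets a lopsided share.
    """
    if parts < 1 or lo > hi:
        raise ValueError("parts must be >= 1 and lo <= hi")
    total = hi - lo + 1
    parts = min(parts, total)            # never hand a task an empty range
    base, extra = divmod(total, parts)
    ranges, start = [], lo
    for i in range(parts):
        size = base + (1 if i < extra else 0)
        ranges.append((start, start + size - 1))
        start += size
    return ranges


def build_discovery_messages(targets: List[str], parts: int, scan_id: str) -> List[Dict]:
    """One SQS message per (target, partition): the unit of work for one ECS task."""
    messages = []
    for target in targets:
        for idx, (lo, hi) in enumerate(partition_ports(FULL_RANGE[0], FULL_RANGE[1], parts)):
            messages.append({
                "scan_id": scan_id,
                "phase": 1,
                "target": target,
                "partition": idx,
                "ports": f"{lo}-{hi}",
                "timing": "T1",      # the page's -T1 setting: slow per task, parallel across tasks
                # assumed S3 key the task writes to; phase 2 recovers target/partition from it
                "result_key": f"{scan_id}/phase1/{target}/part{idx}.gnmap",
            })
    return messages


def scan_command(msg: Dict) -> List[str]:
    """argv the ECS task runs for one message (assumes nmap; flags are assumptions).

    -Pn skips host discovery so a host that drops ping is still port-scanned;
    -oG - writes grepable output to stdout, which the task uploads to S3.
    """
    return ["nmap", f"-{msg['timing']}", "-Pn", "-p", msg["ports"], "-oG", "-", msg["target"]]


def sqs_batches(messages: List[Dict], batch_size: int = 10) -> List[List[Dict]]:
    """Group messages into SendMessageBatch entries; SQS accepts at most 10 per call."""
    batches = []
    for i in range(0, len(messages), batch_size):
        chunk = messages[i:i + batch_size]
        batches.append([{"Id": str(n), "MessageBody": json.dumps(m)} for n, m in enumerate(chunk)])
    return batches


if __name__ == "__main__":
    # constructed targets.txt; the hostnames are placeholders
    sample = "target1\n# staging box, scan later\ntarget2  # trailing note\n\n"
    msgs = build_discovery_messages(read_targets(sample), parts=3, scan_id="scan-0001")
    for m in msgs:
        print(" ".join(scan_command(m)))
    # with boto3 the publish step would be:
    #   for batch in sqs_batches(msgs):
    #       sqs.send_message_batch(QueueUrl=queue_url, Entries=batch)
    print(len(msgs), "messages in", len(sqs_batches(msgs)), "batch(es)")
```

With two targets and three partitions this yields the six messages the diagram labels Tasks 1-6. The partition boundaries are worth checking explicitly whenever this logic is touched: an off-by-one at a boundary silently drops a port from both the discovery pass and, because phase 2 only looks at ports phase 1 reported, from the detailed pass as well.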

Phase 2: Detailed Analysis

1. Results Processing

  • A Lambda function processes the S3 scan results
  • It extracts the list of open ports found during the discovery phase
  • The open ports are saved to DynamoDB for structured storage and easy retrieval

2. Second Scan Preparation

  • Another Lambda function reads the open ports from DynamoDB
  • It generates new scan configurations focused only on the open ports
  • The configurations are sent back to Step Functions

3. Detailed Scanning

  • Step Functions creates new SQS messages for deeper scans
  • These scans target only the previously discovered open ports with more comprehensive options
  • ECS launches a second wave of containers
  • Each container now performs a more thorough scan on just one target's open ports

4. Monitoring and Error Handling

  • CloudWatch collects the logs and metrics from the Step Functions executions, Lambda functions and ECS tasks
  • Comprehensive logging captures any failures for troubleshooting
  • The architecture includes error handling for both scanning phases
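The Lambda side of Phase 2 (steps 1 to 3, with the failure case from step 4), as an added example rather than Heph4estus's own code: parse each partition's grepable nmap result, merge the partitions of one target into its open-port list, shape the DynamoDB item, and build the per-target second-pass message. It assumes the phase 1 tasks wrote nmap -oG output to S3 and that the result objects carry their target and partition index; the table's key names and the "comprehensive options" (-sV -sC -T3) are assumptions, as the page does not name them. The sample results are constructed.

```python
"""Phase 2 hand-off: S3 result objects -> open ports -> DynamoDB -> deep-scan messages.

Added example for this page, not Heph4estus code. Assumes nmap -oG output;
key names and the phase 2 scan options are assumptions.
"""
import re
from typing import Dict, List, Tuple

# One entry of the -oG "Ports:" field looks like "22/open/tcp//ssh///".
# Only definitively open ports are taken; "open|filtered" (typical for UDP) is excluded on purpose.
OPEN_PORT_RE = re.compile(r"(\d+)/open/(?:tcp|udp)//")

PHASE2_ARGS = ["-sV", "-sC", "-T3"]   # assumed "comprehensive options"; the page does not list them


def parse_open_ports(gnmap: str) -> List[int]:
    """Sorted open ports from one -oG result file.

    Raises ValueError when no "Host:" line exists: that is how a task that died
    before writing output, or an empty S3 object, shows up.
    """
    host_lines = [ln for ln in gnmap.splitlines() if ln.startswith("Host:")]
    if not host_lines:
        raise ValueError("no Host line: result is empty or truncated")
    ports = set()
    for line in host_lines:
        _, _, field = line.partition("Ports:")     # "" when the line has no Ports field
        ports.update(int(p) for p in OPEN_PORT_RE.findall(field))
    return sorted(ports)


def merge_partition_results(results: List[Tuple[str, int, str]]) -> Tuple[Dict[str, List[int]], List[Tuple[str, int]]]:
    """results: (target, partition, body) per S3 object.

    Returns ({target: sorted open ports}, [(target, partition)] that failed to parse).
    Failed partitions are reported, not silently treated as "nothing open".
    """
    merged: Dict[str, set] = {}
    failed: List[Tuple[str, int]] = []
    for target, part, body in results:
        merged.setdefault(target, set())
        try:
            merged[target].update(parse_open_ports(body))
        except ValueError:
            failed.append((target, part))
    return {t: sorted(p) for t, p in merged.items()}, failed


def dynamodb_item(scan_id: str, target: str, ports: List[int]) -> Dict:
    """Item shape for boto3's Table.put_item (assumed pk/sk key schema).

    open_ports is stored as a list, not a set: DynamoDB rejects empty sets,
    and a target with nothing open is a legitimate result worth recording.
    """
    return {"pk": f"SCAN#{scan_id}", "sk": f"TARGET#{target}",
            "open_ports": ports, "port_count": len(ports)}


def build_phase2_messages(scan_id: str, open_by_target: Dict[str, List[int]],
                          failed: List[Tuple[str, int]]) -> Tuple[List[Dict], List[str]]:
    """One deep-scan message per target with open ports.

    A target with a failed partition is held back (returned separately) rather
    than scanned on an incomplete port list; re-run the partition first.
    """
    incomplete = {t for t, _ in failed}
    messages, held = [], []
    for target, ports in sorted(open_by_target.items()):
        if target in incomplete:
            held.append(target)
        elif ports:
            messages.append({"scan_id": scan_id, "phase": 2, "target": target,
                             "ports": ",".join(str(p) for p in ports), "args": PHASE2_ARGS})
    return messages, held


def deep_scan_command(msg: Dict) -> List[str]:
    """argv for a phase 2 ECS task (assumed flags; -oX - gives XML for later parsing)."""
    return ["nmap", "-Pn", *msg["args"], "-p", msg["ports"], "-oX", "-", msg["target"]]


# Constructed sample S3 objects: (target, partition, body). Addresses are from TEST-NET-3.
SAMPLE_RESULTS = [
    ("target1", 0, "# Nmap 7.94 scan initiated\nHost: 203.0.113.10 (target1)\tStatus: Up\n"
                   "Host: 203.0.113.10 (target1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
                   "\tIgnored State: closed (21843)\n# Nmap done\n"),
    ("target1", 1, "Host: 203.0.113.10 (target1)\tPorts: 443/open/tcp//https///\tIgnored State: closed (21844)\n"),
    ("target1", 2, ""),                                             # task died: empty object
    ("target2", 0, "Host: 203.0.113.20 (target2)\tStatus: Up\n"),  # nothing open in this partition
    ("target2", 1, "Host: 203.0.113.20 (target2)\tPorts: 3389/open/tcp//ms-wbt-server///, "
                   "161/open|filtered/udp//snmp///\n"),
    ("target2", 2, "Host: 203.0.113.20 (target2)\tStatus: Up\n"),
]

if __name__ == "__main__":
    opened, failed = merge_partition_results(SAMPLE_RESULTS)
    for target, ports in opened.items():
        print(dynamodb_item("scan-0001", target, ports))     # table.put_item(Item=...) with boto3
    messages, held = build_phase2_messages("scan-0001", opened, failed)
    print("held for retry:", held)
    for m in messages:
        print(" ".join(deep_scan_command(m)))
```

In the sample, target1's third partition produced an empty object, so target1 is held back and only target2 gets a phase 2 message; the alternative, treating the empty result as "no open ports", would quietly cut a third of target1's port space out of the detailed pass.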