Simple Multi-Target Reconnaissance (AWS)

Simple Multi-Target Reconnaissance uses AWS infrastructure to run network reconnaissance against many targets in parallel. Fanning the work out across managed services cuts the wall-clock time of a large scan and lets capacity scale with the size of the target list.

[Figure: AWS architecture diagram showing the flow from Heph4estus through Step Functions, SQS, ECS, and monitoring services]

Workflow Overview

1. Scan Initiation

  • User runs the producer application, specifying a file with target IP addresses and optional Nmap parameters
  • Producer reads targets.txt containing entries like "uber.com -sV"

2. Producer Processing

  • Parses input file, extracting target addresses and scan options
  • Structures data into ScanTarget JSON objects
  • Aggregates targets into a StepFunctionInput structure
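The producer side of steps 1 and 2, as an added example written for this page rather than code from the project: it reads the contents of a targets.txt, splits each line into a target and its Nmap options, validates both, and aggregates the survivors into a StepFunctionInput ready to be marshalled for Step Functions. The type names ScanTarget and StepFunctionInput come from the workflow; their JSON field names, the allowedOptions allowlist, the portSpec pattern and the sample file are assumptions made for the example. The security point is the allowlist: because the consumer passes these tokens straight to Nmap inside the container, the producer should admit only reviewed flags and reject the rest (output-file and script flags, for instance) before anything reaches the queue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// ScanTarget is the per-target JSON object the producer builds.
// The type name is the workflow's; the field names are assumed here.
type ScanTarget struct {
	Target  string   `json:"target"`
	Options []string `json:"options"`
}

// StepFunctionInput aggregates every ScanTarget for one state-machine run.
type StepFunctionInput struct {
	Targets []ScanTarget `json:"targets"`
}

// allowedOptions is a hypothetical operator-maintained allowlist. Tokens are
// handed to nmap unchanged by the consumer, so only reviewed flags pass.
var allowedOptions = map[string]bool{
	"-sV": true, "-sS": true, "-Pn": true, "-T4": true,
}

// portSpec matches the attached form of a port selection, e.g. "-p80,443".
var portSpec = regexp.MustCompile(`^[0-9][0-9,-]*$`)

func allowedOption(o string) bool {
	if allowedOptions[o] {
		return true
	}
	return strings.HasPrefix(o, "-p") && portSpec.MatchString(o[2:])
}

// validTarget accepts an IP literal or a plain hostname and rejects tokens
// that nmap would read as an option or that contain path characters (the
// target later becomes part of an S3 key).
func validTarget(t string) bool {
	if t == "" || strings.HasPrefix(t, "-") {
		return false
	}
	if net.ParseIP(t) != nil {
		return true
	}
	for _, r := range t {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !isAlnum && r != '.' && r != '-' {
			return false
		}
	}
	return true
}

// ParseTargets converts targets.txt contents, one "target [options...]" per
// line, into a StepFunctionInput. Bad lines are skipped and reported so one
// malformed entry does not abort the whole batch.
func ParseTargets(contents string) (StepFunctionInput, []error) {
	var in StepFunctionInput
	var errs []error
	for n, line := range strings.Split(contents, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		target, opts := fields[0], fields[1:]
		if !validTarget(target) {
			errs = append(errs, fmt.Errorf("line %d: invalid target %q", n+1, target))
			continue
		}
		bad := ""
		for _, o := range opts {
			if !allowedOption(o) {
				bad = o
				break
			}
		}
		if bad != "" {
			errs = append(errs, fmt.Errorf("line %d: option %q is not on the allowlist", n+1, bad))
			continue
		}
		in.Targets = append(in.Targets, ScanTarget{Target: target, Options: opts})
	}
	return in, errs
}

// EncodeInput serializes the aggregated input for the Step Functions request.
func EncodeInput(in StepFunctionInput) ([]byte, error) {
	return json.Marshal(in)
}

// sampleTargets is a constructed targets.txt, not data from the project.
const sampleTargets = `# constructed sample
uber.com -sV
10.0.0.5 -sS -p80,443
--script=vuln -sV
192.0.2.7 -sV -oN /tmp/out`

func main() {
	in, errs := ParseTargets(sampleTargets)
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
	b, _ := EncodeInput(in)
	fmt.Println(string(b))
}
```

Of the four sample lines, two are rejected: one whose "target" is itself an option, and one carrying an output-file flag that is not on the allowlist. Treating "-p" only in its attached form ("-p80,443") keeps every option a single token, which is what makes a token-level allowlist sufficient.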

3. Step Functions Execution

  • Producer invokes AWS Step Functions with the list of scan targets
  • Creates a workflow execution using the nmap-scanner state machine
  • Processes targets in parallel with a maximum concurrency of 10

4. Queue Population

  • EnqueueTask state sends a message to SQS for each target
  • Messages contain target address and Nmap options in JSON format
  • SQS stores messages with a 15-minute visibility timeout

5. ECS Task Launch

  • Step Functions triggers an ECS task for each SQS message
  • Tasks run in Fargate containers with the scanner image from ECR
  • Containers are placed in a private subnet with internet access via NAT gateway

6. Consumer Processing

  • Container runs the consumer application, which:
    • Polls SQS to retrieve a scan task message
    • Unmarshals the JSON to extract the target and options
    • Executes Nmap with the specified parameters against the target

7. Scan Execution

  • Nmap performs the network scan on the target using specified options
  • Output and errors are captured by the consumer application

8. Result Persistence

  • Consumer creates a ScanResult object with target info, scan output, and timestamp
  • Result is serialized to JSON and uploaded to S3
  • S3 object key follows the pattern: scans/{target}_{timestamp}.json
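The consumer side of steps 6 through 8, as an added example written for this page rather than the project's own code: it decodes an SQS message body into a task, builds the ScanResult and derives the scans/{target}_{timestamp}.json key. The type name ScanResult and the key pattern are the workflow's; the ScanTask type, all JSON field names, the timestamp layout and the sample message are assumptions made for the example (the Nmap run itself is replaced by stand-in output). Two defensive details are worth noting: the decoder rejects unknown fields and an empty target, so a malformed message is dropped rather than scanned, and the target is sanitized before it becomes part of the object key, so queue contents cannot place the result outside the scans/ prefix.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// ScanTask is the body of one SQS message (type and field names assumed).
type ScanTask struct {
	Target  string   `json:"target"`
	Options []string `json:"options"`
}

// ScanResult is the object the consumer uploads to S3. The type name is the
// workflow's; the fields are assumed for this example.
type ScanResult struct {
	Target    string    `json:"target"`
	Options   []string  `json:"options"`
	Output    string    `json:"output"`
	Error     string    `json:"error,omitempty"`
	Timestamp time.Time `json:"timestamp"`
}

// DecodeTask unmarshals a message strictly: unknown fields and a missing
// target are errors, so a malformed message is dropped instead of being
// turned into a scan of an empty target.
func DecodeTask(body string) (ScanTask, error) {
	dec := json.NewDecoder(strings.NewReader(body))
	dec.DisallowUnknownFields()
	var t ScanTask
	if err := dec.Decode(&t); err != nil {
		return ScanTask{}, err
	}
	if t.Target == "" {
		return ScanTask{}, errors.New("message has no target")
	}
	return t, nil
}

// unsafeKeyChars covers everything we do not want in the target part of the
// key; "/" in particular, since the target comes from the queue and must not
// be able to move the object outside the scans/ prefix.
var unsafeKeyChars = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// ResultKey builds the scans/{target}_{timestamp}.json key from the workflow.
func ResultKey(target string, ts time.Time) string {
	safe := unsafeKeyChars.ReplaceAllString(target, "_")
	if safe == "" {
		safe = "unknown"
	}
	return fmt.Sprintf("scans/%s_%s.json", safe, ts.UTC().Format("20060102T150405Z"))
}

// BuildResult records both the output and any execution error, so a failed
// scan still leaves a record in S3 instead of vanishing silently.
func BuildResult(task ScanTask, output string, runErr error, ts time.Time) ScanResult {
	r := ScanResult{Target: task.Target, Options: task.Options, Output: output, Timestamp: ts.UTC()}
	if runErr != nil {
		r.Error = runErr.Error()
	}
	return r
}

// sampleMessage is a constructed SQS body, not captured project data.
const sampleMessage = `{"target":"uber.com","options":["-sV"]}`

func main() {
	task, err := DecodeTask(sampleMessage)
	if err != nil {
		fmt.Println("dropping message:", err)
		return
	}
	now := time.Now()
	// The nmap execution is omitted; stand-in output takes its place.
	res := BuildResult(task, "Nmap scan report (stand-in output)", nil, now)
	b, _ := json.Marshal(res)
	fmt.Println(ResultKey(task.Target, now))
	fmt.Println(string(b))
}
```

Deleting the SQS message only after the upload succeeds (step 9) is what makes the 15-minute visibility timeout useful: if the container dies between the scan and the upload, the message becomes visible again and another task retries it.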

9. Task Completion

  • After successful S3 upload, consumer deletes the message from SQS
  • Container completes its task and terminates
  • Step Functions marks that branch of the workflow as complete

10. Error Handling

  • CloudWatch captures logs from ECS tasks for troubleshooting
  • Error metrics are collected and can trigger alerts