Single Target Distributed Reconnaissance (AWS)

Single Target Distributed Reconnaissance leverages AWS cloud infrastructure to perform efficient, scalable network reconnaissance on a single target by distributing the workload across multiple partitions. This approach significantly reduces the time required for comprehensive scans of large port ranges while maintaining high efficiency and scalability.

AWS architecture diagram showing the flow from Heph4estus through Step Functions, SQS, ECS, and partitioned scanning tasks

Architecture diagram showing AWS services integration for Single Target Distributed reconnaissance with port range partitioning

Workflow Overview

1. Scan Initiation

  • User runs the producer application, specifying a single target, optional Nmap parameters, and the number of partitions

2. Port Range Calculation

  • The producer calculates port ranges to scan based on the requested number of partitions
  • For example, a full port scan (1-65535) with 3 partitions would be divided as:
    • Partition 1: ports 1-21845
    • Partition 2: ports 21846-43690
    • Partition 3: ports 43691-65535

3. Producer Processing

  • The producer creates multiple ScanTarget JSON objects, one for each partition
  • Each object contains the same target but with different port ranges in the options

4. Step Functions Execution

  • The producer invokes AWS Step Functions, passing the list of partitioned scan targets
  • The workflow processes all partitions in parallel, enabling concurrent scanning of different port ranges

5. Queue Population

  • For each partition, the EnqueueTask state sends a message to SQS
  • Each message contains the target address and Nmap options with its specific port range
  • The queue now contains multiple messages for the same target but different port ranges

6. ECS Task Launch

  • Step Functions triggers an ECS task for each partitioned SQS message
  • Each partition runs in its own container with the scanner image from ECR
  • All containers target the same host but scan different port ranges

7. Consumer Processing

  • Each container's consumer application:
    • Retrieves its assigned partition message from SQS
    • Unmarshals the JSON to extract the target and port-specific options
    • Executes Nmap with the specified port range parameters

8. Scan Execution

  • Each container runs Nmap on the same target but scans only its assigned port range
  • This distributes the scanning load and reduces the time needed for a complete scan

9. Result Persistence

  • Each container creates a ScanResult object with its partition results
  • Results are uploaded to S3 with keys that include the partition information

10. Task Completion

  • Each container completes its partition scan, uploads results, and terminates
  • Step Functions tracks completion of all partition scans

11. Error Handling

  • CloudWatch captures logs from the ECS tasks for troubleshooting
  • Automated retry mechanisms handle transient failures