A comprehensive Go-based nmap scanner agent designed for cyber defense competitions. Features parallel scanning, UDP detection, vulnerability scripts, IP rotation, and automatic result caching.
- Features
- Prerequisites
- Installation
- Configuration
- Usage
- Enabling Parallel Mode
- Ports and Scripts
- Troubleshooting
- Parallel scanning - Run multiple scans concurrently with worker pool
- TCP + UDP - Comprehensive coverage including DNS, SNMP, TFTP
- 170+ ports - All common services, databases, web apps, Windows services
- NSE vulnerability scripts - Detect EternalBlue, Heartbleed, anonymous FTP, empty passwords
- OS detection - Identify operating systems
- Service version detection - Identify software versions
- Result caching - Never lose data if upload fails
- Automatic retry - Configurable retry attempts for uploads
- Cached result recovery - Automatically uploads cached results on startup
- Adaptive timing - Automatically slows down if hosts are missed
- IP rotation - Change source IP between scans (with runner.sh)
- Stealth mode - Optional decoy scanning
- Linux (tested on Ubuntu 22.04/24.04, Debian 12, Kali)
- Go 1.21 or later

```bash
# Check if installed
go version
# If not installed (Ubuntu/Debian):
wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
source ~/.bashrc
```

- nmap

```bash
# Ubuntu/Debian
sudo apt update && sudo apt install -y nmap
# Verify
nmap --version
```

- Root access (required for SYN scans and IP rotation)

```bash
# Create directory
sudo mkdir -p /opt/nmap-agent
cd /opt
# Extract (assuming zip is in current directory)
sudo unzip nmap-agent-improved.zip
sudo mv nmap-agent-improved/* /opt/nmap-agent/
cd /opt/nmap-agent
```

```bash
# Download dependencies
go mod tidy
# Build the binary
go build -o nmap-agent-improved
# Verify it built
ls -la nmap-agent-improved
```

```bash
# Copy example config
cp env_example .env
# Edit configuration
nano .env
```

Minimum required configuration in `.env`:

```bash
API_USER=scanner
API_PASS=your_secure_password
API_URL_BASE=http://YOUR_DASHBOARD_IP:8080
```

Before the agent can connect, you need to create a user account on the dashboard:
- Log into the NMAP Dashboard as admin
- Go to Users page
- Click + Add User
- Fill in:
  - Username: `scanner` (or whatever you set in API_USER)
  - Password: (whatever you set in API_PASS)
  - Roles: Enable Scanner checkbox
  - Activate immediately: Yes
- Click Create

```bash
# Run a single scan to test
sudo ./nmap-agent-improved
# You should see:
# [*] Authentication successful
# [+] Got job: xxx-xxx (range: 10.x.x.x/24, team: Team Name)
# [*] Starting TCP scan...
# ...
```

```bash
# Make runner executable
chmod +x runner.sh
# Run with IP rotation
sudo ./runner.sh
# Or run with parallel mode AND IP rotation
sudo PARALLEL_MODE=true ./runner.sh
```

| Variable | Description | Example |
|---|---|---|
| `API_USER` | Scanner username | scanner |
| `API_PASS` | Scanner password | SecurePass123 |
| `API_URL_BASE` | Dashboard URL (no trailing slash) | http://10.255.252.10:8080 |
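
A preflight check for the three required settings, as an added Go example (not the agent's own code): it parses `.env` text and reports missing values, the placeholder password from the minimum configuration, and a trailing slash on `API_URL_BASE`. The function names `parseEnv` and `checkEnv` and the sample input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseEnv reads KEY=VALUE lines from .env text, skipping blanks and # comments.
func parseEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			env[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return env
}

// checkEnv returns one message per setting that would stop the agent authenticating.
func checkEnv(env map[string]string) []string {
	var problems []string
	for _, k := range []string{"API_USER", "API_PASS", "API_URL_BASE"} {
		if env[k] == "" {
			problems = append(problems, k+" is required")
		}
	}
	if env["API_PASS"] == "your_secure_password" {
		problems = append(problems, "API_PASS is still the placeholder from the example")
	}
	base := env["API_URL_BASE"]
	u, err := url.Parse(base)
	switch {
	case base == "": // already reported as missing
	case err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https"):
		problems = append(problems, "API_URL_BASE must be an http(s) URL with a host")
	case strings.HasSuffix(base, "/"):
		problems = append(problems, "API_URL_BASE must not end with a slash")
	}
	return problems
}

func main() {
	sample := "API_USER=scanner\nAPI_PASS=your_secure_password\nAPI_URL_BASE=http://10.255.252.10:8080/\n" // constructed
	for _, p := range checkEnv(parseEnv(sample)) {
		fmt.Println("[!]", p)
	}
}
```
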

| Variable | Default | Description |
|---|---|---|
| `SCAN_TIMEOUT` | `10` | Minutes before scan times out |
| `ENABLE_UDP` | `true` | Scan UDP ports (DNS, SNMP, etc.) |
| `ENABLE_SCRIPTS` | `true` | Run NSE vulnerability scripts |
| `STEALTH_MODE` | `false` | Use decoy IPs |
| `ADAPTIVE_TIMING` | `true` | Retry slower if few hosts found |

| Variable | Default | Description |
|---|---|---|
| `MAX_PARALLEL` | `3` | Number of concurrent scans |

| Variable | Default | Description |
|---|---|---|
| `RETRY_ATTEMPTS` | `3` | Times to retry failed uploads |
| `RETRY_DELAY` | `5` | Seconds between retry attempts |
| `CACHE_DIR` | `/tmp/nmap-agent-cache` | Where to cache results |
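
One way the retry, cache and startup-recovery settings above can fit together, as an added Go example rather than the agent's actual implementation. The upload function is injected as a stand-in for the dashboard call, and `retry`, `submit`, `recoverCache` and the `<jobID>.json` file naming are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// retry calls upload up to attempts times (RETRY_ATTEMPTS), waiting delay (RETRY_DELAY) between tries.
func retry(upload func([]byte) error, p []byte, attempts int, delay time.Duration) error {
	for i := 1; ; i++ {
		err := upload(p)
		if err == nil || i >= attempts {
			return err
		}
		time.Sleep(delay)
	}
}

// submit uploads a result; if every retry fails it is cached in dir (CACHE_DIR), owner-only.
func submit(upload func([]byte) error, dir, jobID string, p []byte, attempts int, delay time.Duration) (cached bool, err error) {
	if retry(upload, p, attempts, delay) == nil {
		return false, nil
	}
	if err = os.MkdirAll(dir, 0o700); err != nil {
		return false, err
	}
	// filepath.Base keeps a server-supplied job ID inside the cache directory.
	return true, os.WriteFile(filepath.Join(dir, filepath.Base(jobID)+".json"), p, 0o600)
}

// recoverCache runs at startup: re-upload each cached result and delete it on success.
func recoverCache(upload func([]byte) error, dir string, attempts int, delay time.Duration) (sent int) {
	files, _ := filepath.Glob(filepath.Join(dir, "*.json"))
	for _, f := range files {
		data, err := os.ReadFile(f)
		if err == nil && retry(upload, data, attempts, delay) == nil && os.Remove(f) == nil {
			sent++
		}
	}
	return sent
}

func main() {
	down := func([]byte) error { return fmt.Errorf("dashboard unreachable") } // constructed failure
	fmt.Println(submit(down, filepath.Join(os.TempDir(), "nmap-agent-demo"), "abc-123", []byte(`{}`), 2, time.Second))
}
```

The default `CACHE_DIR` sits under world-writable `/tmp` while the agent runs as root, so pointing `CACHE_DIR` at a root-owned directory keeps other local users from reading cached findings or pre-creating the path.
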

| Variable | Default | Description |
|---|---|---|
| `INTERFACE` | `eth0` | Network interface for IP rotation |
| `GATEWAY` | `10.255.252.254` | Default gateway |
| `PARALLEL_MODE` | `false` | Enable parallel scanning |
| `SLEEP_BETWEEN_SCANS` | `0` | Seconds to wait between scans |
| `LOG_FILE` | `/var/log/nmap-agent-rotation.log` | Log file path |

Run one scan and exit. Good for testing.

```bash
sudo ./nmap-agent-improved
```

Process all available jobs using a worker pool. Scans multiple teams simultaneously.

```bash
sudo ./nmap-agent-improved -p
```

Run scans continuously without IP rotation.

```bash
sudo ./nmap-agent-improved -c
```

The runner.sh script handles continuous scanning with IP rotation between each scan.

```bash
# Single scan mode with IP rotation
sudo ./runner.sh
# Parallel mode with IP rotation (RECOMMENDED)
sudo PARALLEL_MODE=true ./runner.sh
```

```bash
./nmap-agent-improved -h
```

There are three ways to enable parallel scanning:

```bash
sudo PARALLEL_MODE=true ./runner.sh
```

Change line 11 from:

```bash
PARALLEL_MODE="${PARALLEL_MODE:-false}"
```

To:

```bash
PARALLEL_MODE="${PARALLEL_MODE:-true}"
```

```bash
# Without IP rotation
sudo ./nmap-agent-improved -p
# With IP rotation (manual)
sudo ./nmap-agent-improved -p && rotate_ip.sh
```

- Standard: 21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445
- Email: 465, 587, 993, 995
- Databases: 1433, 1521, 3306, 5432, 6379, 27017, 9042, 9200
- Remote Access: 3389, 5900-5902, 5985-5986
- Web/Apps: 8080, 8443, 8000, 8888, 9000, 9090, 10000
- Windows/AD: 88, 389, 464, 636, 3268, 3269
- Containers: 2375, 2376, 6443, 10250
- 53 (DNS), 67-68 (DHCP), 69 (TFTP), 123 (NTP)
- 161-162 (SNMP), 500 (IKE), 514 (Syslog)
- 1194 (OpenVPN), 1812-1813 (RADIUS)

| Script | Detects |
|---|---|
| `ftp-anon` | Anonymous FTP access |
| `mysql-empty-password` | Empty MySQL root password |
| `ms-sql-empty-password` | Empty MSSQL sa password |
| `redis-info` | Unauthenticated Redis |
| `mongodb-databases` | Unauthenticated MongoDB |
| `smb-vuln-ms17-010` | EternalBlue vulnerability |
| `smb-vuln-ms08-067` | Conficker vulnerability |
| `ssl-heartbleed` | Heartbleed vulnerability |
| `http-shellshock` | Shellshock vulnerability |

- Check that teams exist in the dashboard with valid IP ranges
- Verify the scanner user has the "scanner" role
- Check the Jobs page to see if jobs are being created
- Verify credentials in `.env` match the dashboard user
- Check that the user is active in the dashboard
- Ensure `API_URL_BASE` is correct (no trailing slash)
- Test connectivity: `curl http://DASHBOARD_IP:8080/health`

- Ensure nmap is installed: `which nmap`
- Verify you're running as root
- Check if the target network is reachable: `ping 10.1.1.1`
- Try increasing `SCAN_TIMEOUT=15`
- Try disabling UDP: `ENABLE_UDP=false`

- Check the agent's output for errors
- Verify the job shows as "complete" in the Jobs page
- Check for cached results: `ls /tmp/nmap-agent-cache/`
- Check dashboard server logs

- Disable UDP: `ENABLE_UDP=false`
- Disable scripts: `ENABLE_SCRIPTS=false`
- Increase parallel workers: `MAX_PARALLEL=5`

- Verify running as root
- Check interface name: `ip link show`
- Verify gateway is correct for your network
- Check logs: `tail -f /var/log/nmap-agent-rotation.log`

```
_ _ __ __ _____ _
| \ | | \/ | /\ | __ \ /\ | |
| \| | \ / | / \ | |__) | / \ __ _ ___ _ __ | |_
...
[*] Configuration:
API URL: http://10.255.252.10:8080
Max Parallel: 3
Scan Timeout: 10 min
UDP Scanning: true
NSE Scripts: true
[*] Authentication successful
[+] Got job: abc-123 (range: 10.1.1.0/24, team: Team Alpha)
[*] Starting TCP scan...
[*] Starting UDP scan...
[+] Scan complete: 7 hosts, 42 open ports in 124.5s
10.1.1.1 (Windows Server 2019): 22/tcp, 135/tcp, 445/tcp, 3389/tcp
[!] VULN 10.1.1.1:445 - smb-vuln-ms17-010: VULNERABLE
10.1.1.10 (Ubuntu 20.04): 22/tcp, 80/tcp, 3306/tcp
[!] VULN 10.1.1.10:3306 - mysql-empty-password: root has empty password
[+] Results uploaded successfully
[*] === Session Statistics ===
Runtime: 2m15s
Total Scans: 1
Successful: 1
Hosts Found: 7
Ports Found: 42
```

BSD 2-Clause License