Thursday, January 10, 2013

Distributed Port Scanning: Creating an Nmap Cluster Using DNmap


When performing a security engagement, the information gathered from port scanning is crucial. However, these scans can take a substantial amount of time when we set a reasonable timeout in an attempt to be thorough. So what happens when we need to scan a large number of hosts? Say, an entire continent? We need a way to distribute the bandwidth load across multiple hosts in parallel. Fortunately, a tool has been developed that lets us create and manage a cluster of hosts, each with its own bandwidth dedicated to port scanning.

What is DNmap?

Created by Sebastian Garcia in 2009 using the Twisted Python framework, DNmap provides the ability to create a distributed Nmap scanning network using a standard client-server architecture. DNmap is included by default in BackTrack, and can be installed easily on any system that has Python.

Note: Before you install and run DNmap, keep in mind that clients will execute any Nmap command given to them. DNmap was not designed to completely prevent abuse from the server host, so ensure that you trust the server you connect to!
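The note above says a client runs whatever Nmap command the server hands it. As an added example (not part of DNmap or the original post), here is one way a client operator could vet a command line against a local policy before running it; the allowed options, the `192.0.2.0/24` scope and the function name `vet_command` are assumptions.

```python
import ipaddress

# Assumed policy for this example: the only options the operator accepts.
ALLOWED_FLAGS = {"-sS", "-sT", "-sV", "-Pn", "-n", "-T3", "-T4"}
ALLOWED_WITH_VALUE = {"-p"}  # option that takes one following value
# Characters a shell would interpret, in case the line ever reaches one.
SHELL_META = set(";|&`$<>(){}\\\n\"'*?!")
# Constructed engagement scope (RFC 5737 documentation range).
SCOPE = [ipaddress.ip_network("192.0.2.0/24")]

def vet_command(line, scope=SCOPE):
    """Return (ok, reason) for one command line received from a server."""
    if any(ch in SHELL_META for ch in line):
        return False, "shell metacharacter"
    tokens = line.split()
    if not tokens or tokens[0] != "nmap":
        return False, "not an nmap invocation"
    targets, i = [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_WITH_VALUE:
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not value.replace("-", "").replace(",", "").isdigit():
                return False, "bad value for " + tok
            i += 2
        elif tok.startswith("-"):
            if tok not in ALLOWED_FLAGS:  # rejects --script, -iL, -oN, ...
                return False, "option not allowed: " + tok
            i += 1
        else:
            targets.append(tok)
            i += 1
    if not targets:
        return False, "no target"
    for t in targets:
        try:  # deliberately strict: hostnames and Nmap range syntax are refused
            net = ipaddress.ip_network(t, strict=False)
        except ValueError:
            return False, "target is not an IP or CIDR: " + t
        if not any(net.subnet_of(s) for s in scope if net.version == s.version):
            return False, "target out of scope: " + t
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample lines, not taken from the page.
    for sample in ("nmap -sS -p 1-1000 192.0.2.10",
                   "nmap -sV --script http-enum 192.0.2.10"):
        print(sample, "->", vet_command(sample))
```

The policy is an allowlist, so any option it does not name is refused rather than matched against a list of known-bad flags.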

Installing DNmap

DNmap requires Nmap, Python 2.7, and the following libraries to be installed:

  • python-twisted
  • python-openssl

Though DNmap comes installed by default in BackTrack, here's how to install it on a Debian-based system (in this case, Ubuntu):

From here, all files are in the dnmap_v0.6/ directory.

DNmap Usage and Example

The DNmap architecture looks like the following:

For our example, we will consider the following topology:

As with any client/server architecture, we first need to set up the server. Let's take a look at the usage:

As you can see, the server requires a file containing our Nmap commands to run. Let's use the following file called "commands.txt":

To show the ability to schedule multiple jobs, we add multiple Nmap commands to our file. Since we only have one target host, we are simply going to split up the port ranges between jobs. If we had more than one client in our cluster, these jobs would be distributed among the hosts, and it would be difficult for the target host administrator to tell that one attacker was behind the port scan.

So, with our Nmap commands file in place, let's start up the server:

With our server started up and waiting for clients, let's take a quick look at the client usage:

It looks like all we need to provide is a server address, port number, and an alias (or name) for our client. Let's call our client "minion1", connect to the server, and start running commands.

Back on the server, we see the following status:

It looks like all of the commands have completed. The results by default are stored in a folder called nmap_results/. We can see that the results have indeed been sent back to our server.

Hopefully this short tutorial showed how to use DNmap and how helpful it is to distribute Nmap commands across multiple clients. It's also important to note that you can always create multiple servers to host multiple clients.

A big thanks goes out to Sebastian for taking the time to create such a helpful tool. As always, if you ever have any questions or comments, let me know below!

- Jordan


  1. Hi Jordan! Thanks a lot for the article, I'm glad you like the tool. And I really like your logo! Where did it come from? It is really cool.
    Thanks a lot
    sebas garcia

    1. Hey Sebastian, thanks for the comment!

      I'm glad you enjoyed the article! I actually created the logo for the purposes of the article. Feel free to use it/modify it as you'd like!

  2. Yes I like it! Now you can find it on and in . Thanks a lot for letting me use it.

  3. Great information about port scanner! I was looking for something like this and I am so glad that I finally found it. Thanks for sharing your information. Here is another website where I got all the tools that really help me to know the status of my website. Thanks
    port scanner