Skip to content

Scanning your external attack surface with Ostorlab Open-Source Scanner

Agent Builder

External attack surface is often the first vulnerable layer of any organization. An attacker on the other side of the world can wreak havoc and cause considerable damage if your internet facing infrastructure is not secure.

Checking the vulnerability of your attack surface is however be time and energy consuming. It requires keeping up with the latest risks, maintaining an up-to-date inventory and proper tooling.

While the open-source community provide several tool to help with the task, one might is often quickly overwhelmed with the sheer and often the not so optimal user-experience.

The journey starts by installing these tools one by one, each requiring specific dependencies and environments with sometimes very long configuration steps.

Options are not often explicit and understanding the concept and terminology of each is always a daunting task.

Once you are set up, begins a swarm of output formats and risk rating.

Thankfully Ostorlab is here to help and make the task of using the best tooling of what the open-source community has to offer simple, coherent and even fun.

But before we dig into Ostorlab’s capabilities, let's go over some of the best open-source network security scanning tools:

Nmap: “Free and open source tool for network discovery and security auditing.”. It’s known for being fast and flexible, can scan individual IPs, ranges and full subnets and comes with a variety of features.

Nuclei: “Fast and customizable vulnerability scanner”. Based on yaml DSL (domain specific language).The DSL has a human-readable format, with rich templates for the detection of vulnerabilities.

Tsunami: “A general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.“. Tsunami scanner focuses on detecting RCE-like vulnerabilities with high confidence and minimal false-positive rate.

Openvas: “A full-featured vulnerability scanner.“ is a free open-source scanner backed by a large knowledge base of vulnerabilities and CVEs. It is a fork of the then open-source Nessus Security Scanner.


Running each separately and combining results is not the most straight forward experience. Each is built in different languages, making sure you have the latest version with the latest detection rules is not always easy.

Ostorlab simplifies the task with very few commands and little requirements.


To install ostorlab, the only requirement is to have Docker installed and the Python package manager (pip). Simply run:

pip install -U ostorlab

Ostorlab is built to run on all operating system, from Linux, MacOS to Windows. Ostorlab will also check the docker access and alert you of any issues.

Ostorlab also maintains all the tools we mentioned on a dedicated store and handles updates and upgrades automatically.

Running a Scan

To perform a scan that targets an IP address with the open-source tools we listed OpenVas, Nmap, Tsunami and Nuclei, use the following command:

ostorlab scan run --install \
--agent  agent/ostorlab/nmap \
--agent agent/ostorlab/tsunami \
--agent agent/ostorlab/nuclei \
--agent agent/ostorlab/openvas \
ip <ip-address>

Ostorlab Scan Run command

To unpack the command:

--install: Will pull the listed the latest version of the agents from the ostorlab store and install them on your machine. Agents are nothing but container images and can easily deleted.

--agent : Specifies the agent to use. Other agents can be accessed on the store with you can find helpful documentation, a builder tool for agent group, more on that later on).

You can also add the --follow flag:

--follow : Enables following the agent logs.

ostorlab scan run \
--agent agent/ostorlab/nmap \
--agent agent/ostorlab/tsunami \
--follow agent/ostorlab/nmap \
ip <ip-address>

Monitoring Scan Progress

To display the progress of the scans, run the following command:

ostorlab scan list 

Once a scan has completed, you should see a Done in the progress column.

Access Vulnerabilities Details

To list identified vulnerabilities use the following command:

ostorlab vulnz list -s <scan-id>

And to access vulnerability details, use the describe option:

ostorlab vulnz describe -v <vuln-id>


Hopefully you can have appreciated that Ostorlab external attack surface less of headache. This is barely an introduction to what you can do with it as Ostorlab is built to support scanning all asset types and cover all vulnerability categories, from simple configuration issues, to web API scanning to running a full-blown dynamic analysis environment.

For more details on how to run your first scan, check out this tutorial, and for more information on how to build your first agent, you can also check out this tutorial.

If you are curious about all the new features part of Ostorlab open-source release, you can learn more in our blog post.