WingSpan Agent Scanner
WingSpan is Hawkra's built-in network reconnaissance tool. It performs comprehensive network scanning using Nmap to discover hosts, open ports, running services, and operating systems across your target networks. Scan results automatically create and update assets and ports within your workspace, keeping your inventory current without manual data entry.
How It Works
WingSpan executes Nmap scans against the targets defined in a network's CIDR range. When you start a scan, Hawkra creates a background scan job that runs the appropriate Nmap commands based on your selected profile and configuration. As the scan progresses, results stream back in real time via WebSocket, and discovered hosts and services are automatically created as assets and ports in your workspace.
Each scan runs asynchronously, so you can continue working in Hawkra while the scan executes. Progress updates include the current percentage complete and which host is being scanned.
Scan Profiles
WingSpan provides five built-in scan profiles, each tailored to different reconnaissance needs:
| Profile | Description | Best For |
|---|---|---|
| Quick | Fast scan of the most common ports. Minimal probing for speed. | Initial reconnaissance, large networks, time-constrained assessments. |
| FullTcp | Scans all 65,535 TCP ports on each target. | Thorough port discovery when you need complete coverage. |
| ServiceDetection | Probes open ports to identify the service name and version running on each. | Understanding what software is exposed and finding version-specific vulnerabilities. |
| OsDetection | Uses TCP/IP fingerprinting to identify the operating system of each host. | Asset inventory enrichment, identifying unpatched or end-of-life operating systems. |
| Comprehensive | Combines full port scanning, service detection, OS detection, and NSE scripts. | Full security assessments where maximum detail is required. |
Configuration Options
Beyond selecting a profile, WingSpan offers fine-grained control over how scans are executed.
Port Ranges
You can specify exactly which ports to scan:
- Top 100 -- The 100 most commonly used ports (fast).
- Top 1000 -- The 1,000 most commonly used ports (default for most profiles).
- All Ports -- All 65,535 TCP ports (thorough but slow).
- Custom Range -- Specify your own range, such as
22,80,443,8000-9000.
NSE Script Presets
Nmap Scripting Engine (NSE) scripts extend scanning with additional checks. WingSpan supports four presets:
| Preset | Scripts Included | Use Case |
|---|---|---|
| None | No scripts run. | Pure port/service discovery without additional probing. |
| DefaultOnly | Nmap's default category scripts. | Standard enumeration (banners, common info leaks). |
| DefaultVulnAuth | default, vuln, and auth category scripts. | Vulnerability detection and authentication testing. |
| DefaultVulnSafeAuth | default, vuln, safe, and auth category scripts. | Comprehensive but non-destructive vulnerability and auth testing. |
Timing Templates
Timing templates control how aggressively Nmap sends probes. Lower values are slower but stealthier; higher values are faster but noisier.
| Template | Name | Description |
|---|---|---|
| T0 | Paranoid | Extremely slow. Serialized probes with 5-minute waits. For IDS evasion. |
| T1 | Sneaky | Very slow. 15-second probe intervals. Low chance of detection. |
| T2 | Polite | Slower than normal. Reduces bandwidth usage and target load. |
| T3 | Normal | Default Nmap timing. Balanced between speed and reliability. |
| T4 | Aggressive | Faster scans with shorter timeouts. Good for responsive networks. (WingSpan default) |
| T5 | Insane | Maximum speed. May miss results on slow or lossy networks. |
Advanced Options
- Skip Ping Discovery -- Treat all targets as online without first pinging them. Useful when ICMP is blocked by firewalls.
- Service Name Detection -- Enabled by default. Probes open ports to determine the running service.
- OS Version Detection -- Uses TCP/IP stack fingerprinting to identify the target's operating system.
- Host Timeout -- Maximum time to spend on a single host before moving on (default: 3600 seconds).
- Script Timeout -- Maximum time to allow NSE scripts to run per host (default: 300 seconds).
- Host Exclusions -- A list of IP addresses or ranges to skip during the scan, even if they fall within the network CIDR.
- Custom Port Range -- Override the default port selection with a specific list or range.
Workflow
- Navigate to a workspace and open the Scan tab.
- Select the network you want to scan (the scan will target the network's CIDR range).
- Choose a scan profile that matches your objectives.
- Adjust configuration options if needed (port range, timing, scripts, exclusions).
- Click Start Scan to create the scan job.
- Monitor real-time progress -- the interface shows the current host being scanned and the overall percentage.
- Once the scan completes, review the results. New assets and ports are automatically added to the network.
Scan States
Every scan job passes through a defined lifecycle:
Pending --> Running --> Completed
\--> Failed
\--> Cancelled
| State | Meaning |
|---|---|
| Pending | The scan job has been created and is queued for execution. |
| Running | Nmap is actively scanning targets. Progress updates are streamed. |
| Completed | The scan finished successfully. All discovered hosts and services have been imported. |
| Failed | The scan encountered an error. Check the error message for details. |
| Cancelled | The scan was manually cancelled by a user before completion. |
Auto-Creation of Assets and Ports
When a scan completes, WingSpan automatically:
- Creates new assets for any hosts discovered that do not already exist in the network.
- Updates existing assets with new information (OS details, MAC addresses) if they are already present.
- Creates port records for each open port found on each asset, including service name, version, and protocol.
The scan results summary shows exactly how many assets and ports were created or updated.
Cancelling a Scan
You can cancel any scan that is in Pending or Running state. Cancelling a running scan stops the Nmap process and marks the job as Cancelled. Any hosts and ports discovered before cancellation are still saved.
To delete a scan record from the history, the scan must first be in a terminal state (Completed, Failed, or Cancelled). Pending and running scans cannot be deleted -- cancel them first.
Real-Time Progress
WingSpan uses WebSocket connections to push scan progress to the browser in real time. While a scan is running, you can see:
- The overall progress percentage.
- Which host is currently being scanned.
- Counts of assets created and updated as they happen.
You do not need to refresh the page to see updates.
For large networks, start with a Quick scan to get an overview of live hosts, then follow up with a ServiceDetection or Comprehensive scan on specific subnets of interest.
Creating and cancelling scans requires the EditAssets permission. Viewing scan history and results requires ViewAssets.
Using T5 (Insane) timing on slow or unreliable networks can cause missed results due to timeouts. For production networks, T3 (Normal) or T4 (Aggressive) provide a good balance between speed and accuracy.