WingSpan Agent Scanner
WingSpan is Hawkra's built-in network reconnaissance tool. It performs comprehensive network scanning using Nmap to discover hosts, open ports, running services, and operating systems across your target networks. Scan results automatically create and update assets and ports within your workspace, keeping your inventory current without manual data entry.
How It Works
WingSpan executes Nmap scans against a network's CIDR range. Results stream back in real time, and discovered hosts and services are automatically created as assets and ports in your workspace.
Scan Profiles
WingSpan provides five built-in scan profiles, each tailored to different reconnaissance needs:
| Profile | Description |
|---|---|
| Quick | Fast scan of the most common ports. Minimal probing for speed. |
| FullTcp | Scans all 65,535 TCP ports on each target. |
| ServiceDetection | Probes open ports to identify service name and version. |
| OsDetection | TCP/IP fingerprinting to identify host operating systems. |
| Comprehensive | Full port scanning, service detection, OS detection, and NSE scripts. |
Configuration Options
Beyond selecting a profile, WingSpan offers fine-grained control over how scans are executed.
Port Ranges
You can specify exactly which ports to scan:
- Top 100 -- The 100 most commonly used ports (fast).
- Top 1000 -- The 1,000 most commonly used ports (default for most profiles).
- All Ports -- All 65,535 TCP ports (thorough but slow).
- Custom Range -- Specify your own range, such as
22,80,443,8000-9000.
NSE Script Presets
Nmap Scripting Engine (NSE) scripts extend scanning with additional checks. WingSpan supports four presets:
| Preset | Scripts Included | Use Case |
|---|---|---|
| None | No scripts run. | Pure port/service discovery without additional probing. |
| DefaultOnly | Nmap's default category scripts. | Standard enumeration (banners, common info leaks). |
| DefaultVulnAuth | default, vuln, and auth category scripts. | Vulnerability detection and authentication testing. |
| DefaultVulnSafeAuth | default, vuln, safe, and auth category scripts. | Comprehensive but non-destructive vulnerability and auth testing. |
Timing Templates
Timing templates control how aggressively Nmap sends probes. Lower values are slower but stealthier; higher values are faster but noisier.
| Template | Name | Description |
|---|---|---|
| T0 | Paranoid | Extremely slow. Serialized probes with 5-minute waits. For IDS evasion. |
| T1 | Sneaky | Very slow. 15-second probe intervals. Low chance of detection. |
| T2 | Polite | Slower than normal. Reduces bandwidth usage and target load. |
| T3 | Normal | Default Nmap timing. Balanced between speed and reliability. |
| T4 | Aggressive | Faster scans with shorter timeouts. Good for responsive networks. (WingSpan default) |
| T5 | Insane | Maximum speed. May miss results on slow or lossy networks. |
Advanced Options
- Skip Ping Discovery -- Treat all targets as online. Use when ICMP is blocked.
- Service Name Detection -- Probe open ports for service identification. Enabled by default.
- OS Version Detection -- TCP/IP stack fingerprinting.
- Host Timeout -- Per-host time limit (default: 3600s).
- Script Timeout -- Per-host NSE script time limit (default: 300s).
- Host Exclusions -- IPs or ranges to skip within the network CIDR.
- Custom Port Range -- Override default port selection.
Workflow
- Navigate to a workspace and open the Scan tab.
- Select the network you want to scan (the scan will target the network's CIDR range).
- Choose a scan profile that matches your objectives.
- Adjust configuration options if needed (port range, timing, scripts, exclusions).
- Click Start Scan to create the scan job.
- Monitor real-time progress -- the interface shows the current host being scanned and the overall percentage.
- Once the scan completes, review the results. New assets and ports are automatically added to the network.
Scan States
Every scan job passes through a defined lifecycle:
Pending --> Running --> Completed
\--> Failed
\--> Cancelled
| State | Meaning |
|---|---|
| Pending | The scan job has been created and is queued for execution. |
| Running | Nmap is actively scanning targets. Progress updates are streamed. |
| Completed | The scan finished successfully. All discovered hosts and services have been imported. |
| Failed | The scan encountered an error. Check the error message for details. |
| Cancelled | The scan was manually cancelled by a user before completion. |
Auto-Creation of Assets and Ports
When a scan completes, WingSpan automatically:
- Creates new assets for any hosts discovered that do not already exist in the network.
- Updates existing assets with new information (OS details, MAC addresses) if they are already present.
- Creates port records for each open port found on each asset, including service name, version, and protocol.
The scan results summary shows exactly how many assets and ports were created or updated.
Cancelling a Scan
You can cancel any scan that is in Pending or Running state. Cancelling a running scan stops the Nmap process and marks the job as Cancelled. Any hosts and ports discovered before cancellation are still saved.
To delete a scan record from the history, the scan must first be in a terminal state (Completed, Failed, or Cancelled). Pending and running scans cannot be deleted -- cancel them first.
Real-Time Progress
WingSpan uses WebSocket connections to push scan progress to the browser in real time. While a scan is running, you can see:
- The overall progress percentage.
- Which host is currently being scanned.
- Counts of assets created and updated as they happen.
You do not need to refresh the page to see updates.