This tool is intended for EDUCATIONAL and DEFENSIVE security purposes only.
AUTHORIZED USE ONLY:
- ✅ Scan networks YOU own
- ✅ Test with explicit written permission
- ✅ Security audits of your own infrastructure
- ❌ DO NOT scan networks without authorization
- ❌ Unauthorized scanning may violate laws (Computer Fraud and Abuse Act, etc.)
By using this tool, you agree:
- You have legal authorization to scan the target network
- You accept full responsibility for your actions
- The author is not liable for misuse
Professional-grade network reconnaissance and vulnerability assessment tool for defensive security operations.
- ✅ Host Discovery - Ping sweep to find active devices
- ✅ Port Scanning - Identify open ports on each host
- ✅ Service Detection - Determine running services
- ✅ OS Fingerprinting - Educated guesses based on service signatures
- ✅ Vulnerability Assessment - Identify common security issues
- ✅ Risk Scoring - Automatic risk level classification
- ✅ MAC Address Resolution - Device vendor identification
- ✅ Comprehensive Reports - Text or JSON output
- ✅ Mitigation Guidance - Actionable security recommendations
# Python 3.6+
python3 --version
# Optional tools for enhanced functionality:
sudo apt install fping arp-scan # Debian/Ubuntu
brew install fping arp-scan # macOS
# Clone repository
git clone https://github.com/lexcellent/network-security-scanner.git
cd network-security-scanner
# Make executable
chmod +x scanner.py
# No dependencies! Pure Python stdlib
# Scan your local network
./scanner.py 192.168.1.0/24
Output:
[*] Performing ping sweep on 192.168.1.0/24...
[+] Found 8 active hosts
[*] Scanning 8 hosts for open ports and services...
[*] Scanning 192.168.1.1...
[*] Scanning 192.168.1.10...
...
./scanner.py 192.168.1.0/24 --output security-report.txt
./scanner.py 192.168.1.0/24 --format json --output report.json
./scanner.py 192.168.1.0/24 --timeout 1
# Scan only 192.168.1.64-127 (a /26 is a 64-address block; no single CIDR covers .100-.199)
./scanner.py 192.168.1.64/26
============================================================
NETWORK SECURITY ASSESSMENT REPORT
============================================================
Scan Date: 2026-04-05 10:53:21
Network: 192.168.1.0/24
Total Hosts Discovered: 8
============================================================
RISK SUMMARY:
Critical: 0
High: 2
Medium: 3
Low: 3
🟠 HOST #1: 192.168.1.1
------------------------------------------------------------
Hostname: router.local
MAC Address: 00:11:22:33:44:55
Vendor: Ubiquiti Networks
OS Guess: Unknown
Risk Level: HIGH
Open Ports: 3
Services:
- 22/tcp: SSH
- 80/tcp: HTTP
- 443/tcp: HTTPS
⚠️ VULNERABILITIES:
- HTTP (port 80): Unencrypted web traffic - use HTTPS
🟢 HOST #2: 192.168.1.10
------------------------------------------------------------
Hostname: umbrel.local
MAC Address: AA:BB:CC:DD:EE:FF
Vendor: Raspberry Pi Foundation
OS Guess: Linux/Unix (SSH, no SMB)
Risk Level: LOW
Open Ports: 2
Services:
- 22/tcp: SSH
- 443/tcp: HTTPS
...
============================================================
MITIGATION RECOMMENDATIONS
============================================================
🟠 HIGH PRIORITY:
- Enable encryption for FTP (use SFTP/FTPS)
- Secure RDP with strong passwords + 2FA
- Configure authentication for Redis/MongoDB
🟡 MEDIUM PRIORITY:
- Enable HTTPS for all web services
- Review unnecessary open ports
- Implement firewall rules
GENERAL RECOMMENDATIONS:
1. Keep all software up-to-date
2. Use strong, unique passwords
3. Enable two-factor authentication where possible
4. Close unnecessary ports and services
5. Implement network segmentation
6. Regular security audits
7. Monitor logs for suspicious activity
============================================================
- Uses fping (fast) or falls back to standard ping
- Checks each IP in CIDR range for ICMP responses
- Compiles list of active hosts
- TCP connect scan on common ports (21, 22, 23, 25, 80, 443, etc.)
- Non-intrusive (no SYN scans or aggressive methods)
- Timeout-based (default 2 seconds per port)
- Maps port numbers to known services
- Identifies HTTP, SSH, FTP, databases, etc.
- Heuristic-based OS guessing
- Based on service combinations (RDP = Windows, SSH only = Linux)
- Checks for unencrypted protocols (Telnet, FTP, HTTP)
- Identifies historically vulnerable services (SMB, RDP without 2FA)
- Flags misconfiguration-prone services (Redis, MongoDB)
- Critical: Telnet or extremely vulnerable services
- High: FTP, RDP, exposed databases
- Medium: HTTP without HTTPS, unnecessary ports
- Low: Properly secured services
- Telnet (port 23): Unencrypted remote access, passwords sent in plaintext
- Fix: Disable Telnet, use SSH (port 22)
- FTP (port 21): Unencrypted file transfer
- Fix: Use SFTP (SSH File Transfer) or FTPS (FTP over TLS)
- RDP (port 3389): Brute-force target, credential stuffing
- Fix: Strong passwords, 2FA, VPN access only
- Redis (port 6379): Often exposed without authentication
- Fix: Bind to localhost, require password
- MongoDB (port 27017): Historically exposed without auth
- Fix: Enable authentication, bind to localhost
- SMB (port 445): EternalBlue, ransomware attacks
- Fix: Patch Windows, disable SMBv1
- HTTP (port 80): Unencrypted web traffic
- Fix: Redirect to HTTPS (443), use TLS certificates
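The connect check, the per-port checks and the risk tiers listed above fit together as a small score-a-host routine. This is an added example, not code from scanner.py: the function names, the tier assigned to each port (taken from the risk-scoring bullets as written) and the OS heuristic are assumptions, so its levels need not match the tool's own report.

```python
import socket

# Port -> (service, tier, fix), transcribed from the lists above.
# Assumption: tiers follow the risk-scoring bullets exactly as written.
CHECKS = {
    23: ("Telnet", "CRITICAL", "Disable Telnet, use SSH (port 22)"),
    21: ("FTP", "HIGH", "Use SFTP or FTPS"),
    3389: ("RDP", "HIGH", "Strong passwords, 2FA, VPN access only"),
    6379: ("Redis", "HIGH", "Bind to localhost, require password"),
    27017: ("MongoDB", "HIGH", "Enable authentication, bind to localhost"),
    445: ("SMB", "HIGH", "Patch Windows, disable SMBv1"),
    80: ("HTTP", "MEDIUM", "Redirect to HTTPS (443), use TLS certificates"),
}
SERVICES = {22: "SSH", 443: "HTTPS", **{p: c[0] for p, c in CHECKS.items()}}
TIERS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

def is_open(host, port, timeout=2.0):
    """TCP connect check: complete the handshake, then close (no SYN scan)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0

def guess_os(open_ports):
    """Heuristic from the list above: RDP = Windows, SSH only = Linux."""
    if 3389 in open_ports:
        return "Windows"
    if 22 in open_ports and 445 not in open_ports:
        return "Linux/Unix (SSH, no SMB)"
    return "Unknown"

def assess(open_ports):
    """Return services, findings and the highest tier among the findings."""
    ports = sorted(set(open_ports))
    findings = [(p, *CHECKS[p]) for p in ports if p in CHECKS]
    risk = max((f[2] for f in findings), key=TIERS.index, default="LOW")
    return {
        "services": {p: SERVICES.get(p, "unknown") for p in ports},
        "os_guess": guess_os(ports),
        "risk": risk,
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed sample: a host exposing SSH, HTTP and Redis.
    report = assess([22, 80, 6379])
    print(report["risk"], report["os_guess"])
    for port, service, tier, fix in report["findings"]:
        print(f"{port}/tcp {service} [{tier}] Fix: {fix}")
```

A host with no matching finding scores LOW, and one critical finding outranks any number of lower ones because the result is the maximum tier, not a sum.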
# Scan your home network
./scanner.py 192.168.1.0/24 --output home-network-audit.txt
# Review report for:
# - Unknown devices (MAC address spoofing, unauthorized access)
# - Open ports you didn't expect
# - Services running by accident
# Scan Umbrel server subnet
./scanner.py 10.21.21.0/24 --output umbrel-security.txt
# Look for:
# - Bitcoin/Lightning node exposure
# - Docker containers with open ports
# - Unnecessary services
# Before going live, scan your server
./scanner.py <server-ip>/32
# Confirm:
# - Only necessary ports open
# - No critical vulnerabilities
# - Services properly configured
# Find all smart home devices
./scanner.py 192.168.1.0/24 --format json > iot-devices.json
# Identify:
# - Smart cameras
# - Voice assistants
# - Smart locks
# - Potentially insecure devices
- Python 3.6+
- Standard library only (no pip install needed)
- fping - Faster ping sweeps
- arp-scan - MAC address vendor lookup (requires root/sudo)
- Root/sudo - For ARP table access
Without optional tools:
- Scanner still works
- Slower ping sweep (standard ping)
- No MAC vendor identification
- ✅ Discover active hosts
- ✅ Identify open TCP ports
- ✅ Detect common services
- ✅ Flag obvious vulnerabilities
- ✅ Provide mitigation advice
- ❌ Exploit vulnerabilities (defensive only)
- ❌ Crack passwords
- ❌ Detailed version fingerprinting (no banner grabbing)
- ❌ UDP scanning
- ❌ Stealth scanning (SYN, ACK, etc.)
- ❌ Replace professional tools (Nmap, Nessus, Metasploit)
For professional penetration testing: Use Nmap, OpenVAS, or commercial tools.
Do:
- Scan networks you own
- Get written permission before scanning others' networks
- Use for educational purposes
- Secure your own infrastructure
- Report vulnerabilities responsibly
Don't:
- Scan networks without authorization
- Use for malicious purposes
- Exploit discovered vulnerabilities without permission
- Share discovered vulnerabilities publicly before responsible disclosure
- Assume you can "just test" someone else's network
- Nmap: More features, stealth scans, OS detection, NSE scripts
- This tool: Educational, simpler, no installation, pure Python
- Nessus: Commercial, CVE database, deep vulnerability scanning
- This tool: Free, basic checks, quick audits
- Metasploit: Exploitation framework, penetration testing
- This tool: Reconnaissance only, no exploitation
When to use this tool:
- Quick network audits
- Learning network security concepts
- Home/small network assessments
- Pre-deployment checks
When to use professional tools:
- Enterprise security audits
- Compliance requirements (PCI-DSS, SOC 2)
- Penetration testing engagements
- Detailed vulnerability analysis
- Cause: Firewall blocking ICMP, network unreachable
- Fix: Check network connectivity, try different subnet
- Cause: ARP table access requires root
- Fix: Run with sudo:
sudo ./scanner.py 192.168.1.0/24
- Cause: Default 2-second timeout per port
- Fix: Reduce timeout: --timeout 1 (may miss slower hosts)
- Cause: Optional tool not installed
- Fix: Install fping or use fallback (automatic)
Relevant Laws (varies by jurisdiction):
- USA: Computer Fraud and Abuse Act (CFAA)
- EU: GDPR, Network and Information Security Directive
- UK: Computer Misuse Act 1990
Key Principles:
- Authorization required before scanning
- "Just checking for vulnerabilities" is NOT a legal defense
- Even accidental scans of wrong networks can have consequences
Recommended reading:
- SANS Institute: "Laws and Ethics in Penetration Testing"
- OWASP: "Code of Ethics"
- EC-Council: "Ethical Hacking Guidelines"
Contributions welcome! Submit pull requests for:
- New vulnerability checks
- Additional service fingerprints
- Performance improvements
- Bug fixes
Guidelines:
- Maintain defensive/educational focus
- No exploitation code
- Document all changes
- Add tests if possible
MIT License - See LICENSE file
Educational Use Disclaimer: This tool is provided for educational purposes. Users are responsible for compliance with all applicable laws and regulations.
lexcellent - Self-hosting enthusiast | Network security learner
- UDP port scanning
- Service version detection (banner grabbing)
- Integration with CVE databases
- Historical scan comparison (detect changes)
- Automated scheduling (cron integration)
- Web dashboard for results
- Export to PDF reports
- Integration with SIEM tools
Scan responsibly. Learn ethically. Secure proactively. 🛡️