#!/usr/bin/env python3
"""
NetWatch - Network EOL Scanner & Security Assessment Tool.
Main entry point for the NetWatch CLI application. Provides network discovery,
banner grabbing, and End-of-Life (EOL) status checking for discovered services.
Usage:
./netwatch.py Launch interactive menu
./netwatch.py --target <CIDR> Scan target directly
./netwatch.py --version Show version and exit
./netwatch.py --help Show help message
Author: NetWatch Team
License: MIT
Python: 3.9+
"""
import argparse
import json
import logging
import os
import shutil
import sys
import signal
import platform
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed
from datetime import datetime
from pathlib import Path
from typing import List, Optional, Dict, Any
# Put the script's own directory first on sys.path so the sibling packages
# (config/, core/, eol/, ui/) resolve even when launched from another cwd.
# Index 0 means it also shadows any same-named package installed site-wide.
sys.path.insert(0, str(Path(__file__).parent))

# Module logger; its level and handlers are configured by setup_logging().
logger = logging.getLogger(__name__)
from rich.console import Console
from rich.progress import Progress
from rich.prompt import Prompt, Confirm
from config.settings import Settings, SCAN_DESCRIPTIONS
from core.scanner import NetworkScanner, ScanResult
from core.port_scanner import PortScanOrchestrator
from core.banner_grabber import BannerGrabber
from core.http_fingerprinter import HttpFingerprinter
from core.nse_scanner import NSEScanner
from core.auth_tester import AuthTester, AuthConfidence
from core.network_utils import get_local_subnet, validate_cidr
from core.findings import FindingRegistry, Finding, Severity
from core.cache_manager import UnifiedCacheManager
from core.cve_checker import CVEChecker, CVECacheBuilder
from core.ssl_checker import run_ssl_checks, get_last_ja3s_match
from core.web_checker import run_web_checks
from core.dns_checker import run_dns_checks
from core.upnp_checker import run_upnp_checks
from core.ftp_checker import run_ftp_checks
from core.ssh_checker import run_ssh_checks
from core.snmp_checker import run_snmp_checks, get_last_sysdescr, parse_sysdescr, SNMP_PORT
from core.smb_checker import run_smb_checks
from core.mdns_checker import run_mdns_discovery
from core.arp_checker import run_arp_checks
from core.baseline import BaselineManager
from core.risk_scorer import RiskScorer
from core.scan_history import ScanHistory
from core.update_manager import UpdateManager
from core.module_manager import ModuleManager, MODULE_REGISTRY
from eol.checker import EOLChecker, EOLStatus, EOLStatusLevel
from eol.cache import CacheManager
from ui.menu import Menu
from ui.display import Display
from ui.export import ReportExporter
def setup_logging(verbose: bool = False) -> None:
    """Configure the root logger for the application.

    Args:
        verbose: When True log at DEBUG, otherwise only WARNING and above.

    Records are written to stderr via a StreamHandler.
    """
    chosen_level = logging.DEBUG if verbose else logging.WARNING
    logging.basicConfig(
        level=chosen_level,
        format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
        handlers=[logging.StreamHandler(sys.stderr)],
    )
def check_privileges() -> bool:
    """Report whether the process runs with root/admin privileges.

    Returns:
        True for an elevated process; False otherwise, including when the
        probe itself fails (e.g. ctypes unavailable), so callers only ever
        degrade gracefully instead of crashing.
    """
    try:
        if platform.system() != 'Windows':
            return os.geteuid() == 0
        import ctypes
        return ctypes.windll.shell32.IsUserAnAdmin() != 0
    except Exception:
        # Any failure of the probe counts as "not privileged".
        return False
def check_scan_readiness() -> List[str]:
    """Report missing data or tools that would degrade a scan.

    Returns a list of human-readable warnings; an empty list means every
    prerequisite is present. Purely advisory — nothing here blocks a scan.
    """
    warnings: List[str] = []
    setup_hint = "run: python3 netwatch.py --setup"

    # 1. nmap must be resolvable on PATH
    if shutil.which("nmap") is None:
        warnings.append("nmap not found — install it first: sudo apt install nmap")

    # 2. EOL cache: any *.json in data/cache/ that is not one of the
    #    bookkeeping/module files counts as a product-slug EOL entry.
    cache_dir = Path(__file__).parent / "data" / "cache"
    non_eol_names = {
        "cache_meta.json", "modules.json", "cve_cache.json", "eol_cache.json",
        "credentials_mini.json", "credentials_full.json",
        "wappalyzer_mini.json", "wappalyzer_tech.json",
        "ja3_signatures.json", "snmp_communities.json",
        "camera_credentials.json",
    }
    has_eol_cache = cache_dir.is_dir() and any(
        f.name not in non_eol_names for f in cache_dir.glob("*.json")
    )
    if not has_eol_cache:
        warnings.append(f"EOL database empty — {setup_hint}")

    # 3. CVE cache: a missing or near-empty (<= 100 bytes) file is unpopulated
    cve_path = cache_dir / "cve_cache.json"
    if not (cve_path.exists() and cve_path.stat().st_size > 100):
        warnings.append(f"CVE database empty — {setup_hint}")

    # 4. Default data modules; a ModuleManager failure counts as "missing"
    modules_missing = True
    try:
        mm = ModuleManager()
        installed = [mm.is_installed(name) for name in ("credentials-mini", "wappalyzer-mini")]
        modules_missing = not all(installed)
    except Exception:
        pass
    if modules_missing:
        warnings.append(f"Default modules not installed — {setup_hint}")

    return warnings
def _print_readiness_warnings(warnings: List[str]) -> None:
    """Print pre-scan readiness warnings in a framed box.

    Tries Rich first and falls back to plain print() if the Rich console
    cannot be created or fails mid-way; prints nothing for an empty list.
    """
    if not warnings:
        return
    rule, thin = "=" * 60, "-" * 60

    def emit_box(emit, title: str, fmt_item, hint: str) -> None:
        # `emit()` with no args prints a blank line for both console.print and print.
        emit()
        emit(rule)
        emit(title)
        emit(thin)
        for w in warnings:
            emit(fmt_item(w))
        emit()
        emit(hint)
        emit(rule)
        emit()

    try:
        emit_box(
            Console().print,
            "[bold yellow]Pre-scan check: missing data detected[/bold yellow]",
            lambda w: f" [yellow][!][/yellow] {w}",
            " Run [bold]'python3 netwatch.py --setup'[/bold] to fix all issues.",
        )
    except Exception:
        # Best-effort fallback without Rich markup.
        emit_box(
            print,
            "Pre-scan check: missing data detected",
            lambda w: f" [!] {w}",
            " Run 'python3 netwatch.py --setup' to fix all issues.",
        )
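def signal_handler(signum, frame):
    """Handle SIGINT: print a cancellation notice and exit with status 0.

    Args:
        signum: Signal number (unused).
        frame: Current stack frame (unused).

    Uses the builtin print() with plain text on purpose: this runs outside
    any Rich console, so markup such as "[yellow]" would be echoed literally.
    """
    print("\n\nScan cancelled.")
    # Exit status 0 is the existing contract for a user-requested cancel.
    sys.exit(0)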
class NetWatch:
"""Main NetWatch application controller.
Coordinates all components: scanning, banner grabbing, EOL checking,
and user interface.
Attributes:
settings: Application configuration
console: Rich console for output
display: Display handler for formatted output
menu: Interactive menu system
scanner: Network scanner instance
banner_grabber: Banner grabbing instance
eol_checker: EOL checking instance
cache: Cache manager for EOL data
last_scan_result: Most recent scan results
last_eol_data: Most recent EOL check results
"""
def __init__(self, args: argparse.Namespace):
    """Initialize NetWatch application.

    Args:
        args: Parsed command line arguments. Read here: no_color, nse,
            check_defaults; others (target, profile, save_baseline) are
            read later through self.args.
    """
    self.args = args
    use_color = not args.no_color

    # UI layer
    self.settings = Settings()
    self.console = Console(color_system="auto" if use_color else None)
    self.display = Display(settings=self.settings, console=self.console, use_color=use_color)
    self.menu = Menu(settings=self.settings, console=self.console)

    # Scan pipeline. NSE is optional (args.nse); default-credential testing
    # is constructed disabled unless args.check_defaults is set, because it
    # attempts logins against discovered services.
    self.scanner = PortScanOrchestrator(settings=self.settings)
    self.banner_grabber = BannerGrabber(settings=self.settings)
    self.nse_scanner = NSEScanner(settings=self.settings) if args.nse else None
    self.auth_tester = AuthTester(settings=self.settings, enabled=args.check_defaults)

    # EOL lookup and reporting
    self.cache = CacheManager(settings=self.settings)
    self.eol_checker = EOLChecker(cache=self.cache, settings=self.settings)
    self.exporter = ReportExporter(settings=self.settings)

    # Security modules
    self.unified_cache = UnifiedCacheManager()
    self.cve_checker = CVEChecker(self.unified_cache)
    self.baseline_manager = BaselineManager()
    self.finding_registry = FindingRegistry()
    self.risk_scorer = RiskScorer()
    self.scan_history = ScanHistory()

    # Results kept between menu actions for recheck/export
    self.last_scan_result: Optional[ScanResult] = None
    self.last_eol_data: Dict[str, Dict[int, EOLStatus]] = {}
    self.last_target: str = ""
    self.nse_results: Dict[str, Any] = {}
    self.auth_results: Dict[str, Any] = {}
    self.last_risk_scores: Dict = {}
    # Guards last_eol_data, which per-host checker threads update.
    self._scan_lock = threading.Lock()

    # SIGINT -> signal_handler (prints a notice and sys.exit(0)). This
    # replaces the default KeyboardInterrupt, so run()'s
    # except-KeyboardInterrupt branch is only reached if this handler is
    # not in effect.
    signal.signal(signal.SIGINT, signal_handler)
    self.has_privileges = check_privileges()
def run(self) -> int:
"""Run the main application loop.
Returns:
Exit code (0 for success)
"""
# Direct target scan mode
if self.args.target:
return self.direct_scan(self.args.target, self.args.profile or "QUICK")
# Show banner
self.display.show_banner()
# Check privileges
if not self.has_privileges:
self.display.show_warning("Running without root/admin privileges - some features may be limited")
# Main menu loop
while True:
try:
choice = self.menu.show_main_menu()
if choice == "1":
self.run_quick_scan()
elif choice == "2":
self.run_full_scan()
elif choice == "3":
self.run_stealth_scan()
elif choice == "4":
self._run_profile_scan("IOT")
elif choice == "5":
self._run_profile_scan("SMB")
elif choice == "6":
self._run_full_assessment_from_menu()
elif choice == "7":
self.run_custom_target()
elif choice == "8":
self.export_report()
elif choice == "9":
self._show_scan_history_menu()
elif choice == "m":
self._show_modules_menu()
elif choice == "s":
self.menu.show_settings()
elif choice == "h":
self.menu.show_help()
elif choice == "q":
self.console.print("\n[green]Goodbye![/green]")
return 0
except KeyboardInterrupt:
self.console.print("\n[yellow]Operation cancelled.[/yellow]")
except Exception as e:
logging.error(f"Error in main loop: {e}", exc_info=True)
self.display.show_error(str(e))
return 0
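def direct_scan(self, target: str, profile: str) -> int:
    """Run a scan straight from the CLI (--target) without the menu.

    Args:
        target: CIDR, single IP or hostname. A value that fails the CIDR
            check is passed through unchanged so the scanner/nmap can
            interpret it.
        profile: Scan profile name.

    Returns:
        Exit code from perform_scan().
    """
    self.display.show_banner()
    if not self.has_privileges:
        self.display.show_warning("Running without root/admin privileges")

    is_valid, error = validate_cidr(target)
    if not is_valid:
        # Not a CIDR: keep the string as-is (single IP / hostname) and let
        # nmap decide. Record why at debug level so a typo in the target is
        # diagnosable with --verbose instead of silently scanning nothing.
        logger.debug("Target %r is not a CIDR (%s); passing it through unchanged", target, error)
    return self.perform_scan(target, profile)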
def run_quick_scan(self) -> None:
"""Run a quick scan."""
target = self.get_target()
if not target:
return
if self.menu.confirm_scan("QUICK", target):
self.perform_scan(target, "QUICK")
def run_full_scan(self) -> None:
"""Run a full comprehensive scan."""
if not self.has_privileges:
self.display.show_warning("Full scan works best with root/admin privileges")
target = self.get_target()
if not target:
return
if self.menu.confirm_scan("FULL", target):
self.perform_scan(target, "FULL")
def run_stealth_scan(self) -> None:
"""Run a stealth SYN scan."""
if not self.has_privileges:
self.display.show_error("Stealth scan requires root/admin privileges")
return
target = self.get_target()
if not target:
return
if self.menu.confirm_scan("STEALTH", target):
self.perform_scan(target, "STEALTH")
def _run_profile_scan(self, profile: str) -> None:
"""Run a scan with the given profile."""
target = self.get_target()
if not target:
return
if self.menu.confirm_scan(profile, target):
self.perform_scan(target, profile)
def _run_full_assessment_from_menu(self) -> None:
"""Run full assessment from menu (prompts for target)."""
target = self.get_target()
if not target:
return
self.console.print("[bold]Running Full Assessment...[/bold]")
self.run_full_assessment(target)
def _show_scan_history_menu(self) -> None:
    """List saved scans and optionally show a diff of the two most recent.

    Uses the module-level ScanHistory import; a fresh instance is created
    per call, as before.
    """
    history = ScanHistory()
    rows = history.history_table()
    if not rows:
        self.console.print("[yellow]No scan history found. Run a scan first.[/yellow]")
        return

    header = (
        f"{'Timestamp':<18} {'Target':<22} {'Profile':<8} "
        f"{'Hosts':<6} {'C':>4} {'H':>4} {'M':>4} {'L':>4}"
    )
    self.console.print(f"\n[bold]Scan History[/bold] ({len(rows)} scans)\n")
    self.console.print(header)
    self.console.print("-" * 75)
    for row in rows:
        self.console.print(
            f"{row['timestamp']:<18} {row['target']:<22} {row['profile']:<8} "
            f"{row['hosts']:<6} {row['critical']:>4} {row['high']:>4} "
            f"{row['medium']:>4} {row['low']:>4}"
        )
    self.console.print()

    if Confirm.ask("Show diff of last two scans?", default=False):
        diff = history.diff_last_two()
        if diff is None:
            self.console.print("[yellow]Need at least two scans for a diff.[/yellow]")
        else:
            # Timestamps are truncated to 19 chars (date + time, no fraction/zone).
            self.console.print(f"\nDiff: {diff.older_ts[:19]} -> {diff.newer_ts[:19]}")
            for line in diff.summary_lines():
                self.console.print(f" {line}")
    Prompt.ask("\nPress ENTER to return to menu")
def _show_modules_menu(self) -> None:
    """Show data module status and offer to download one module or all.

    Uses the module-level ModuleManager import.
    """
    mm = ModuleManager()
    mm.show_modules()
    self.console.print()
    if Confirm.ask("Download a module?", default=False):
        name = Prompt.ask("Module name (or 'all')", default="all")
        if name.lower() == "all":
            mm.download_all()
        else:
            mm.download(name)
    Prompt.ask("\nPress ENTER to return to menu")
def run_custom_target(self) -> None:
"""Run scan on custom user-specified target."""
target = self.menu.prompt_target()
if not target:
return
from config.settings import SCAN_PROFILES
profiles = list(SCAN_PROFILES.keys())
self.console.print("\n[bold]Select scan profile:[/bold]")
for i, p in enumerate(profiles, 1):
self.console.print(f" [{i}] {p}")
profile_choice = input(f"Choice [1]: ").strip() or "1"
try:
profile = profiles[int(profile_choice) - 1]
except (ValueError, IndexError):
profile = "QUICK"
if self.menu.confirm_scan(profile, target):
self.perform_scan(target, profile)
def get_target(self) -> str:
    """Prompt for a scan target, defaulting to the local subnet.

    Falls back to settings.default_target when the local subnet cannot be
    determined.

    Returns:
        Target string, or "" if the user cancelled.
    """
    suggested = get_local_subnet()
    if not suggested:
        suggested = self.settings.default_target
    return self.menu.prompt_target(suggested)
def perform_scan(self, target: str, profile: str) -> int:
    """Execute network scan and EOL checks.

    Pipeline, in order: port scan -> banner grab -> NSE (if enabled) ->
    default-credential tests (if enabled) -> EOL check -> security checks
    (which clear and refill self.finding_registry) -> results table, summary,
    finding counts and risk scores -> optional history save -> optional
    baseline save. A scan that finds no hosts returns 0 right after the scan
    info is shown.

    Args:
        target: Target to scan (as typed by the user; also stored in
            self.last_target)
        profile: Scan profile to use

    Returns:
        Exit code: 0 on completion (including "no hosts found"); 1 if any
        step raised — the error is logged with a traceback and shown.
    """
    try:
        # Set up progress callback
        with self.display.create_progress() as progress:
            # NOTE(review): target/profile are interpolated into Rich markup
            # unescaped here and below; a target containing '[' may be
            # parsed as markup rather than printed literally.
            scan_task = progress.add_task(f"[cyan]Scanning {target}...", total=100)
            def update_progress(msg: str, pct: float):
                # Scanner-side callback; pct is written straight to
                # `completed` on a 100-unit task, so it is expected as 0-100.
                progress.update(scan_task, description=f"[cyan]{msg}", completed=pct)
            self.scanner.set_progress_callback(update_progress)
            # Perform scan
            self.console.print(f"\n[bold blue]Starting {profile} scan on {target}...[/bold blue]")
            scan_result = self.scanner.scan(target, profile)
            progress.update(scan_task, completed=100)
        # The scan progress display is closed here; each sub-step below
        # opens its own via self.display.create_progress().
        # Store result
        self.last_scan_result = scan_result
        self.last_target = target
        # Show basic results
        self.display.show_scan_info(scan_result)
        if not scan_result.hosts:
            self.console.print("[yellow]No hosts found.[/yellow]")
            return 0
        # Grab banners for services with versions
        self.grab_banners(scan_result)
        # Run NSE scans if enabled
        if self.nse_scanner:
            self.run_nse_scans(scan_result)
        # Check for default credentials if enabled
        if self.auth_tester and self.auth_tester.enabled:
            self.run_auth_tests(scan_result)
        # Check EOL status
        self.check_eol_status(scan_result)
        # Run new security checks (SSL, web, DNS, UPnP, CVE, baseline)
        self.run_security_checks(scan_result)
        # Show results table
        self.display.show_results_table(scan_result, self.last_eol_data)
        # Show summary
        stats = self.calculate_stats(scan_result, self.last_eol_data)
        self.display.show_summary(stats)
        # Print finding counts (keys are the Severity names)
        counts = self.finding_registry.counts()
        self.console.print(
            f"\n[bold]Security findings:[/bold] "
            f"[red]{counts['CRITICAL']} Critical[/red] "
            f"[yellow]{counts['HIGH']} High[/yellow] "
            f"[cyan]{counts['MEDIUM']} Medium[/cyan] "
            f"[blue]{counts['LOW']} Low[/blue] "
            f"[dim]{counts['INFO']} Info[/dim]"
        )
        # Compute risk scores (per-IP objects with .score and .label)
        self.last_risk_scores = self.risk_scorer.score_all(self.finding_registry)
        if self.last_risk_scores:
            self.console.print("\n[bold]Device risk scores:[/bold]")
            for ip, risk in self.last_risk_scores.items():
                self.console.print(
                    f" {ip:<18} {risk.score:>3}/100 {risk.label}"
                )
        # Auto-save scan history (best-effort: a failed save only logs at
        # debug level and does not change the exit code)
        if getattr(self.settings, 'auto_save_history', True):
            try:
                self.scan_history.save(
                    scan_result, self.finding_registry, target=self.last_target
                )
            except Exception as e:
                logger.debug(f"History save failed: {e}")
        # Auto-save baseline if flag set. Unlike the history save this is
        # not wrapped: an exception here is reported as a failed scan.
        if getattr(self.args, 'save_baseline', False):
            saved = self.baseline_manager.save_baseline_from_scan(
                scan_result, network=self.last_target
            )
            if saved > 0:
                self.display.show_success(f"Baseline saved: {saved} devices recorded")
            else:
                self.display.show_warning(
                    "Baseline saved but 0 devices recorded (no MAC addresses). "
                    "Run with root/sudo for MAC address detection: sudo python3 netwatch.py --save-baseline --target ..."
                )
        return 0
    except Exception as e:
        logging.error(f"Scan failed: {e}", exc_info=True)
        self.display.show_error(f"Scan failed: {e}")
        return 1
def grab_banners(self, scan_result: ScanResult) -> None:
"""Grab banners from discovered services.
Args:
scan_result: Scan results containing hosts and ports
"""
with self.display.create_progress() as progress:
total_ports = sum(len(h.ports) for h in scan_result.hosts.values())
banner_task = progress.add_task("[cyan]Grabbing banners...", total=total_ports)
for ip, host in scan_result.hosts.items():
if not host.ports:
continue
open_ports = [p.port for p in host.ports.values() if p.state == 'open']
if not open_ports:
continue
# Grab banners concurrently
banners = self.banner_grabber.grab_banners(ip, open_ports)
# Update port info with banner data
for port_num, banner_result in banners.items():
if port_num in host.ports:
host.ports[port_num].banner = banner_result.raw_banner
host.ports[port_num].http_fingerprint = banner_result.http_fingerprint
# Update service/version from banner if detected
if banner_result.parsed_name:
host.ports[port_num].service = banner_result.parsed_name
if banner_result.parsed_version:
host.ports[port_num].version = banner_result.parsed_version
# Log HTTP fingerprint info if found
if banner_result.http_fingerprint:
fp = banner_result.http_fingerprint
if fp.device_type or fp.firmware_version:
logger.info(f"HTTP fingerprint {ip}:{port_num}: "
f"{fp.device_type} {fp.model} "
f"Firmware: {fp.firmware_version}")
progress.update(banner_task, advance=len(open_ports))
def check_eol_status(self, scan_result: ScanResult) -> None:
"""Check EOL status for discovered services.
Args:
scan_result: Scan results
"""
self.last_eol_data = {}
with self.display.create_progress() as progress:
total_services = sum(
1 for h in scan_result.hosts.values()
for p in h.ports.values()
if p.service and p.service != 'unknown'
)
eol_task = progress.add_task("[cyan]Checking EOL status...", total=max(total_services, 1))
for ip, host in scan_result.hosts.items():
self.last_eol_data[ip] = {}
for port_num, port in host.ports.items():
if not port.service or port.service == 'unknown':
continue
# Skip EOL check when no version info is available — no version
# means we cannot match to an EOL cycle; skip avoids false UNKNOWNs.
has_version = bool(port.version and port.version.strip())
has_banner = bool(port.banner and port.banner.strip())
if not has_version and not has_banner:
progress.update(eol_task, advance=1)
continue
# Try banner first if available
if has_banner:
eol_status = self.eol_checker.check_banner(port.banner)
else:
# Use service name and version
eol_status = self.eol_checker.check_version(
port.service,
port.version or ""
)
# Only store the result if we actually identified a product.
# product="unknown" means the banner/service gave no useful info —
# these are N/A, not meaningful UNKNOWN EOL results.
if eol_status.product and eol_status.product != "unknown":
self.last_eol_data[ip][port_num] = eol_status
progress.update(eol_task, advance=1)
def run_nse_scans(self, scan_result: ScanResult) -> None:
"""Run NSE (Nmap Scripting Engine) scans on discovered hosts.
Args:
scan_result: Scan results containing hosts and ports
"""
if not self.nse_scanner:
return
print("Running NSE enhanced detection...")
for ip, host in scan_result.hosts.items():
if not host.ports:
continue
# Get list of open ports as string
open_ports = [str(p.port) for p in host.ports.values() if p.state == 'open']
if not open_ports:
continue
port_string = ",".join(open_ports)
try:
# Run NSE scan
nse_info = self.nse_scanner.scan_host(ip, ports=port_string)
self.nse_results[ip] = nse_info
# Update host info with NSE findings
if nse_info.os_guesses:
host.os_guess = nse_info.os_guesses[0]
# Update port info with NSE script results
for script_name, results in nse_info.nse_results.items():
for nse_result in results:
port_num = nse_result.port
if port_num and port_num in host.ports:
# Update service info if found
if script_name == "http-title" and nse_result.output:
# Store in http_fingerprint
if not host.ports[port_num].http_fingerprint:
from core.http_fingerprinter import HttpFingerprint
host.ports[port_num].http_fingerprint = HttpFingerprint(
host=ip, port=port_num
)
host.ports[port_num].http_fingerprint.raw_html = nse_result.output
elif script_name == "http-server-header" and nse_result.output:
# Update service version from server header
server = nse_result.output.strip()
if "/" in server:
name, version = server.split("/", 1)
host.ports[port_num].service = name.lower()
host.ports[port_num].version = version.split()[0]
logger.info(f"NSE scan completed for {ip}")
except Exception as e:
logger.error(f"NSE scan failed for {ip}: {e}")
def run_auth_tests(self, scan_result: ScanResult) -> None:
"""Check for default credentials on discovered services.
WARNING: Only runs if auth testing is explicitly enabled.
Args:
scan_result: Scan results containing hosts and ports
"""
if not self.auth_tester or not self.auth_tester.enabled:
return
print("WARNING: Testing default credentials (only test your own devices!)")
for ip, host in scan_result.hosts.items():
if not host.ports:
continue
# Detect device type from existing data
device_type = None
for port in host.ports.values():
if port.http_fingerprint and port.http_fingerprint.device_type:
device_type = port.http_fingerprint.device_type
break
if port.service:
# Try to identify from service name
service_lower = port.service.lower()
for brand in ["tp-link", "asus", "netgear", "linksys", "d-link", "ubiquiti", "mikrotik"]:
if brand in service_lower:
device_type = brand.replace("-", " ").title()
break
# Get open ports for testable services
open_ports = [p.port for p in host.ports.values() if p.state == 'open']
# Run auth tests
auth_results = self.auth_tester.check_all_services(
ip, open_ports, device_type
)
if auth_results:
self.auth_results[ip] = auth_results
# Generate and display report (only confirmed/likely findings)
report = self.auth_tester.generate_report(auth_results)
if report["vulnerable_services"]:
print(f"CRITICAL: {ip} has default credentials on ports: {report['vulnerable_services']}")
if report.get("suspected_services"):
print(f"LOW: {ip} — possible default credentials on ports (unconfirmed): {report['suspected_services']}")
def _arp_sweep(self, target: str) -> List[str]:
"""Send ARP requests to all hosts in target; return list of IP strings.
Uses the same Scapy pattern as core/arp_checker._get_arp_table().
Requires root. Any failure returns [].
"""
try:
from scapy.layers.l2 import ARP, Ether
from scapy.sendrecv import srp
import scapy.config
scapy.config.conf.verb = 0
arp_request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=target)
answered, _ = srp(arp_request, timeout=3, verbose=False)
return [received.psrc for sent, received in answered]
except Exception:
return []
def _check_single_host(self, ip: str, host_info, scan_result: ScanResult) -> List[Finding]:
"""Run all per-host security checks for a single host; return findings.
Designed to be called from a ThreadPoolExecutor. All writes to shared
instance state (last_eol_data) are protected by self._scan_lock.
Findings are returned as a list; the caller adds them to the registry.
Internally runs 8 independent checkers in parallel using a nested
ThreadPoolExecutor. Two chain-dependent EOL pipelines (JA3S→EOL,
SNMP→EOL) execute immediately after their predecessor completes
via as_completed() callbacks.
"""
if host_info.state != "up":
return []
open_ports = [p.port for p in host_info.ports.values() if p.state == "open"]
all_findings: List[Finding] = []
# ---- Submit all independent checkers in parallel ----
with ThreadPoolExecutor(max_workers=8) as executor:
future_tags = {
executor.submit(_check_insecure_protocols, ip, open_ports): "protocols",
executor.submit(
run_ssl_checks, ip, open_ports,
timeout=self.settings.ssl_check_timeout,
): "ssl",
executor.submit(
run_web_checks, ip, open_ports,
timeout=self.settings.web_check_timeout,
): "web",
executor.submit(
run_ftp_checks, ip, open_ports,
timeout=self.settings.banner_timeout,
): "ftp",
executor.submit(run_ssh_checks, ip, open_ports): "ssh",
executor.submit(run_smb_checks, ip, open_ports): "smb",
executor.submit(run_snmp_checks, ip, open_ports): "snmp",
executor.submit(self._run_cve_checks, ip, host_info): "cve",
}
for future in as_completed(future_tags):
tag = future_tags[future]
try:
checker_findings = future.result()
if checker_findings:
all_findings.extend(checker_findings)
# Chain-dependent steps run immediately after predecessor
if tag == "ssl":
ja3s_findings = self._run_ja3s_eol_pipeline(ip, open_ports)
if ja3s_findings:
all_findings.extend(ja3s_findings)
elif tag == "snmp":
snmp_eol_findings = self._run_snmp_eol_pipeline(ip)
if snmp_eol_findings:
all_findings.extend(snmp_eol_findings)
except Exception as e:
logger.error(f"Checker '{tag}' failed for {ip}: {e}")
return all_findings
def _run_ja3s_eol_pipeline(self, ip: str, open_ports: List[int]) -> List[Finding]:
"""Run JA3S→EOL matching after SSL checker has populated the cache.
Reads get_last_ja3s_match() for each open port, parses the app name
into a product slug + version, and feeds it to the EOL checker.
Writes to self.last_eol_data under self._scan_lock.
"""
findings: List[Finding] = []
try:
for port in open_ports:
ja3s_match = get_last_ja3s_match(ip, port)
if ja3s_match:
app_name, app_desc = ja3s_match
parts = app_name.replace("/", " ").split()
if len(parts) >= 2:
product_slug = parts[0].lower()
version = parts[1]
eol_status = self.eol_checker.check_version(product_slug, version)
with self._scan_lock:
if ip not in self.last_eol_data:
self.last_eol_data[ip] = {}
self.last_eol_data[ip][port] = eol_status
logger.info(
f"JA3S→EOL: {ip}:{port} {product_slug} {version} "
f"→ {eol_status.level.value}"
)
except Exception as e:
logger.debug(f"JA3S EOL pipeline error for {ip}: {e}")
return findings
def _run_snmp_eol_pipeline(self, ip: str) -> List[Finding]:
    """Feed the SNMP sysDescr captured by the SNMP checker into the EOL checker.

    get_last_sysdescr() is parsed with parse_sysdescr() into a
    (product_slug, version) pair; the EOL result is stored at
    self.last_eol_data[ip][SNMP_PORT] under self._scan_lock.

    Returns:
        Always an empty list — this step produces no Finding objects itself.
    """
    findings: List[Finding] = []
    try:
        sysdescr = get_last_sysdescr(ip)
        parsed = parse_sysdescr(sysdescr) if sysdescr else None
        if parsed:
            slug, version = parsed
            status = self.eol_checker.check_version(slug, version)
            with self._scan_lock:
                self.last_eol_data.setdefault(ip, {})[SNMP_PORT] = status
            logger.info(
                f"SNMP sysDescr EOL: {ip} {slug} {version} → {status.level.value}"
            )
    except Exception as e:
        logger.debug(f"SNMP sysDescr EOL pipeline error for {ip}: {e}")
    return findings
def _run_cve_checks(self, ip: str, host_info) -> List[Finding]:
"""Run CVE lookup for each detected service version on a host."""
findings: List[Finding] = []
for port_num, port in host_info.ports.items():
if port.service and port.version:
try:
cve_findings = self.cve_checker.check(
host=ip,
product=port.service,
version=port.version,
port=port.port,
protocol=port.protocol,
)
findings.extend(cve_findings)
except Exception as e:
logger.debug(f"CVE check error {ip}:{port_num}: {e}")
return findings
def run_security_checks(self, scan_result: ScanResult) -> FindingRegistry:
"""Run all new security checks and collect findings.
This runs after the existing scan pipeline (banners, NSE, auth tests,
EOL checks are already done). Results are added to self.finding_registry.
New checks:
- SSL/TLS certificate analysis
- Web interface security (headers, admin paths, HTTP login forms)
- DNS hijack detection
- UPnP exposure
- CVE correlation for detected service versions
- EOL results converted to findings
- Baseline comparison (rogue device detection)
- Insecure protocol detection (Telnet, FTP, SNMP, etc.)
- Auth test results converted to CRITICAL findings
Returns:
The populated FindingRegistry.
"""
self.finding_registry.clear()
# --- Print cache warnings (non-blocking) ---
for warning in self.unified_cache.stale_warnings():
self.console.print(f"[yellow]WARNING: {warning}[/yellow]")
with self.display.create_progress() as progress:
task = progress.add_task("[cyan]Running security checks...", total=None)
# ---- Per-host checks run in parallel ----
progress.update(task, description="[cyan]Running per-host security checks in parallel...")
futures: Dict[Any, str] = {}
with ThreadPoolExecutor(max_workers=self.settings.scan_worker_threads) as executor:
for ip, host_info in scan_result.hosts.items():
future = executor.submit(
self._check_single_host, ip, host_info, scan_result)
futures[future] = ip
all_findings: List[Finding] = []
for future in as_completed(futures):
ip = futures[future]
try:
host_findings = future.result()
all_findings.extend(host_findings)
self.console.print(f" [green]✓[/green] Checked {ip}")
except Exception as e:
logger.error(f"Security check failed for {ip}: {e}")
self.finding_registry.add_all(all_findings)
# ---- EOL results → Findings ----
progress.update(task, description="[cyan]Converting EOL results...")
self.finding_registry.add_all(
self._eol_to_findings(scan_result, self.last_eol_data)
)
# ---- Auth test results → CRITICAL findings ----
progress.update(task, description="[cyan]Processing auth results...")
self.finding_registry.add_all(
self._auth_to_findings(self.auth_results)
)
# ---- DNS hijack check ----
progress.update(task, description="[cyan]DNS security check...")
try:
dns_findings = run_dns_checks(local_network=self.last_target)
self.finding_registry.add_all(dns_findings)
except Exception as e:
logger.debug(f"DNS check error: {e}")