Pentest-Toolbox-Python

A multi-stage network security scanner that discovers open ports, grabs service banners, maps detected versions against known CVEs, and flags exposed services that should never be internet-facing — turning raw port data into actionable vulnerability intelligence.



Overview

Most port scanners stop at "port open / port closed." This tool goes four steps further — it identifies what service is running, what version, whether that version has known vulnerabilities, and whether the service should be exposed at all.

The scan pipeline runs in four phases:

```text
Phase 1              Phase 2               Phase 3               Phase 4
PORT SCAN            BANNER GRAB           CVE MATCH             RISK ANALYSIS
────────────         ────────────          ────────────          ────────────
Threaded TCP    →    Protocol-aware   →    Version comparison  → Exposed service
connect scan         banner grabbing       against 14 real       risk detection
(100 threads)        (SSH, HTTP, FTP,      CVEs (CRITICAL/       (15 rules for
                      SMTP, MySQL)         HIGH/MEDIUM)          never-expose
                                                                  services)
```
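Phase 1 in miniature. The following is an added example written for this page, not code from `scanner/tcp_scanner.py`: a `ThreadPoolExecutor` connect scan with the same open/closed/filtered distinction a practitioner needs, plus a parser for the `-p` style port specs. Names (`PortResult`, `parse_ports`, `probe`, `scan`, `demo`) are this example's own, and the two listeners it scans are throw-away sockets on 127.0.0.1, not real services. Note the trade-off it encodes: a connect scan completes the three-way handshake, so every probe is visible in the target's logs; a SYN scan avoids that but needs raw sockets and root.

```python
"""Phase 1, as a stand-alone example: threaded TCP connect scan with a
port-spec parser, run against two throw-away listeners on 127.0.0.1."""
import socket
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class PortResult:
    port: int
    state: str  # "open", "closed" or "filtered"


def parse_ports(spec: str) -> list:
    """Expand "1-1000", "22,80,443" or "20-25,8080" into a sorted list of
    unique ports, rejecting anything outside 1-65535 or a reversed range."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


def probe(host: str, port: int, timeout: float = 0.5) -> PortResult:
    """One connect probe. A completed three-way handshake means open (and
    shows up in the target's logs, unlike a raw-socket SYN scan); a RST
    (connection refused) means closed; silence until the timeout is
    reported as filtered, which is what a dropping firewall looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return PortResult(port, "filtered")
        except ConnectionRefusedError:
            return PortResult(port, "closed")
        except OSError:  # unreachable host, EACCES, ...: treat as not open
            return PortResult(port, "closed")
    return PortResult(port, "open")


def scan(host: str, ports: list, threads: int = 100, timeout: float = 0.5) -> list:
    """Probe every port concurrently. The work is I/O-bound, so threads give
    near-linear speedup despite the GIL; keep `threads` below the process's
    open-file limit (ulimit -n) or probes start failing with EMFILE."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
        return [r for r in results if r.state != "closed"]


def demo() -> dict:
    """Constructed target: two listeners on ephemeral ports of 127.0.0.1
    (not real services); scan a 7-port window around each of them."""
    listeners = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(8)
        listeners.append(srv)
    expected = sorted(s.getsockname()[1] for s in listeners)
    spec = ",".join(f"{p - 3}-{p + 3}" for p in expected)
    try:
        found = scan("127.0.0.1", parse_ports(spec), threads=16)
    finally:
        for s in listeners:
            s.close()
    return {"expected": expected,
            "open": sorted(r.port for r in found if r.state == "open"),
            "filtered": sorted(r.port for r in found if r.state == "filtered")}


if __name__ == "__main__":
    print(demo())
```

Against a remote host the `filtered` list is the interesting one: ports that neither accept nor refuse are usually behind a firewall, and a long list of them is a hint to lower `--timeout` only if you are prepared to miss slow hosts.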

Features

| Feature | Description |
|---|---|
| Threaded Scanning | 100 concurrent threads via `ThreadPoolExecutor`; scans 1000 ports in seconds |
| Banner Grabbing | Protocol-specific strategies for SSH, HTTP, FTP, SMTP, MySQL, and generic services |
| CVE Mapping | 14 real-world CVEs (regreSSHion, Terrapin, HTTP smuggling, etc.) with version range matching |
| Exposed Service Risk Analysis | 15 rules flagging services that should never be internet-facing (Redis, MongoDB, Memcached, Docker API, etc.) |
| Severity Rating | CRITICAL / HIGH / MEDIUM / LOW classification with CVSS scores |
| Rich Terminal UI | Colored tables, progress bars, and severity-highlighted output via Rich |
| JSON Reports | Structured export for integration with dashboards and CI/CD pipelines |
| v1 Compatibility | Original `port_scanner.py` preserved as a lightweight alternative |

Quick Start

```bash
git clone https://github.com/sedat4ras/Pentest-Toolbox-Python.git
cd Pentest-Toolbox-Python

pip install -r requirements.txt

# Full scan with banner grabbing, CVE matching, and risk analysis
python port_scanner_v2.py 192.168.1.1

# Custom port range with JSON report
python port_scanner_v2.py 10.0.0.1 -p 1-65535 -t 200 --json reports/scan.json

# Quick scan without banner grabbing
python port_scanner_v2.py 192.168.1.1 --no-banner
```

CLI Options

| Option | Default | Description |
|---|---|---|
| `target` | required | Target IP address or hostname |
| `-p, --ports` | `1-1000` | Port range or list (e.g. `1-65535`, `22,80,443`) |
| `-t, --threads` | `100` | Number of concurrent scan threads |
| `--timeout` | `0.5` | Socket timeout in seconds |
| `--json PATH` | | Export JSON report to file |
| `--no-banner` | | Skip banner grabbing phase |
| `--no-vuln` | | Skip vulnerability matching phase |
| `-v, --verbose` | | Show raw banner data in output |

CVE Database

The tool ships with 14 curated, high-impact CVEs:

| Service | CVE | Severity | Description |
|---|---|---|---|
| OpenSSH | CVE-2024-6387 | CRITICAL | regreSSHion, unauthenticated RCE |
| OpenSSH | CVE-2023-48795 | MEDIUM | Terrapin MITM downgrade attack |
| Apache | CVE-2023-25690 | CRITICAL | HTTP request smuggling |
| nginx | CVE-2023-44487 | HIGH | HTTP/2 Rapid Reset DoS |
| ProFTPD | CVE-2021-33574 | CRITICAL | Unauthenticated RCE |
| MySQL | CVE-2024-21096 | MEDIUM | mysqldump data leak |

...and 8 more

The database is stored at data/vuln_db.json and can be extended with new entries. Check each entry against NVD before relying on it: CVE-2021-33574, listed above against ProFTPD, is the identifier NVD assigns to a use-after-free in glibc's mq_notify (glibc 2.32 and 2.33), not to a ProFTPD bug, so a hit on that entry from an FTP banner is a false positive. Version-string matching in general also cannot see vendor backports (a distro build that patches a CVE keeps the upstream version string), so a match means "worth verifying", not "confirmed vulnerable".
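What the phase-3 matching has to do, shown as an added example rather than the repository's `vuln_matcher.py`: pull a product and version out of a banner, turn version strings such as `9.7p1` into something comparable, and test them against the ranges of a JSON database in the shape the page describes. The field names (`cve`, `product`, `min`, `max`, `max_exclusive`) are this example's own, not the project's schema, and the three entries are simplified from the public advisories for the CVEs the page lists: CVE-2024-6387 affects OpenSSH 8.5p1 through 9.7p1, CVE-2023-48795 is fixed in OpenSSH 9.6, CVE-2023-25690 affects Apache httpd 2.4.0 through 2.4.55.

```python
"""Phase 3, as a stand-alone example: banner -> (product, version) ->
matching entries of a vuln_db-style JSON list, most severe first."""
import json
import re
from typing import Optional

# Constructed database in the shape the page describes (a JSON list of CVE
# entries). Field names are this example's, not the repository's schema;
# ranges are simplified from the public advisories for these CVEs.
VULN_DB_JSON = """
[
  {"cve": "CVE-2024-6387", "product": "openssh", "severity": "CRITICAL", "cvss": 8.1,
   "min": "8.5p1", "max": "9.7p1",
   "summary": "regreSSHion, unauthenticated RCE via signal-handler race"},
  {"cve": "CVE-2023-48795", "product": "openssh", "severity": "MEDIUM", "cvss": 5.9,
   "min": "0", "max_exclusive": "9.6",
   "summary": "Terrapin prefix truncation (MITM downgrade)"},
  {"cve": "CVE-2023-25690", "product": "apache", "severity": "CRITICAL", "cvss": 9.8,
   "min": "2.4.0", "max": "2.4.55",
   "summary": "mod_proxy HTTP request smuggling"}
]
"""
VULN_DB = json.loads(VULN_DB_JSON)

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Banner signatures -> (product, version). The version group keeps patch
# suffixes such as "9.7p1" so they take part in the comparison.
PATTERNS = [
    ("openssh", re.compile(r"OpenSSH[_ ](\d+\.\d+(?:p\d+)?)")),
    ("apache", re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"nginx/(\d+(?:\.\d+)*)")),
    ("proftpd", re.compile(r"ProFTPD (\d+(?:\.\d+)*[a-z]?)")),
]


def version_key(v: str) -> tuple:
    """"9.7p1" -> (9, 7, 1), "2.4.55" -> (2, 4, 55). Python tuple ordering then
    does the right thing: a missing trailing component sorts first, so
    (9, 6) < (9, 6, 1), i.e. "9.6" < "9.6p1"."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def identify(banner: str) -> Optional[tuple]:
    """First matching signature wins; None when nothing is recognised."""
    for product, pat in PATTERNS:
        m = pat.search(banner)
        if m:
            return product, m.group(1)
    return None


def in_range(version: str, entry: dict) -> bool:
    """Inclusive "min"/"max", with an optional exclusive upper bound for
    advisories phrased as "fixed in X"."""
    v = version_key(version)
    if v < version_key(entry.get("min", "0")):
        return False
    if "max" in entry and v > version_key(entry["max"]):
        return False
    if "max_exclusive" in entry and v >= version_key(entry["max_exclusive"]):
        return False
    return True


def match_cves(banner: str, db=VULN_DB) -> list:
    """Matching DB entries, most severe first. Limit of the technique: a
    distro build that backports the fix keeps the upstream version string
    ("OpenSSH_8.9p1 Ubuntu-3ubuntu0.10" is patched for CVE-2024-6387 but
    still matches here), so treat hits as leads, not proof."""
    ident = identify(banner)
    if ident is None:
        return []
    product, version = ident
    hits = [e for e in db if e["product"] == product and in_range(version, e)]
    return sorted(hits, key=lambda e: (SEVERITY_RANK[e["severity"]], e["cve"]))


def cve_ids(banner: str) -> list:
    return [e["cve"] for e in match_cves(banner)]


if __name__ == "__main__":
    for b in ("SSH-2.0-OpenSSH_9.7p1 Debian-7", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
              "Server: Apache/2.4.54 (Debian)", "Server: Apache/2.4.58"):
        print(f"{b!r:50} -> {cve_ids(b)}")
```

The Ubuntu banner in the docstring is the case to remember when extending the database: the 8.9p1 match is technically correct for the upstream version but wrong for that host, and only the distro's changelog (or an actual exploit attempt in an authorised test) settles it.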

Exposed Service Risk Analysis

Phase 4 flags services that should never be directly exposed to the internet. Unauthenticated datastores and management APIs of this kind have been behind many large real-world breaches (mass-deleted MongoDB and Elasticsearch instances, the 2018 Memcached amplification attacks), so an open port here is a finding on its own, with or without a CVE match.

| Severity | Service | Port | Risk |
|---|---|---|---|
| CRITICAL | Telnet | 23 | Cleartext credential transmission |
| CRITICAL | Redis | 6379 | No auth by default: arbitrary data access and RCE |
| CRITICAL | MongoDB | 27017 | No auth by default: mass ransomware target |
| CRITICAL | Memcached | 11211 | DDoS amplification vector over UDP (1.7 Tbps record, 2018); a TCP connect scan only sees TCP 11211, so check UDP separately |
| CRITICAL | Elasticsearch | 9200, 9300 | No auth: sensitive data leak and cluster manipulation |
| CRITICAL | Kubernetes API | 6443 | Cluster takeover with misconfigured RBAC |
| CRITICAL | Docker API | 2375 | Unauthenticated container creation = root shell on the host |
| HIGH | CouchDB | 5984 | Admin party mode: full database takeover |
| HIGH | Cassandra | 9042 | Unrestricted CQL access to all keyspaces |
| HIGH | MSSQL | 1433 | Credential brute-force target (the `sa` account in particular) |
| HIGH | PostgreSQL | 5432 | Credential brute-force and data exfiltration |
| HIGH | ZooKeeper | 2181 | No auth: coordination data manipulation |
| HIGH | InfluxDB | 8086 | Unrestricted time-series data read/write |
| HIGH | SMB | 445 | Ransomware vector (WannaCry, EternalBlue) |

Each finding includes a specific remediation recommendation.
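One way to implement this phase, as an added example that is not the repository's `risk_analyzer.py`: the port number triggers a rule, and the banner captured in phase 2 (when there is one) either confirms the identification or marks it as doubtful, because a port number alone says nothing about what is actually listening. A subset of the page's rules is encoded with remediation text written for this example; the three banner signatures are real protocol fingerprints (Redis replies in RESP with a `+` or `-` prefix, Elasticsearch's root document carries its `You Know, for Search` tagline, the Docker Engine API's JSON contains `"ApiVersion"`). The Redis refinement assumes the grabber sent `PING`, which is what produces a `-NOAUTH` reply when `requirepass` is set. The sample scan output in `demo()` is constructed.

```python
"""Phase 4, as a stand-alone example: port-triggered rules for services that
should never face the internet, with the phase-2 banner used to confirm
(or cast doubt on) the identification before it goes into the report."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass(frozen=True)
class Rule:
    service: str
    ports: tuple
    severity: str
    risk: str
    remediation: str
    signature: Optional[str] = None  # regex a genuine banner from this service matches


# Subset of the page's rule table with remediation text written for this
# example. Signatures are real protocol fingerprints (RESP prefix,
# Elasticsearch tagline, Docker API JSON field).
RULES = [
    Rule("Telnet", (23,), "CRITICAL", "Cleartext credential transmission",
         "Disable telnet; use SSH with key-based auth"),
    Rule("Redis", (6379,), "CRITICAL", "No auth by default: arbitrary data access and RCE",
         "Bind to localhost, set requirepass/ACLs, firewall 6379", r"^[+\-]"),
    Rule("MongoDB", (27017,), "CRITICAL", "No auth by default: mass ransomware target",
         "Enable authorization and bind to private interfaces only"),
    Rule("Memcached", (11211,), "CRITICAL", "DDoS amplification vector",
         "Disable UDP, bind to localhost, firewall 11211"),
    Rule("Elasticsearch", (9200, 9300), "CRITICAL", "No auth: data leak and cluster manipulation",
         "Enable security features and front it with an authenticating proxy",
         r"You Know, for Search"),
    Rule("Docker API", (2375,), "CRITICAL", "Unauthenticated container creation = root shell",
         "Use 2376 with TLS client certificates, or the unix socket only", r'"ApiVersion"'),
    Rule("PostgreSQL", (5432,), "HIGH", "Credential brute-force and data exfiltration",
         "Restrict pg_hba.conf, require TLS, firewall 5432"),
    Rule("SMB", (445,), "HIGH", "Ransomware vector (WannaCry, EternalBlue)",
         "Block 445 at the perimeter and disable SMBv1"),
]


@dataclass
class Finding:
    service: str
    port: int
    severity: str
    risk: str
    remediation: str
    confidence: str  # "confirmed", "unconfirmed" (banner did not match) or "port-only"
    evidence: str = ""


def analyze(open_ports, banners: dict) -> list:
    """open_ports: ints from phase 1; banners: {port: raw banner text} from
    phase 2 (a missing key means nothing was captured). Findings come back
    most severe first, then by port."""
    findings = []
    for port in sorted(set(open_ports)):
        for rule in RULES:
            if port not in rule.ports:
                continue
            banner = banners.get(port, "")
            severity, confidence, evidence = rule.severity, "port-only", ""
            if rule.signature and banner:
                if re.search(rule.signature, banner, re.MULTILINE):
                    confidence, evidence = "confirmed", banner.strip().splitlines()[0][:80]
                else:
                    confidence = "unconfirmed"  # something else may own this port
            # "-NOAUTH" means requirepass is set: still exposed to brute force,
            # but not wide open, so keep it on the report as HIGH rather than CRITICAL.
            if rule.service == "Redis" and banner.startswith("-NOAUTH"):
                severity = "HIGH"
            findings.append(Finding(rule.service, port, severity, rule.risk,
                                    rule.remediation, confidence, evidence))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.port))
    return findings


def to_json(findings: list) -> str:
    """The shape a JSON report could embed under a "risks" key."""
    return json.dumps({"risks": [asdict(f) for f in findings]}, indent=2)


def demo() -> list:
    # Constructed scan output: ports and banners invented for this example.
    open_ports = [22, 80, 2375, 6379, 9200, 9300, 5432]
    banners = {
        2375: "HTTP/1.1 404 Not Found\r\n\r\n",  # HTTP, but no Docker API fingerprint
        6379: "-NOAUTH Authentication required.\r\n",
        9200: '{"name": "node-1", "tagline": "You Know, for Search"}',
    }
    return analyze(open_ports, banners)


if __name__ == "__main__":
    print(to_json(demo()))
```

The `confidence` field is the part worth keeping in a real report: a `port-only` CRITICAL is a reason to look, a `confirmed` one is a reason to act, and an `unconfirmed` one is a reason to suspect the service map is wrong before anyone is paged.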

Project Structure

```text
Pentest-Toolbox-Python/
├── port_scanner.py          # v1 — original lightweight scanner
├── port_scanner_v2.py       # v2.1 — CLI entry point (argparse)
├── scanner/
│   ├── models.py            # Dataclasses: PortResult, ServiceBanner, VulnMatch, ScanReport
│   ├── tcp_scanner.py       # Threaded TCP connect scanner
│   ├── banner_grabber.py    # Protocol-aware banner engine
│   ├── vuln_matcher.py      # Version comparison + CVE matching
│   ├── risk_analyzer.py     # Exposed service risk detection (15 rules)
│   └── output.py            # Rich terminal output + JSON export
├── data/
│   └── vuln_db.json         # Curated CVE database (14 entries)
├── tests/                   # 80 unit tests
├── reports/                 # Generated JSON reports
├── requirements.txt         # rich>=13.0.0
└── LICENSE
```

Banner Grabbing Strategies

| Protocol | Ports | Strategy |
|---|---|---|
| SSH | 22 | Server speaks first: read the initial version string |
| HTTP | 80, 443, 8080 | Send a HEAD request, parse the `Server:` header |
| FTP | 21 | Server sends a 220 welcome banner |
| SMTP | 25, 587 | Server sends a 220 greeting |
| MySQL | 3306 | Server sends a greeting packet containing the version |
| Generic | any | Connect, send `\r\n`, read the response |
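The strategies above, implemented as an added example (this is not the repository's `banner_grabber.py`) and exercised offline against constructed local stand-ins for SSH, HTTP, FTP and MySQL. Two details matter in practice and are handled here: on 443 a plaintext HEAD gets nothing back, so the socket has to be wrapped in TLS first (with verification off, since the goal is the `Server:` header, not a trust decision); and the MySQL greeting is binary, a 4-byte packet header, a protocol-version byte, then a NUL-terminated version string, so it is parsed rather than decoded as text. Names (`ServiceBanner`, `grab`, `extract_product`, `_fake_server`, `demo`) and the `protocol`/`tls` overrides are this example's own; the fake servers are minimal threads that send one canned reply and are not real services.

```python
"""Phase 2, as a stand-alone example: protocol-aware banner grabbing, run
against constructed local stand-ins for SSH, HTTP, FTP and MySQL."""
import re
import socket
import ssl
import threading
from dataclasses import dataclass

SERVER_SPEAKS_FIRST = {21: "ftp", 22: "ssh", 25: "smtp", 587: "smtp", 3306: "mysql"}
HTTP_PORTS = {80: False, 8080: False, 443: True, 8443: True}  # port -> wrap in TLS?


@dataclass
class ServiceBanner:
    port: int
    protocol: str
    raw: str
    product: str = ""


def extract_product(protocol: str, raw: bytes, text: str) -> str:
    """Pull the software string out of each protocol's greeting."""
    if protocol == "ssh":  # "SSH-protoversion-softwareversion SP comments"
        parts = text.strip().split("-", 2)
        return parts[2].split()[0] if len(parts) == 3 else ""
    if protocol == "http":
        m = re.search(r"^Server:\s*(.+?)\r?$", text, re.MULTILINE | re.IGNORECASE)
        return m.group(1) if m else ""
    if protocol in ("ftp", "smtp"):
        m = re.match(r"220[ -](.*)", text)
        return m.group(1).strip() if m else ""
    if protocol == "mysql":
        # Handshake packet: 4-byte header, protocol version byte (0x0a),
        # then a NUL-terminated server version string.
        if len(raw) > 5 and raw[4] == 0x0A and b"\x00" in raw[5:]:
            return raw[5:raw.index(b"\x00", 5)].decode("ascii", "replace")
        return ""
    return text.strip().splitlines()[0] if text.strip() else ""


def grab(host: str, port: int, timeout: float = 2.0, protocol=None, tls=None) -> ServiceBanner:
    """Strategy is chosen from the port unless overridden (the demo runs on
    ephemeral ports). Server-speaks-first protocols only read; HTTP sends a
    HEAD; everything else gets a bare CRLF to provoke a reply."""
    proto = protocol or SERVER_SPEAKS_FIRST.get(port) or ("http" if port in HTTP_PORTS else "generic")
    use_tls = HTTP_PORTS.get(port, False) if tls is None else tls
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # a plaintext HEAD on 443 gets no banner; wrap first
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we want the header, not a trust decision
        sock = ctx.wrap_socket(sock, server_hostname=host)
    buf = b""
    with sock:
        if proto == "http":
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        elif proto == "generic":
            sock.sendall(b"\r\n")
        try:
            while len(buf) < 8192:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                if proto != "http":  # one greeting is all we need
                    break
        except socket.timeout:
            pass  # whatever arrived before the timeout is still a banner
    text = buf.decode("utf-8", "replace")
    return ServiceBanner(port, proto, text, extract_product(proto, buf, text))


def _fake_server(reply: bytes, wait_for_request: bool) -> int:
    """Constructed local stand-in (not a real service): accepts one client,
    optionally waits for it to speak, sends `reply`, and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    mysql_greeting = b"\x2a\x00\x00\x00\x0a8.0.36\x00" + b"\x00" * 34  # 42-byte payload
    targets = {
        "ssh": (_fake_server(b"SSH-2.0-OpenSSH_9.7p1 Debian-7\r\n", False), "ssh"),
        "http": (_fake_server(b"HTTP/1.0 200 OK\r\nServer: nginx/1.25.2\r\nContent-Length: 0\r\n\r\n", True), "http"),
        "ftp": (_fake_server(b"220 ProFTPD 1.3.8 Server ready.\r\n", False), "ftp"),
        "mysql": (_fake_server(mysql_greeting, False), "mysql"),
    }
    return {name: grab("127.0.0.1", port, protocol=proto, tls=False)
            for name, (port, proto) in targets.items()}


if __name__ == "__main__":
    for name, b in demo().items():
        print(f"{name:6} {b.product!r:32} {b.raw[:40]!r}")
```

Sending `HEAD / HTTP/1.0` rather than `HTTP/1.1` is deliberate: with 1.0 the server closes after the response, so the read loop ends on EOF instead of waiting out the timeout on every HTTP port.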

Running Tests

```bash
pip install pytest
python -m pytest tests/ -v
```

Changelog

v2.1.0

  • Added Phase 4: Exposed Service Risk Analysis with 15 rules
  • Flags services that should never be internet-facing (Redis, MongoDB, Docker API, etc.)
  • Remediation suggestions for each detected risk
  • Risk findings included in JSON export
  • 23 new unit tests (80 total)

v2.0.0

  • Complete rewrite with modular architecture
  • Service Banner Grabbing (SSH, HTTP, FTP, SMTP, MySQL)
  • CVE Vulnerability Mapping with 14 real-world CVEs
  • Rich terminal UI with colored severity tables
  • JSON report export
  • 57 unit tests

v1.0.0

  • Basic TCP connect port scanner

Disclaimer

This tool is developed for educational purposes and authorized security testing only. Always obtain explicit written permission before scanning any network or system that you do not own. Unauthorized scanning may violate local laws and regulations.

Contact

GitHub: sedat4ras | Email: sudo@sedataras.com

About

A Python-based network scanner featuring real-time port tracking.
