███╗   ██╗███████╗████████╗██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗    ██████╗ ██████╗ ███████╗██████╗ 
████╗  ██║██╔════╝╚══██╔══╝██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝    ██╔══██╗██╔══██╗██╔════╝██╔══██╗
██╔██╗ ██║█████╗     ██║   ██║ █╗ ██║██║   ██║██████╔╝█████╔╝     ██████╔╝██████╔╝█████╗  ██║  ██║
██║╚██╗██║██╔══╝     ██║   ██║███╗██║██║   ██║██╔══██╗██╔═██╗     ██╔═══╝ ██╔══██╗██╔══╝  ██║  ██║
██║ ╚████║███████╗   ██║   ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗    ██║     ██║  ██║███████╗██████╔╝
╚═╝  ╚═══╝╚══════╝   ╚═╝    ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝    ╚═╝     ╚═╝  ╚═╝╚══════╝╚═════╝ 

🛡️ Advanced Network Penetration Testing Toolkit

Professional-grade network reconnaissance and SSH penetration testing framework with advanced evasion capabilities

🚀 Quick Start • 📖 Documentation • 🎯 Exploitation • 🛡️ Defense • ⚖️ Legal

---

⚠️ LEGAL DISCLAIMER

🔴 FOR AUTHORIZED TESTING ONLY

This tool is designed for educational purposes and authorized penetration testing only. Unauthorized access to computer systems is illegal and may result in criminal charges.

✅ Authorized Use:

• Your own systems and networks
• Systems with explicit written permission
• Educational lab environments
• Professional penetration testing engagements

❌ Unauthorized Use:

• Any system you don't own
• Public networks or infrastructure
• Corporate systems without permission
• Any malicious or harmful intent

By using this tool, you agree to take full responsibility for your actions and comply with all applicable laws.

---

🚀 Features

🌐 Network Reconnaissance & Discovery

• 🔍 Advanced Network Discovery: Intelligent ping sweeps with customizable timing
• 🔎 Multi-Protocol Port Scanning: TCP connect scanning with service fingerprinting
• 🎨 Banner Grabbing & Versioning: Automated service identification and version detection
• ⚡ Multi-Threading: High-performance concurrent scanning across multiple hosts
• 📊 Progress Tracking: Real-time scanning progress with ETA estimates

🔐 SSH Security Assessment Framework

• 🔍 Deep SSH Fingerprinting: Comprehensive SSH server analysis and version detection
• 🛡️ Configuration Auditing: Automated detection of SSH misconfigurations
• 📝 Vulnerability Database: CVE mapping and exploit availability checking
• 📈 Risk Assessment: Automated security scoring and prioritization
• 📄 Detailed Reporting: Professional-grade vulnerability assessment reports

🎯 Advanced SSH Exploitation Engine

💬 User Enumeration

• CVE-2018-15473: Timing-based username enumeration exploit
• Stealth Mode: Randomized delays and connection pacing to evade detection
• Custom Wordlists: Configurable username dictionaries
• Smart Analysis: Statistical timing analysis for accurate results

🔑 Credential Attack Framework

• Dictionary Attacks: High-performance brute force with custom wordlists
• Smart Brute Force: Intelligent credential combinations and common patterns
• Stealth Brute Force: Advanced evasion with randomized delays and IP rotation
• Session Management: Persistent attack sessions with resume capabilities
• Fail2ban Evasion: Adaptive timing to bypass intrusion detection systems

🛡️ Evasion & Anti-Detection

• Connection Rate Limiting: Configurable delays between attempts
• Randomized Timing: Variable delays to mimic human behavior
• Connection Pooling: Distributed attacks across multiple connections
• Error Handling: Graceful handling of defensive countermeasures

⚙️ Advanced Configuration System

• 📝 YAML Configuration: Flexible parameter management through config.yaml
• 🎯 Custom Port Lists: Configurable scanning profiles for different scenarios
• ⏱️ Timing Controls: Fine-grained timeout and delay customization
• 🗺️ Network Profiles: Pre-configured settings for different network types
• 📊 Performance Tuning: Thread pool and connection optimization

---

📦 Installation

Prerequisites

# Ensure Python 3.6+ is installed
python3 --version

# Install required dependencies
pip3 install paramiko pyyaml colorama

Quick Install

# Clone the repository
git clone https://github.com/floriankostov/network_scanner.git
cd network_scanner

# Make executable (Unix/Linux/macOS)
chmod +x scanner.py

# Run the scanner
python3 scanner.py

Docker Installation (Optional)

# Build Docker image
docker build -t network-scanner .

# Run in container
docker run -it --network host network-scanner

---

🔧 Usage Guide

🚀 Quick Start

python3 scanner.py

The scanner provides an intuitive menu system:

╔══════════════════════════════════════════════════════════════════╗
║                    NETWORK SCANNER TOOLKIT                      ║
║                  Professional Penetration Testing               ║
╠══════════════════════════════════════════════════════════════════╣
║  1. 📡 Extended Port Scan    - Comprehensive port discovery     ║
║  2. ⚡ Basic Port Scan       - Quick essential port check       ║
║  3. 🔐 SSH Security Testing  - Advanced SSH vulnerability scan  ║
║  4. 🎯 Custom Target Scan    - Manual IP/range specification   ║
║  5. ❌ Exit                   - Quit the application            ║
╚══════════════════════════════════════════════════════════════════╝

🔍 Network Discovery

# Automatic network detection
[+] Network: 192.168.1.0/24 (254 hosts)
[+] Gateway: 192.168.1.1
[+] Local IP: 192.168.1.100

# Custom network specification
python3 scanner.py --network 10.0.0.0/16

🎯 SSH Exploitation Capabilities

💬 Username Enumeration (CVE-2018-15473)

# Standard enumeration
[EXPLOIT] CVE-2018-15473 Username Enumeration
[+] Target: 192.168.1.50:22 (OpenSSH 7.4)
[+] Testing 100 common usernames...
[✓] Valid users found: admin, user, test

# Stealth enumeration with evasion
[STEALTH] Enabling anti-detection measures
[+] Random delays: 0.5-2.0 seconds
[+] Connection variation: randomized
[✓] Valid users found: admin (confirmed)

🔑 Advanced Brute Force Attacks

# Smart brute force
[EXPLOIT] Smart SSH Brute Force
[+] Target: 192.168.1.50:22
[+] Valid users: admin, user
[+] Wordlist: 500 common passwords
[✓] Credentials found: admin:password123

# Stealth brute force with fail2ban evasion
[STEALTH] Advanced evasion enabled
[+] Adaptive delays: 3-8 seconds
[+] Connection resets: every 5 attempts
[+] IP rotation: enabled
[!] Intrusion detection bypass: active

🛡️ Defense Bypass Features

• Timing Randomization: Variable delays between 0.1-10 seconds
• Connection Management: Automatic connection cycling to avoid detection
• Error Analysis: Smart handling of fail2ban and IDS responses
• Rate Limiting: Adaptive speed adjustment based on target responses

---

🔧 Advanced Configuration

📝 Configuration File (config.yaml)

# Network scanning settings
network:
  ping_timeout: 1.0
  port_timeout: 3.0
  thread_count: 50
  max_hosts: 254

# SSH exploitation settings
ssh:
  timeout: 10.0
  retry_count: 3
  stealth_mode: true
  delay_min: 0.5
  delay_max: 2.0
  
# Exploitation parameters
exploits:
  user_enumeration:
    max_users: 100
    timing_threshold: 0.05
  brute_force:
    max_attempts: 50
    wordlist_size: 500
    fail2ban_detection: true

🎯 Custom Port Lists

port_lists:
  basic: [22, 80, 443, 8080]
  extended: [21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 995, 8080]
  comprehensive: [1-1000, 3389, 5432, 5900, 8080-8090]

---

🛡️ Defense and Remediation

🔒 SSH Hardening Recommendations

Immediate Actions

# Disable root login
echo "PermitRootLogin no" >> /etc/ssh/sshd_config

# Require key-based authentication
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config

# Change default port
echo "Port 2222" >> /etc/ssh/sshd_config

# Restart SSH service
systemctl restart sshd

Long-term Security Measures

1. Intrusion Detection: Install and configure fail2ban
2. Network Segmentation: Isolate SSH access with firewall rules
3. Monitoring: Implement SSH connection logging and alerting
4. Regular Updates: Keep SSH software updated with security patches
5. Access Control: Use SSH certificates and centralized key management

🚨 Detection Signatures

Log Patterns to Monitor

# Username enumeration attempts
grep "Invalid user" /var/log/auth.log

# Brute force detection
grep "Failed password" /var/log/auth.log | head -10

# Connection frequency analysis
awk '{print $1, $2, $3, $11}' /var/log/auth.log | grep "sshd" | sort | uniq -c

Fail2ban Configuration

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

---

🔬 Technical Deep Dive

🎯 CVE-2018-15473 Exploitation Technical Details

Vulnerability Overview

• CVE ID: CVE-2018-15473
• Affected Versions: OpenSSH < 7.7, Cisco IOS, and others
• Impact: Username enumeration via timing attack
• CVSS Score: 5.3 (Medium)

Exploitation Methodology

1. Timing Analysis: Measure response times for valid vs invalid usernames
2. Statistical Validation: Use multiple samples to confirm timing differences
3. Evasion Techniques: Randomize delays to avoid detection
4. Result Validation: Cross-reference with common username patterns

# Simplified timing attack pseudocode
def enumerate_users(target, usernames):
    timings = {}
    for user in usernames:
        start = time.time()
        try_authentication(target, user, "invalid_password")
        end = time.time()
        timings[user] = end - start
    
    # Analyze timing patterns
    return analyze_timing_anomalies(timings)

🔍 Anti-Detection Mechanisms

Stealth Mode Features

• Jitter Introduction: Random delays between 0.1-10 seconds
• Connection Cycling: Establish new connections periodically
• Request Spacing: Adaptive timing based on target responses
• Error Handling: Graceful handling of defensive measures

---

📊 Example Scan Results

Network Discovery Output

╔══════════════════════════════════════════════════════════════════╗
║                       NETWORK SCAN RESULTS                      ║
╠══════════════════════════════════════════════════════════════════╣
║ Network: 192.168.1.0/24                                         ║
║ Active Hosts: 12/254                                             ║
║ Scan Duration: 45.3 seconds                                     ║
╚══════════════════════════════════════════════════════════════════╝

📡 DISCOVERED HOSTS:
┌─────────────────┬──────────────────┬─────────────────────────────┐
│ IP Address      │ Hostname         │ Response Time               │
├─────────────────┼──────────────────┼─────────────────────────────┤
│ 192.168.1.1     │ gateway.local    │ 1.2ms                      │
│ 192.168.1.50    │ server.local     │ 2.1ms                      │
│ 192.168.1.100   │ workstation.local│ 0.8ms                      │
└─────────────────┴──────────────────┴─────────────────────────────┘

SSH Vulnerability Report

╔══════════════════════════════════════════════════════════════════╗
║                    SSH VULNERABILITY REPORT                     ║
║                      Target: 192.168.1.50:22                   ║
╠══════════════════════════════════════════════════════════════════╣
║ SSH Version: OpenSSH 7.4                                        ║
║ Risk Level: HIGH                                                 ║
║ Vulnerabilities: 3 Critical, 2 High, 1 Medium                  ║
╚══════════════════════════════════════════════════════════════════╝

🔴 CRITICAL VULNERABILITIES:
┌─────────────────┬────────────────────────────────────────────────┐
│ CVE-2018-15473  │ Username Enumeration via Timing Attack        │
│ Status          │ ✅ EXPLOITABLE - 3 valid users discovered     │
│ Impact          │ Information Disclosure, Attack Preparation    │
│ Users Found     │ admin, user, test                             │
└─────────────────┴────────────────────────────────────────────────┘

┌─────────────────┬────────────────────────────────────────────────┐
│ Brute Force     │ Weak Authentication Configuration              │
│ Status          │ ✅ EXPLOITABLE - Password auth enabled        │
│ Impact          │ Unauthorized Access, Credential Compromise    │
│ Attempts        │ 45/50 tested, 1 credential found             │
└─────────────────┴────────────────────────────────────────────────┘

💥 EXPLOITATION RESULTS:
╔══════════════════════════════════════════════════════════════════╗
║ ✅ Successfully compromised SSH service                          ║
║ 🔑 Credential: admin:password123                                ║
║ 🎯 Access Level: Administrative                                 ║
║ ⚠️  Recommend immediate credential change and hardening         ║
╚══════════════════════════════════════════════════════════════════╝

---

🤝 Contributing

We welcome contributions from the security community! Please follow these guidelines:

🔄 Development Workflow

1. Fork the repository
2. Create a feature branch: git checkout -b feature/new-exploit
3. Commit changes: git commit -am 'Add new SSH exploit'
4. Push to branch: git push origin feature/new-exploit
5. Create a Pull Request

📝 Contribution Guidelines

• Ethical Focus: All contributions must be for educational/defensive purposes
• Code Quality: Follow Python PEP 8 standards
• Documentation: Include comprehensive documentation for new features
• Testing: Add unit tests for new exploitation modules
• Security: Include appropriate warnings and safeguards

🐛 Bug Reports

Please include:

• Python version and OS
• Complete error messages
• Steps to reproduce
• Expected vs actual behavior

---

📚 Resources and References

🔗 Security Resources

• OWASP Testing Guide
• NIST Cybersecurity Framework
• CVE Database
• SSH Security Best Practices

📖 Related Projects

• Nmap - Network discovery and security auditing
• Hydra - Password cracking tool
• SSH-Audit - SSH configuration auditing

🎓 Educational Content

• Penetration Testing Methodology
• SSH Protocol Deep Dive
• Network Security Fundamentals

---

⚖️ License

This project is licensed under the Educational Use License - see the LICENSE file for details.

Educational Use Only: This software is intended solely for educational purposes and authorized security testing. Any malicious use is strictly prohibited and may result in criminal prosecution.

---

🙏 Acknowledgments

• OpenSSH Team for maintaining secure SSH implementations
• Security Research Community for responsible vulnerability disclosure
• OWASP for security testing methodologies
• Python Community for excellent networking libraries

---

⚠️ Remember: With great power comes great responsibility

Use this tool ethically, legally, and responsibly.

Report Issues • Request Features • Security Contact