Automated network scanner that discovers all devices on a WiFi/LAN network and identifies vulnerabilities on each host.
Network Vulnerability Scanner v1.0
Connect to a WiFi or LAN network and run NetHunter. It automatically:
- Detects your network (e.g. 192.168.1.0/24)
- Discovers all live hosts via ARP scan (admin) or ping sweep (user)
- Scans open ports on every host with banner grabbing
- Identifies vulnerabilities based on exposed services, versions and misconfigurations
- Generates a report — terminal table + exportable HTML
| Severity | Examples |
|---|---|
| CRITICAL | Telnet open, Redis/MongoDB exposed (no auth), Docker API unencrypted, Jupyter Notebook, vsFTPd backdoor |
| HIGH | RDP exposed, SMB open, FTP anonymous login, WinRM, WebLogic, outdated PHP/Apache/OpenSSL |
| MEDIUM | MySQL/PostgreSQL exposed, SNMP, NFS, Prometheus metrics leak, dev servers |
| LOW | HTTP without HTTPS, default web pages, directory listing |
| INFO | SSH open, SMTP open, printer services |
Also detects outdated software versions from service banners:
- Apache 2.2 / IIS 6.0 (end-of-life)
- PHP 5.x / PHP 7.0-7.1 (end-of-life)
- OpenSSL 1.0.x (Heartbleed era)
- OpenSSH 7.2 (user enumeration CVE)
- vsFTPd 2.3.4 (known backdoor)
```bash
git clone https://github.com/DavidJara1998/NetHunter.git
cd NetHunter
pip install -r requirements.txt
```

Requirements: Python 3.8+
For ARP scan (MAC addresses): install Npcap on Windows or run as root on Linux.
```bash
# Auto-detect network and scan everything
python nethunter.py

# Specify target network manually
python nethunter.py --network 192.168.1.0/24

# Scan a single host
python nethunter.py --target 192.168.1.1

# Fast scan (top 20 ports only)
python nethunter.py --fast

# Export HTML report
python nethunter.py --output html

# Full options
python nethunter.py --network 10.0.0.0/24 --output both --threads 200
```

Options:

```
--network, -n   Target network CIDR (auto-detected if omitted)
--target, -t    Scan a single host
--output, -o    Export report: html | json | both
--fast          Scan top 20 critical ports only
--threads       Threads for port scanning (default: 150)
--timeout       Port connect timeout in seconds (default: 1)
```
```
[*] Local IP: 192.168.1.105
[*] Network: 192.168.1.0/24 (254 hosts)

=== MODULE 1: HOST DISCOVERY ===
[+] 8 host(s) discovered:
    192.168.1.1     MAC: AA:BB:CC:11:22:33 (router)
    192.168.1.100   MAC: N/A
    192.168.1.101   MAC: N/A
    ...

=== MODULE 2: PORT SCANNER ===
[*] Scanning 8 host(s) — 46 ports each
    192.168.1.1     80(HTTP), 443(HTTPS), 22(SSH)
    192.168.1.100   23(Telnet), 80(HTTP), 3306(MySQL), 6379(Redis)
    192.168.1.101   445(SMB), 3389(RDP)

=== MODULE 3: VULNERABILITY ASSESSMENT ===
192.168.1.100 — 2 CRITICAL | 1 HIGH
    [CRITICAL] Telnet Open
        Telnet transmits credentials in plaintext.
    [CRITICAL] Redis Exposed
        Redis has no authentication by default.
    [HIGH] MySQL Exposed
        MySQL exposed to network — should be localhost only.
192.168.1.101 — 1 HIGH
    [HIGH] RDP Exposed
        RDP exposed to network — brute-force and BlueKeep risk.
    [HIGH] SMB Open
        SMB exposed — check for EternalBlue (MS17-010).

=== SCAN SUMMARY ===
Host            Open Ports           Critical  High  Medium  Risk
192.168.1.1     80, 443, 22          0         0     0       CLEAN
192.168.1.100   23, 80, 3306, 6379   2         1     0       CRITICAL
192.168.1.101   445, 3389            0         2     0       HIGH

[!] CRITICAL: 2
[!] HIGH: 3
```
Host discovery:
- ARP scan (admin/root + scapy): sends ARP requests to find all live hosts and their MAC addresses. Reliable and fast.
- Ping sweep (no admin needed): sends ICMP echo requests to each host using the OS ping command. Works on all systems, though hosts that drop ICMP echo will not be found.

The tool tries ARP first and falls back to ping sweep automatically.

Port scanning:
- Pure Python socket-based scanner with threading (150 concurrent threads by default)
- Scans 46 carefully selected ports covering all critical services
- Banner grabbing: connects to each open port and reads the service response to identify version information
- HTTP probe on web ports to detect default pages and server headers

Vulnerability assessment:
- Port-based rules: maps open ports to known vulnerability patterns
- Banner analysis: parses service banners to detect outdated or vulnerable versions
- Active checks: FTP anonymous login attempt
- HTTP content analysis: detects phpinfo pages, directory listing, default server pages

Reporting:
- Terminal: rich-formatted table sorted by risk level
- HTML: dark-themed report with network map and per-host finding details
- JSON: machine-readable output for integration with other tools
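
The banner analysis step described above, applied to the outdated versions listed earlier in this README, as an added example; it is not NetHunter's own `vulncheck.py` code. The rule table, function names and sample banners are constructed for illustration, and the HIGH rating for IIS 6.0 and OpenSSH 7.2 is an assumption.

```python
import re

# Rules for the outdated versions this README lists. CRITICAL/HIGH for vsFTPd,
# Apache, PHP and OpenSSL follow the README's severity table; HIGH for IIS 6.0
# and OpenSSH 7.2 is an assumption. Each pattern is anchored on the product token
# (so "PHP/7.2.5" can never satisfy the OpenSSH 7.2 rule) and ends on a boundary.
BANNER_RULES = [
    (re.compile(r"vsFTPd 2\.3\.4\b", re.I), "CRITICAL", "vsFTPd 2.3.4 (known backdoor)"),
    (re.compile(r"Apache/2\.2(?:\.\d+)?\b", re.I), "HIGH", "Apache 2.2 (end-of-life)"),
    (re.compile(r"Microsoft-IIS/6\.0\b", re.I), "HIGH", "IIS 6.0 (end-of-life)"),
    (re.compile(r"PHP/(?:5\.\d+|7\.[01])(?:\.\d+)?\b", re.I), "HIGH", "PHP 5.x / 7.0-7.1 (end-of-life)"),
    (re.compile(r"OpenSSL/1\.0\.\d+[a-z]*\b", re.I), "HIGH", "OpenSSL 1.0.x"),
    (re.compile(r"OpenSSH_7\.2(?:p\d+)?\b", re.I), "HIGH", "OpenSSH 7.2 (user enumeration CVE)"),
]
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1}

def analyze_banner(banner):
    """Return (severity, finding) for every rule the banner text matches."""
    return [(sev, label) for rx, sev, label in BANNER_RULES if rx.search(banner)]

def assess_hosts(banners):
    """Turn {host: {port: banner}} into {host: [(severity, port, finding)]}, most
    severe first. Hosts with no matching banner are left out."""
    report = {}
    for host, ports in banners.items():
        found = [(sev, port, label) for port, text in ports.items()
                 for sev, label in analyze_banner(text)]
        if found:
            report[host] = sorted(found, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return report

# Constructed sample input: banners as a scan of a lab network might return them.
SAMPLE_BANNERS = {
    "192.168.1.100": {21: "220 (vsFTPd 2.3.4)",
                      80: "Server: Apache/2.2.34 (Unix) OpenSSL/1.0.2k PHP/5.6.40"},
    # Versions outside the README's list: nothing on this host may match.
    "192.168.1.101": {21: "220 (vsFTPd 3.0.3)",
                      22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
                      80: "Server: Apache/2.4.58 (Ubuntu) OpenSSL/1.1.1k PHP/7.2.5"},
    "192.168.1.102": {22: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10"},
}

if __name__ == "__main__":
    for host, findings in assess_hosts(SAMPLE_BANNERS).items():
        for sev, port, label in findings:
            print(f"{host}:{port} [{sev}] {label}")
```

A banner version is a lead, not proof: distributions backport security fixes without changing the upstream version string, so confirm against the installed package before recording a finding.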
```
NetHunter/
├── nethunter.py          # CLI entry point
├── requirements.txt
└── modules/
    ├── discovery.py      # Host discovery — ARP scan + ping sweep
    ├── portscanner.py    # Port scanning + banner grabbing
    ├── vulncheck.py      # Vulnerability assessment rules
    └── reporter.py       # Terminal summary + HTML/JSON export
```
| Feature | Normal user | Admin / Root |
|---|---|---|
| Host discovery | Ping sweep | ARP scan |
| MAC addresses | No | Yes |
| Port scanning | Yes | Yes |
| Vulnerability detection | Yes | Yes |
Vulnerability detection works identically in both modes. Admin only adds MAC address visibility.
Windows — run as admin:
Right-click CMD or PowerShell → "Run as administrator"

```bash
python nethunter.py
```

Linux/Kali — run as root:

```bash
sudo python nethunter.py
```
Intended environments:
- Home/lab networks you own
- HackTheBox VPN networks
- TryHackMe VPN networks
- Virtual machine networks (VMware, VirtualBox host-only)
This tool is for authorized network testing only. Scanning networks without explicit permission is illegal. The author is not responsible for any misuse.