Passive Vulnerability Assessment Tool for IoT device discovery and identification.
- 🚀 Fast Discovery: Masscan sweeps (10K+ pps) with smart filtering
- 🔍 Device Fingerprinting: Context-aware pattern matching with false positive filtering
- 🔒 CVE Matching: 26 CVEs covering consumer/enterprise IoT with version validation
- 📸 Evidence Collection: Screenshots, curl responses, nmap XML/text output
- 📊 JSON Export: Structured findings with confidence scores
- ⚡ Resource Management: Semaphore-based concurrency (prevents fork bombs)
- 🎯 Batch Processing: 8x nmap efficiency with batch scans
- ⏱️ Configurable Timeouts: Per-port, set in config.json (ships with 2s for every port; raise individual ports for slow embedded devices)
- ♻️ Resume Capability: Auto-save every 50 targets
- 🛡️ Security Hardened: Input validation, no injection vulnerabilities
- 🚫 Cloud Filtering: Optional exclusion of AWS/Azure/GCP ranges (configurable)
- 📍 Priority Scanning: IoT-likely ports first (8291, 8080, 23)
- 🔇 HTTPS Screenshot Skip: Avoids timeout-prone HTTPS captures
```bash
# Fast scan (no screenshots, default)
sudo python3 internet-scanner.py 73.0.0.0/16 --rate 15000 --threads 100 --max 100

# With screenshots (slower, for detailed analysis)
sudo python3 internet-scanner.py 73.0.0.0/16 --screenshots --max 10

# Find specific device type
sudo python3 internet-scanner.py 96.0.0.0/16 --device netgear --max 5

# Custom regex pattern matching
sudo python3 internet-scanner.py 73.0.0.0/16 --pattern 'netgear.*r7000' --max 10

# Resume interrupted scan
sudo python3 internet-scanner.py 73.0.0.0/16 --resume

# Conservative scan (avoid ISP complaints)
sudo python3 internet-scanner.py 73.0.0.0/16 --rate 500 --threads 10
```

Example ranges (public ranges only with written authorization from the owner):
- Comcast: 73.0.0.0/16, 96.0.0.0/16
- AT&T: 108.0.0.0/16, 76.0.0.0/16
- Verizon: 99.0.0.0/16
- Charter: 24.0.0.0/16, 66.0.0.0/16
- Cox: 68.0.0.0/16, 71.0.0.0/16
- Local lab: 192.168.1.0/24 (your own network; make sure it is not listed in excluded_private_networks, or masscan will skip it)
- Shodan honeypots: check Shodan.io for authorized test targets
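Before any of these ranges reach masscan they should be validated and the excluded networks subtracted. The following is an added example, not the scanner's own code: it uses the config keys the README shows (scanner.default_ports, scanner.default_rate, excluded_cloud_ranges) plus excluded_private_networks, whose exact shape the README does not show and which is assumed here to be a plain list of CIDRs. The argv it builds is meant for subprocess.run as a list, never a shell string, so a range like `73.0.0.0/16; rm -rf /` is rejected by ip_network() long before it could reach a shell. IPv4 only, to keep the address arithmetic simple.

```python
"""Added example (not the project's code): validate scan ranges, subtract
excluded networks, and build a masscan argument list for the discovery stage.
excluded_private_networks as a list of CIDRs is an assumption; IPv4 only."""
import ipaddress
import re
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed config fragment mirroring the README's config.json keys.
CONFIG = {
    "scanner": {"default_ports": "80,443,8080,8443,8291,8000,10443",
                "default_rate": 15000},
    "excluded_private_networks": ["10.0.0.0/8", "127.0.0.0/8",
                                  "172.16.0.0/12", "192.168.0.0/16"],
    "excluded_cloud_ranges": {"enabled": True,
                              "ranges": ["3.0.0.0/8", "52.0.0.0/8"]},
}

# masscan port syntax we are willing to pass through: "80,443,8000-8100"
PORTS_RE = re.compile(r"\d{1,5}(?:-\d{1,5})?(?:,\d{1,5}(?:-\d{1,5})?)*")


def parse_ranges(ranges: Iterable[str]) -> List[IPv4Net]:
    """Input validation: anything that is not a well-formed IPv4 network is refused."""
    nets = []
    for r in ranges:
        try:
            net = ipaddress.ip_network(r.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"rejected range {r!r}: {exc}") from exc
        if net.version != 4:
            raise ValueError(f"rejected range {r!r}: IPv4 only in this example")
        nets.append(net)
    return nets


def excluded_networks(config: dict) -> List[IPv4Net]:
    """Private ranges always; cloud ranges only when excluded_cloud_ranges.enabled is true."""
    excl = list(config.get("excluded_private_networks", []))
    cloud = config.get("excluded_cloud_ranges", {})
    if cloud.get("enabled"):
        excl += cloud.get("ranges", [])
    return parse_ranges(excl)


def effective_targets(ranges: List[IPv4Net], excluded: List[IPv4Net]) -> List[IPv4Net]:
    """Subtract every excluded network from every target and collapse the remainder.

    Two CIDR blocks either nest or are disjoint, so three cases cover everything.
    """
    pieces = list(ranges)
    for ex in excluded:
        kept = []
        for p in pieces:
            if p.subnet_of(ex):            # target lies entirely inside the exclusion
                continue
            if ex.subnet_of(p):            # exclusion is a hole inside the target
                kept.extend(p.address_exclude(ex))
            else:                          # disjoint
                kept.append(p)
        pieces = kept
    return sorted(ipaddress.collapse_addresses(pieces))


def masscan_argv(ranges: Iterable[str], config: dict = CONFIG,
                 rate: Optional[int] = None, out_file: str = "masscan.json") -> List[str]:
    """Build argv for subprocess.run(argv, check=True): a list, never a shell string."""
    targets = effective_targets(parse_ranges(ranges), excluded_networks(config))
    if not targets:
        raise ValueError("nothing left to scan after exclusions")
    rate = int(rate if rate is not None else config["scanner"]["default_rate"])
    if not 1 <= rate <= 10_000_000:
        raise ValueError(f"implausible packet rate {rate}")
    ports = config["scanner"]["default_ports"]
    if not PORTS_RE.fullmatch(ports):
        raise ValueError(f"bad port specification {ports!r}")
    return ["masscan", *(str(t) for t in targets),
            "-p", ports, "--rate", str(rate), "-oJ", out_file]


if __name__ == "__main__":
    # 192.168.1.0/24 falls inside excluded_private_networks and is dropped here.
    print(" ".join(masscan_argv(["73.0.0.0/16", "192.168.1.0/24"], rate=500)))
```

The exclusion is done twice over in practice: masscan's own `--exclude` / `--excludefile` options can carry the same list, but carving the holes out in Python first means the target list written to the log is exactly what was probed.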
Edit config.json to customize behavior (abridged; the `//` comment and the `...` below are illustrative only and are not valid JSON):

```json
{
  "scanner": {
    "default_ports": "80,443,8080,8443,8291,8000,10443",
    "default_rate": 15000,
    "default_threads": 100,
    "max_heavy_tasks": 20,
    "port_timeouts": {
      "80": 2, "443": 2, "8080": 2, "8291": 2, "default": 2
    },
    "skip_screenshot_ports": ["443", "8443"],
    "batch_nmap_size": 8
  },
  "excluded_cloud_ranges": {
    "enabled": false, // Set true to skip AWS/Azure/GCP
    "ranges": ["3.0.0.0/8", "52.0.0.0/8", ...]
  },
  "signatures": {
    "netgear": {
      "patterns": ["NETGEAR", "R7000", "R6700"],
      "priority": "HIGH"
    },
    "mikrotik": {
      "patterns": ["MikroTik", "RouterOS", "Winbox"],
      "priority": "CRITICAL"
    }
  },
  "cve_database": {
    "CVE-2021-34991": {
      "devices": ["netgear", "r7000"],
      "max": "1.0.11.126",
      "severity": "CRITICAL"
    }
  }
}
```

- default_rate: Masscan packet rate (default: 15000 pps)
- default_threads: Concurrent fingerprinting threads (default: 100)
- max_heavy_tasks: Concurrent nmap/curl operations (default: 20)
- port_timeouts: Per-port timeout in seconds (default: 2s - IoT responds fast)
- skip_screenshot_ports: Ports to skip for screenshots (HTTPS often fails)
- batch_nmap_size: IPs per nmap batch (default: 8)
- excluded_cloud_ranges.enabled: Filter cloud provider IPs
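How signatures, the confidence score and the cve_database `max` field fit together, as an added example that is not the project's code. The scoring formula, the HIGH/MEDIUM/LOW thresholds, the regexes for model and firmware version, and the reading of `max` as the highest affected firmware version (inclusive) are all assumptions; the HTTP response is constructed. Version comparison uses packaging.version when it is installed (the README lists packaging as a dependency) and falls back to comparing dotted integers otherwise.

```python
"""Added example (not the project's code): fingerprint a captured HTTP response
against config.json-style signatures, extract model and firmware version, and
check the version against a cve_database entry.  Scoring, thresholds, regexes
and the inclusive meaning of "max" are assumptions; the response is constructed."""
import re
from typing import Dict, List, Optional

try:                                    # README lists 'packaging' as a dependency
    from packaging.version import Version as _version_key
except ImportError:                     # fallback: plain dotted-integer comparison
    def _version_key(s: str):
        return tuple(int(x) for x in s.split("."))

# Constructed fragment mirroring the README's config.json keys.
CONFIG = {
    "signatures": {
        "netgear": {"patterns": ["NETGEAR", "R7000", "R6700"], "priority": "HIGH"},
        "mikrotik": {"patterns": ["MikroTik", "RouterOS", "Winbox"], "priority": "CRITICAL"},
    },
    "cve_database": {
        "CVE-2021-34991": {"devices": ["netgear", "r7000"], "max": "1.0.11.126",
                           "severity": "CRITICAL"},
    },
}

PRIORITY_WEIGHT = {"CRITICAL": 6, "HIGH": 3}          # hypothetical weights
VERSION_RE = re.compile(r"(?:firmware|version)[^0-9\n]{0,20}(\d+(?:\.\d+){2,})", re.I)
MODEL_RE = re.compile(r"\b(R\d{4})\b")                 # Netgear-style model tokens only


def fingerprint(response: str, config: dict) -> Optional[Dict]:
    """Pick the signature with the most distinct pattern hits; None if nothing matched."""
    best = None
    lowered = response.lower()
    for name, sig in config["signatures"].items():
        hits = [p for p in sig["patterns"] if p.lower() in lowered]
        if not hits:
            continue
        score = 6 * len(hits) + PRIORITY_WEIGHT.get(sig["priority"], 1)
        if best is None or score > best["confidence_score"]:
            best = {"device": name, "matched": hits, "confidence_score": score}
    return best


def confidence_level(score: int) -> str:
    return "HIGH" if score >= 15 else "MEDIUM" if score >= 8 else "LOW"


def match_cves(device: str, model: Optional[str], firmware: Optional[str],
               config: dict) -> List[Dict]:
    findings = []
    for cve_id, entry in config["cve_database"].items():
        names = {d.lower() for d in entry["devices"]}
        if device.lower() not in names:
            continue
        models = names - {device.lower()}
        # An entry that names a model applies only when that model was seen;
        # this is the guard against flagging the whole vendor family.
        if models and (model is None or model.lower() not in models):
            continue
        status = "UNKNOWN_VERSION"
        if firmware:
            try:
                vulnerable = _version_key(firmware) <= _version_key(entry["max"])
                status = "LIKELY_VULNERABLE" if vulnerable else "PATCHED"
            except ValueError:          # packaging's InvalidVersion is a ValueError
                status = "UNPARSEABLE_VERSION"
        findings.append({"cve_id": cve_id, "status": status, "severity": entry["severity"]})
    return findings


def build_finding(ip: str, port: int, response: str, config: dict = CONFIG) -> Optional[Dict]:
    """Produce a finding in the scanner's JSON shape, or None when nothing matched."""
    fp = fingerprint(response, config)
    if fp is None:
        return None
    model = MODEL_RE.search(response)
    fw = VERSION_RE.search(response)
    model_s = model.group(1) if model else None
    fw_s = fw.group(1) if fw else None
    level = confidence_level(fp["confidence_score"])
    return {
        "ip": ip, "port": str(port), "device": fp["device"],
        "device_model": model_s, "firmware_version": fw_s,
        "confidence_score": fp["confidence_score"], "confidence_level": level,
        "status": "VALIDATED" if level == "HIGH" else "NEEDS_REVIEW",
        "cves": match_cves(fp["device"], model_s, fw_s, config),
    }


# Constructed response; a real device banner will differ.
SAMPLE_RESPONSE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="NETGEAR R7000"
Content-Type: text/html

<html><head><title>NETGEAR Router R7000</title></head>
<body>Firmware Version 1.0.9.88</body></html>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(build_finding("192.0.2.10", 80, SAMPLE_RESPONSE), indent=2))
```

A single pattern hit (say a page that merely mentions "RouterOS") lands in MEDIUM and is marked NEEDS_REVIEW rather than VALIDATED; that is where the curl_responses/ directory earns its keep, because the raw response is what an analyst reviews to confirm or discard the match.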
Default: Screenshots are disabled for performance
- Use the `--screenshots` flag to enable them when needed
- Screenshots are the slowest operation (5-10x slower)
- Curl responses are always captured (sufficient for fingerprinting)
Results saved to scans/scan_TIMESTAMP/:
```text
scans/scan_20250102_143022/
├── scanner.log                        # Detailed execution log
├── found-targets.txt                  # Quick summary (IP:PORT|DEVICE|CVE_COUNT)
├── valid-ips.txt                      # List of validated IPs
├── validation-status.txt              # Timestamped findings
├── scan_a1b2c3d4.json                 # Full structured results
├── nmap/
│   ├── batch_*.txt                    # Human-readable nmap output
│   └── batch_*.xml                    # Machine-readable nmap output
├── screenshots/
│   └── 192_168_1_1_80.png             # Device web interfaces
└── curl_responses/
    └── 192_168_1_1_80_response.txt    # Raw HTTP responses
```
Each entry in the JSON results has this shape:

```json
{
  "ip": "192.168.1.1",
  "port": "80",
  "device": "netgear",
  "device_model": "R7000",
  "firmware_version": "1.0.9.88",
  "confidence_score": 18,
  "confidence_level": "HIGH",
  "status": "VALIDATED",
  "cves": [
    {
      "cve_id": "CVE-2021-34991",
      "status": "LIKELY_VULNERABLE",
      "severity": "CRITICAL",
      "description": "Netgear R7000 Command Injection via UPnP"
    }
  ]
}
```

```bash
# Required (checked automatically on startup)
sudo apt-get install masscan nmap curl

# Optional (for screenshots)
sudo apt-get install chromium-browser chromium-chromedriver

# Python packages
pip3 install selenium packaging requests urllib3
```

```bash
# Masscan requires raw socket access
sudo python3 internet-scanner.py ...

# Or use capabilities (more secure)
sudo setcap cap_net_raw+ep $(which masscan)
python3 internet-scanner.py ...   # No sudo needed
```

Two things to know about the capability route: the capability is a file attribute on that one binary, so it is lost when the masscan package is upgraded and has to be re-applied; and nmap running as non-root defaults to a connect scan (-sT) and refuses SYN scans and OS detection unless it too is granted cap_net_raw and cap_net_admin.

- ASSESSMENT-SCOPE.md - Capabilities, limitations, legal considerations
- test-rce-detection.py - RCE detection robustness tests (11/11 pass)
- verify-exploits.py - Post-scan exploit verification (authorized use only)
- FIXES.md - Historical fixes and improvements
- IMPROVEMENTS.md - Security hardening details
- Routers: Netgear, ASUS, TP-Link, D-Link, Linksys, Ubiquiti, MikroTik
- Cameras: Hikvision, Dahua, Axis
- Network: Cisco, ZyXEL
- VPN/Firewall: Fortinet, Palo Alto, SonicWall, Pulse Secure, Citrix
- 2024: CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect), CVE-2024-3080 (ASUS router authentication bypass), CVE-2024-10914 (D-Link NAS command injection)
- 2023: CVE-2023-20198 (Cisco IOS XE web UI), CVE-2023-30799 (MikroTik RouterOS privilege escalation), CVE-2023-1389 (TP-Link Archer AX21 command injection)
- 2018-2022: Netgear, Hikvision, Fortinet, Citrix, and more
Optimized Scan (1000 targets, no screenshots):
- Discovery (masscan): ~30 seconds (15K pps)
- Fingerprinting: ~5-10 minutes (2s timeouts, 100 threads)
- Nmap batch scans: ~3 minutes
- Total: ~10-15 minutes
With Screenshots (100 targets):
- Add ~10-20 minutes for screenshot capture
- Use only for detailed analysis of specific targets
Optimizations:
- 5-10x faster with screenshots disabled (default)
- 3x faster with 2s uniform timeouts (an embedded web server that is up answers well inside that; raise port_timeouts for known slow devices)
- 2x faster with 100 threads vs 50
- Up to 8x fewer nmap invocations with batching (one nmap run per batch_nmap_size IPs, 8 by default)
Before scanning:
- ✅ Obtain written authorization from the network owner
- ✅ Review applicable laws (CFAA, GDPR, local regulations)
- ✅ Use conservative rates (--rate 500) for residential ranges
- ✅ Have an incident response plan for accidental disruption

Appropriate use:
- ISP security audits (with authorization)
- Enterprise network assessments (internal)
- Security research (controlled environments)
- Vulnerability disclosure programs

Not permitted:
- Unauthorized network scanning
- Competitive intelligence gathering
- Malicious exploitation
- Service disruption

Troubleshooting:

"Masscan failed with exit code 1"

```bash
# Check permissions
sudo python3 internet-scanner.py ...

# Or verify that masscan works on its own
sudo masscan 192.168.1.0/24 -p80
```

"No targets found"
- Check whether the range is in excluded_private_networks
- Verify that the masscan output file exists
- Try a lower --rate if the ISP is filtering

"Scanner hangs"
- Reduce --threads (default: 100, try 50)
- Lower max_heavy_tasks in config.json (default: 20, try 10)
- Check for stuck or zombie processes (a Z in the STAT column is a child that exited but was never reaped):

```bash
ps -eo pid,stat,etime,cmd | grep '[n]map'
```

- Disable screenshots if enabled (they're slow)

"Too many false positives"
- Increase the confidence threshold in code
- Review signatures in config.json
- Check curl_responses/ for manual verification
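What max_heavy_tasks and port_timeouts protect against, and why a timed-out child must be killed and then reaped: an added example, not the scanner's code. The targets and the child commands (a Python sleep standing in for an nmap or curl invocation) are constructed so the demo runs offline, and MAX_HEAVY_TASKS is 3 rather than the README's 20 to keep the run short.

```python
"""Added example (not the project's code): bound concurrent heavy subprocesses with
a semaphore, enforce per-port timeouts, and kill + reap anything that overruns so
the pool cannot hang and no zombie processes accumulate.  Targets are constructed;
each child is a Python sleep standing in for nmap/curl."""
import asyncio
import sys
import time
from typing import Dict, List, Tuple

PORT_TIMEOUTS = {"80": 2, "443": 2, "8080": 2, "8291": 2, "default": 2}  # seconds
MAX_HEAVY_TASKS = 3          # README default is 20; small here so the demo is quick


def timeout_for(port: int) -> float:
    return float(PORT_TIMEOUTS.get(str(port), PORT_TIMEOUTS["default"]))


async def run_bounded(argv: List[str], timeout: float, sem: asyncio.Semaphore) -> Dict:
    """Run one child under the semaphore; on timeout kill it and wait for it."""
    async with sem:                                   # at most N children alive at once
        proc = await asyncio.create_subprocess_exec(
            *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.DEVNULL)
        try:
            out, _ = await asyncio.wait_for(proc.communicate(), timeout)
            return {"status": "ok", "rc": proc.returncode,
                    "output": out.decode(errors="replace").strip()}
        except asyncio.TimeoutError:
            proc.kill()
            await proc.wait()    # reap it: without this the dead child lingers as a zombie
            return {"status": "timeout", "rc": proc.returncode, "output": ""}


def fake_probe(ip: str, port: int, seconds: float) -> List[str]:
    """Stand-in for e.g. ['curl', '-m', '2', f'http://{ip}:{port}/']."""
    return [sys.executable, "-c",
            f"import time; time.sleep({seconds}); print('banner from {ip}:{port}')"]


async def _scan(targets: List[Tuple[str, int, float]], max_heavy: int) -> List[Dict]:
    sem = asyncio.Semaphore(max_heavy)
    jobs = [run_bounded(fake_probe(ip, port, secs), timeout_for(port), sem)
            for ip, port, secs in targets]
    return list(await asyncio.gather(*jobs))


def scan_all(targets: List[Tuple[str, int, float]], max_heavy: int = MAX_HEAVY_TASKS) -> Dict:
    """Return per-target results (in input order) plus wall-clock time taken."""
    t0 = time.monotonic()
    results = asyncio.run(_scan(targets, max_heavy))
    return {"results": results, "elapsed": time.monotonic() - t0}


# Constructed targets: (ip, port, seconds the fake probe takes to answer).
# 192.0.2.3 never answers inside the 2s port timeout and must not stall the rest.
TARGETS = [("192.0.2.1", 80, 0.1), ("192.0.2.2", 8291, 0.1), ("192.0.2.3", 80, 30.0),
           ("192.0.2.4", 443, 0.1), ("192.0.2.5", 8080, 0.1)]

if __name__ == "__main__":
    run = scan_all(TARGETS)
    for (ip, port, _), res in zip(TARGETS, run["results"]):
        print(f"{ip}:{port:<5} {res['status']:<8} rc={res['rc']} {res['output']}")
    print(f"elapsed {run['elapsed']:.1f}s")
```

The two lines that matter are `proc.kill()` followed by `await proc.wait()`: killing without waiting is exactly what leaves the Z entries the troubleshooting step above looks for, and a pool of such entries is what a "scanner hangs" report usually turns out to be.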
Contributions welcome! Focus areas:
- Additional device signatures
- CVE database updates
- Performance optimizations
- False positive reduction
For authorized security assessments only. See ASSESSMENT-SCOPE.md for disclaimer.
```text
usage: internet-scanner.py [-h] [--rate RATE] [--threads THREADS] [--max MAX_FINDINGS]
                           [--device DEVICE] [--pattern PATTERN] [--resume] [--screenshots]
                           ranges
```

Options:
- ranges: IP ranges to scan (e.g., '73.0.0.0/16')
- --rate RATE: Masscan packet rate (default: 15000)
- --threads THREADS: Concurrent threads (default: 100)
- --max MAX_FINDINGS: Stop after N validated findings
- --device DEVICE: Filter for a specific device type (e.g., netgear, hikvision)
- --pattern PATTERN: Custom regex pattern to match
- --resume: Resume an interrupted scan
- --screenshots: Enable screenshots (disabled by default for performance)

This tool is provided for authorized security assessments only. Users are responsible for obtaining proper authorization, complying with laws, and using findings ethically. The authors assume no liability for misuse.