Medical Device Network Traffic Analyzer for Security Assessments
A passive CLI tool that analyzes network traffic for healthcare-specific protocol vulnerabilities, PHI leakage, and medical device anomalies. No packets sent. No active scanning.
Tools like Wireshark, Zeek, and Scapy are protocol-agnostic β they show you packets but have zero awareness of healthcare protocols, PHI exposure, or what kind of medical device is on the other end.
DicomGhost fills that gap. It understands:
- DICOM β medical imaging protocol (C-FIND, C-STORE, Association requests)
- HL7 v2 / MLLP β patient messaging (ADT, ORU, ORM, MDM)
- FHIR REST APIs β modern clinical APIs over HTTP
- Medical device fingerprinting β identifies device types from traffic patterns
No existing open source tool combines all of these in a single, pentest-ready CLI.
| Module | What it detects |
|---|---|
| DICOM Parser | Unencrypted image transfer, unauthenticated C-FIND/C-STORE, PACS exposure |
| HL7 Parser | MLLP without TLS, PHI in PID segments, ADT/ORU/ORM/MDM exposure |
| FHIR Parser | FHIR over HTTP, Bearer tokens in cleartext, bulk Bundle exposure |
| Device Fingerprinter | Identifies PACS, HL7 engines, DICOM modalities, ICS devices from port/TTL/UA |
| PHI Detector | Regex scan for SSN, MRN, DOB, patient names, ICD-10 codes in any TCP stream |
| Network Anomaly | Medical devices on internet, Telnet/FTP on clinical systems, HTTP Basic Auth |
Requirements: Python 3.8+, pip, root/sudo for live capture
git clone https://github.com/shaan3000/dicomghost.git
cd dicomghost
pip install -r requirements.txt# Analyze a PCAP file
python dicomghost.py --pcap hospital_network.pcap
# Live capture on interface for 60 seconds (requires sudo)
sudo python dicomghost.py --iface eth0 --duration 60
# Export JSON report
python dicomghost.py --pcap capture.pcap --output json --out report.json
# Verbose mode β show all findings including INFO
python dicomghost.py --pcap capture.pcap --verbose ___ __ __
____/ (_)________ ____ ___ ____ _/ /_ ____ _____/ /_
/ __ / / ___/ __ \/ __ `__ \/ __ `/ __ \/ __ \/ ___/ __/
/ /_/ / / /__/ /_/ / / / / / / /_/ / / / / /_/ (__ ) /_
\__,_/_/\___/\____/_/ /_/ /_/\__, /_/ /_/\____/____/\__/
/____/
DICOM Medical Device Network Recon Tool
Author: Shantanu Shastri
For authorized security assessments only.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
DicomGhost Scan Report | 2024-11-01 14:23:11
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Summary:
CRITICAL 4
HIGH 3
MEDIUM 2
Discovered Devices (3):
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
192.168.10.42 DICOM AE (PACS/Modality) [High]
Ports: 104, 11112
Protocols: TCP, DICOM
192.168.10.55 HL7 Integration Engine [High]
Ports: 2575
Protocols: TCP, HL7
Findings:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[!!!] [CRITICAL] PHI LEAKAGE
DICOM C-FIND: patient record query in cleartext
A DICOM C-FIND query was detected. PHI directly exposed in query responses.
Peers: 192.168.10.22 -> 192.168.10.42:104
Fix: Restrict C-FIND access. Enable TLS. Log all C-FIND queries.
See the --output json flag to generate full JSON output.
| Level | Meaning |
|---|---|
CRITICAL |
Active PHI exposure or immediate patient safety risk |
HIGH |
Unencrypted medical protocol traffic |
MEDIUM |
Misconfiguration or policy violation |
LOW |
Informational issue |
INFO |
Observation with no direct risk |
| Code | Meaning |
|---|---|
0 |
No HIGH or CRITICAL findings |
1 |
HIGH findings present |
2 |
CRITICAL findings present |
Useful for CI/CD integration or automated assessment pipelines.
- Contributing β how to add parsers or report bugs
- Security Policy β responsible disclosure
- Changelog β version history
π Full usage guide and protocol reference docs coming soon.
pip install pytest pytest-cov
pytest tests/ -v --cov=dicomghost- MDAP (Medical Device Acquisition Protocol) support
- BACnet / Modbus medical ICS detection
- DICOM TLS version fingerprinting
- HL7 v3 / CDA document support
- Device CVE correlation from NVD
- HIPAA risk scoring per finding
- Wireshark dissector plugin export
Shantanu Shastri
Cybersecurity Professional | GE Healthcare
Specialization: Medical Device & IoT Security, Hardware Security, Penetration Testing
DicomGhost is a passive network analysis tool β it does not transmit any packets. It is intended exclusively for authorized penetration testing engagements, security research in controlled lab environments, and healthcare security assessments with written client authorization.
Use of this tool against systems without explicit written authorization may violate HIPAA, the Computer Fraud and Abuse Act (CFAA), and equivalent legislation in your jurisdiction. The author assumes no liability for misuse.
MIT License β see LICENSE for details.