⚡ NEXPORT — Intelligent Threat Analysis Suite

Professional Network Port Intelligence, Live Threat Intelligence & AI-Driven Security Analytics Platform


👤 Lead Developer: Steven Osama (Alias: zeroman)
🖥️ GitHub Profile: @zeroman-root
📦 Official Repository: github.com/zeroman-root/nexport.git
🔒 Copyright: © 2026 Steven Osama (zeroman). All rights reserved.


NEXPORT is an advanced, high-performance security reconnaissance and automation tool tailored for Kali Linux and security operations. Designed and engineered by cybersecurity professional Steven Osama (zeroman), it bridges the gap between raw network scanning and actionable vulnerability intelligence.

NEXPORT features Live Threat Intelligence — real-time integration with the Shodan API and CIRCL CVE API that automatically enriches every scan with external perspective data, live CVE hits on detected service versions, and internet-facing vulnerability telemetry. An optional AI Intelligence Layer can now be activated to deliver structured security assessments — powered by OpenAI, Google, or Anthropic — that appear before the raw data, giving SOC analysts and penetration testers an immediate, analyst-grade interpretation of every scan.

Wrapped in a stunning, high-contrast Cyberpunk ANSI neon interface, NEXPORT ensures maximum data scannability under critical engagement timelines.


⚡ Key Features

  • 📦 System-Wide Auto Integration: Advanced installer deploys a native wrapper granting full execution rights from anywhere in the system.
  • 🛠️ Strict Modular Architecture: Code logic, UI rendering, Nmap engines, databases, live API clients, and the AI Intelligence Layer are strictly separated across clean, self-documenting .sh files with zero code bloat.
  • 🗄️ Massive Vulnerability Database: Deeply mapped catalog linking thousands of ports to risk indices (HIGH/MED/LOW), encryption compliance flags ([CLR]), and known real-world exploits.
  • 🔍 Intelligent Live Nmap Parser: Wraps Nmap into 6 professional deployment modes (Quick, Standard, Full, Stealth, Vuln, Custom) with automated version extraction and lookup integration.
  • 🌐 Live Shodan Integration: Automatically queries the Shodan API for any public IP after a scan — fetches open ports, service banners, organization data, ISP, geolocation, and live CVEs from Shodan's internet-wide scan perspective.
  • 🛡️ Live CVE Lookup via CIRCL: Detects service version strings from nmap output and fires lightweight HTTP requests to cve.circl.lu to retrieve the top 5 most critical live CVE IDs for each detected version — in real time.
  • 🤖 AI Intelligence Layer (NEW): Optional AI-driven analysis module that delivers structured security insights — threat overview, critical findings, attack surface analysis, and hardening recommendations — powered by the AI provider of your choice. Dormant by default; activates only when a valid key is present.
  • 📊 Production-Ready Reports: Instantly exports scan findings to JSON, CSV, Markdown (.md), or searchable HTML for client reporting.
  • 🎯 Gamified Training Engine: Interactive Quiz Mode trains junior SOC analysts and penetration testers on critical ports and threat scenarios.

🤖 AI Intelligence Layer — Architecture

modules/ai_intel.sh is the optional intelligence layer in NEXPORT. It operates as a pre-display analysis pipeline that processes raw scan output before any data is shown to the operator.

System Protocol

The AI module enforces four hard constraints:

| Constraint | Implementation |
|---|---|
| Scope Limitation | The AI is restricted to analysing the input scan data only. It is explicitly instructed not to modify, refactor, or reference the NEXPORT codebase. |
| Branding Integrity | Copyright headers, project branding, and attribution are preserved at all times. |
| Data Integrity | The model is instructed never to fabricate or hallucinate vulnerabilities. If the data is ambiguous or insufficient to assess a category, it is required to state: "Insufficient data to assess." |
| Optional Activation | The module remains dormant unless a validated API key is present in ~/.nexport/config. No key = standard mode, unchanged. |

Architectural Flow

  [ nmap scan complete ]
           │
           ▼
  run_ai_intel_analysis()           ← modules/ai_intel.sh  (FIRST — if key active)
    └── Structured assessment:
        ├── Threat Overview
        ├── Critical Findings
        ├── Attack Surface Analysis
        └── Analyst Recommendations
           │
           ▼
  _summarize_nmap_output()          ← Local database analysis
           │
           ▼
  run_live_threat_intel()           ← modules/api_intel.sh
    ├── Shodan Host API             ← External ports, banners, org, vulns
    └── CIRCL CVE search API        ← Live CVE IDs per detected version

Display order:

  1. AI Intelligence Insight (if key is active)
  2. Raw Scan Data — NexPort database analysis, Shodan, CVE reports

Key design properties:

  • Graceful degradation: if no key is configured or the provider is unreachable, the layer is silently skipped — the standard scan output is completely unaffected.
  • The AI receives a truncated, sanitised view of the scan output (up to 3,500 characters) to prevent token overflow.
  • API keys are stored with chmod 600 in ~/.nexport/config — never echoed to the terminal.
  • All three supported providers use separate endpoint and header formats, managed transparently via the NEXPORT_AI_PROVIDER identifier stored alongside the key.

🔑 AI Intelligence Layer Setup

Interactive Configuration Workflow

Executing nexport intel set-ai-key <key> triggers an interactive setup that does not immediately save the key. The flow is:

Step 1: Provider selection menu
        ┌─────────────────────────────────────────────────────────┐
        │ 1) OpenAI     — GPT-4o / GPT-4-Turbo                    │
        │ 2) Google     — Gemini 1.5 Pro / Flash                  │
        │ 3) Anthropic  — Claude 3.5 Sonnet                       │
        └─────────────────────────────────────────────────────────┘

Step 2: Handshake validation
        A lightweight API call verifies the key against the selected
        provider before any data is written to disk.

Step 3: Contextual storage (only on validation success)
        Both NEXPORT_AI_KEY and NEXPORT_AI_PROVIDER are written to
        ~/.nexport/config with chmod 600 permissions.

# Activate the AI Intelligence Layer (interactive — prompts for provider):
nexport intel set-ai-key YOUR_API_KEY

# Deactivate (reverts to standard mode):
nexport intel clear-ai-key

# View AI layer command reference:
nexport intel ai-help
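
An added example, not NexPort's own code: one way to perform the Step 3 write so the file holding NEXPORT_AI_KEY and NEXPORT_AI_PROVIDER is never readable by other users, even briefly, plus a check that its mode is still 600. The helper names save_config_value and config_mode_ok and the NAME=value file layout are assumptions.

```shell
#!/bin/sh
# Added illustration (hypothetical helpers, not taken from modules/ai_intel.sh).
# Assumption: the config file holds one NAME=value pair per line.

# save_config_value FILE NAME VALUE
# Replaces NAME in FILE. The temp file is created under umask 077, so there is
# no moment at which the key sits on disk with group/other read bits set.
save_config_value() {
  file=$1; name=$2; value=$3
  dir=$(dirname "$file")
  (
    umask 077
    mkdir -p "$dir" || exit 1
    tmp=$(mktemp "$dir/.config.XXXXXX") || exit 1
    if [ -f "$file" ]; then
      # Carry over every other setting; grep exits 1 when nothing is left.
      grep -v "^${name}=" "$file" > "$tmp" || true
    fi
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    # Rename over the old file so readers never see a half-written config.
    chmod 600 "$tmp" && mv -f "$tmp" "$file"
  )
}

# config_mode_ok FILE: succeeds only for a regular, non-symlink file in mode 600.
config_mode_ok() {
  [ -f "$1" ] || return 1
  [ ! -L "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Demo against a throwaway directory with constructed values (no real key).
demo_dir=$(mktemp -d)
save_config_value "$demo_dir/config" NEXPORT_AI_PROVIDER constructed-provider
save_config_value "$demo_dir/config" NEXPORT_AI_KEY constructed-key-value
config_mode_ok "$demo_dir/config" && echo "config mode: 600"
rm -rf "$demo_dir"
```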

Supported Providers

| # | Provider | Models Used | API Endpoint |
|---|---|---|---|
| 1 | OpenAI | GPT-4o / GPT-4-Turbo | api.openai.com/v1/chat/completions |
| 2 | Google | Gemini 1.5 Pro / Flash | generativelanguage.googleapis.com/v1beta |
| 3 | Anthropic | Claude 3.5 Sonnet | api.anthropic.com/v1/messages |

The NEXPORT_AI_PROVIDER identifier is stored in the config alongside the key. This ensures the correct endpoint format, authentication headers, and request schema are applied automatically on every call — no manual configuration is required after setup.

💡 Pro-Tip: The Ultimate Free & Fast Setup (Recommended)

For the absolute best balance between extreme reasoning power, ultra-fast response, and 100% free access, we highly recommend activating the AI Layer using Meta's Llama 3.3 (70B) via Groq.

  • Why this configuration? Groq's free tier is highly generous, and their LPU architecture generates the entire security summary and streams it into your terminal with near-zero latency (~3-5 seconds max).
  • How to configure it:
    1. Get a free API key from the Groq Console.
    2. Run nexport intel set-ai-key YOUR_GROQ_API_KEY.
    3. Select Option 4 (Custom) from the interactive menu.
    4. Provide the following values when prompted:
      • Base URL / Endpoint: https://api.groq.com/openai/v1/chat/completions
      • Model Name: llama-3.3-70b-versatile

🌐 Live Threat Intelligence — Shodan Integration

# Save your Shodan API key (stored securely in ~/.nexport/config)
nexport intel set-key YOUR_SHODAN_API_KEY

# Alternatively, export it for the current session only:
export SHODAN_API_KEY=YOUR_SHODAN_API_KEY

# Remove a saved key:
nexport intel clear-key

Get a free Shodan API key at https://account.shodan.io. The free tier supports host lookups — sufficient for NexPort's query volume.


🛡️ Live CVE Lookup — CIRCL.LU

No API key required. CIRCL's CVE API is open and free.

NexPort automatically extracts versioned service strings from nmap banners after any Standard, Full, Stealth, Vuln, or Custom scan (modes that include -sV):

22/tcp  open  ssh     OpenSSH 8.4p1 Debian
80/tcp  open  http    Apache httpd 2.4.49
3306/tcp open mysql   MySQL 5.7.36-log

Each detected <product> <version> pair triggers a query to:

https://cve.circl.lu/api/search/<product>/<version>

The top 5 most critical CVE IDs are extracted from the JSON response and displayed inline in the Live Threat Intel section.

Tip: Run scans in Standard (2) or higher mode to enable -sV version detection, which is required for CIRCL CVE lookups.
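
The extraction and query-building step described above, as an added example rather than NexPort's own parser: it turns -sV lines into product/version pairs and drops banner tokens containing anything outside a URL-safe character set, since banner text is supplied by the scanned host. The function names, the "first banner token is the product" rule and the last two sample lines are assumptions.

```shell
#!/bin/sh
# Added illustration (hypothetical function names, not from modules/api_intel.sh).
# Constructed sample: the README's three lines plus one unversioned service and
# one banner carrying path/query characters.
SAMPLE_NMAP='22/tcp  open  ssh     OpenSSH 8.4p1 Debian
80/tcp  open  http    Apache httpd 2.4.49
3306/tcp open mysql   MySQL 5.7.36-log
8080/tcp open http    nginx
9999/tcp open unknown Svc/../admin 1.0?x=1'

# Print "port product version" for each open port that carries a version.
# Assumption: product = first banner token (lowercased),
#             version = first later token that starts with a digit.
extract_versions() {
  awk '$2 == "open" && NF >= 5 {
    split($1, pp, "/"); product = tolower($4); version = ""
    for (i = 5; i <= NF; i++) if ($i ~ /^[0-9]/) { version = $i; break }
    if (version == "") next
    # Banner text is untrusted: only tokens made of URL-safe characters may
    # reach the request path, so "/", "?", "&" and similar are rejected.
    if (product !~ /^[a-z0-9._-]+$/ || version !~ /^[A-Za-z0-9._-]+$/) next
    print pp[1], product, version
  }'
}

# Build the lookup URL in the README's <product>/<version> pattern.
circl_url() {
  printf 'https://cve.circl.lu/api/search/%s/%s\n' "$1" "$2"
}

# Read nmap output on stdin, print "port url" for each lookup that would run.
build_cve_queries() {
  extract_versions | while read -r port product version; do
    printf '%s %s\n' "$port" "$(circl_url "$product" "$version")"
  done
}

printf '%s\n' "$SAMPLE_NMAP" | build_cve_queries
```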


βš™οΈ System Installation & Global Deployment

# 1. Clone the official repository:
git clone https://github.com/zeroman-root/nexport.git
cd nexport

# 2. Grant execution permissions:
chmod +x nexport/nexport

# 3. Install system-wide (requires root):
sudo ./nexport/nexport --install

# 4. Run globally from anywhere:
nexport

# 5. (Optional) Set your Shodan API key after installation:
nexport intel set-key YOUR_SHODAN_API_KEY

# 6. (Optional) Activate the AI Intelligence Layer:
nexport intel set-ai-key YOUR_AI_API_KEY

# ❌ Uninstall:
sudo nexport --uninstall

📖 Full Command Reference

🔎 Lookup

| Command | Description | Example |
|---|---|---|
| -h <port\|name> | Deep info on a port | -h 22, -h ssh, -h 443 |
| -a, --all | List all ports by category | -a |
| -t, --top | Top 30 most targeted ports | -t |

🔍 Search & Filter

| Command | Description | Example |
|---|---|---|
| -s <keyword> | Search name, protocol, description, CVE | -s database |
| -c <category> | Filter by category | -c web |
| -p <proto> | Filter by protocol | -p tcp |
| -e <enc> | Filter by encryption | -e no |
| -r <level> | Filter by risk level | -r critical |
| --cve <CVE-ID> | Find ports linked to a CVE | --cve CVE-2020-1938 |

📡 Scan & Analyze

| Command | Description |
|---|---|
| scan <target> | Live nmap scan + AI insight + NexPort DB analysis + Live Threat Intel |
| paste / summarize | Paste existing nmap output for AI insight + DB analysis |

Scan modes available after scan <target>:

| # | Mode | Flags | Notes |
|---|---|---|---|
| 1 | Quick | -T4 --open | No version detection (~10s) |
| 2 | Standard | -T4 -sV --open | Version detection — enables CVE lookup (~30s) |
| 3 | Full | -T4 -sV -p- --open | All 65535 ports + versions (~5-20min) |
| 4 | Stealth | -T4 -sS -O -A --open | Requires root |
| 5 | Vuln | -T4 -sV --script=vuln --open | NSE vuln scripts, requires root |
| 6 | Custom | user-defined | Enter your own nmap flags |

🌐 Live Threat Intel

| Command | Description |
|---|---|
| intel set-key <key> | Save Shodan API key to ~/.nexport/config |
| intel clear-key | Remove saved Shodan API key |
| intel <public-ip> | On-demand Shodan + CVE lookup for a specific IP |
| intel help | Show intel sub-command reference |

🤖 AI Intelligence Layer

| Command | Description |
|---|---|
| intel set-ai-key <key> | Interactive provider selection + handshake validation + key storage |
| intel clear-ai-key | Remove AI API key (reverts to standard mode) |
| intel ai-help | Show AI Intelligence Layer command reference |

Sample AI Intelligence Layer output:

╔══════════════════════════════════════════════════════════════════════╗
║  ★ AI INTELLIGENCE INSIGHT                                           ║
║  Powered by Anthropic Claude 3.5 Sonnet · Input-scoped analysis only ║
╚══════════════════════════════════════════════════════════════════════╝

  ────────────────────────────────────────────────────────────────────

  1. THREAT OVERVIEW
     The target presents a moderately elevated attack surface. Exposure
     of SSH and an unencrypted HTTP service on port 80 constitutes the
     primary risk. No encrypted web layer (443) was detected.

  2. CRITICAL FINDINGS
     Port 3306 (MySQL) is externally reachable. Database services
     exposed directly to the internet represent a critical misconfiguration.

  3. ATTACK SURFACE ANALYSIS
     An adversary would prioritise the MySQL port for credential brute-force
     and the SSH service for key-based exploitation if the server version
     is unpatched. The HTTP service may expose web application attack vectors.

  4. ANALYST RECOMMENDATIONS
     [1] Immediately restrict port 3306 to localhost or a VPN interface.
     [2] Deploy a TLS certificate and enforce HTTPS on port 443.
     [3] Audit SSH configuration: disable PasswordAuthentication, enforce
         key-based auth, and review authorised_keys for all accounts.

  ────────────── AI analysis complete  ·  Raw data follows ──────────────

⚙️ System

| Command | Description |
|---|---|
| -q, --quiz | Interactive port knowledge quiz |
| --install | Install to /usr/local/bin (requires sudo) |
| --uninstall | Remove from system (requires sudo) |
| --version | Show version |
| --help | Show help |
| exit / quit | Exit NexPort |

πŸ—‚οΈ Project Structure

nexport/
β”œβ”€β”€ nexport                     # Main entry point & dispatcher
β”œβ”€β”€ lib/
β”‚   β”œβ”€β”€ colors.sh               # ANSI color variables, badges, risk icons
β”‚   └── ui.sh                   # Banner, dividers, port info printers
β”œβ”€β”€ data/
β”‚   β”œβ”€β”€ ports_db.sh             # Core port vulnerability database
β”‚   β”œβ”€β”€ ports_db_ext1.sh        # Extended database β€” batch 1
β”‚   β”œβ”€β”€ ports_db_ext2.sh        # Extended database β€” batch 2
β”‚   └── ports_db_ext3.sh        # Extended database β€” batch 3
└── modules/
    β”œβ”€β”€ lookup.sh               # Port lookup and show-all logic
    β”œβ”€β”€ search.sh               # Keyword search, protocol/risk/enc filters, CVE search
    β”œβ”€β”€ category.sh             # Category listing and filtering
    β”œβ”€β”€ top_ports.sh            # Top 30 most targeted ports
    β”œβ”€β”€ quiz.sh                 # Interactive training quiz
    β”œβ”€β”€ nmap_scan.sh            # Live nmap scan engine
    β”œβ”€β”€ summarizer.sh           # Nmap output parser & threat summary
    β”œβ”€β”€ export.sh               # JSON / CSV / Markdown / HTML export
    β”œβ”€β”€ api_intel.sh            # Shodan + CIRCL live threat intel
    └── ai_intel.sh             # β˜… NEW β€” Optional AI Intelligence Layer

πŸ”— API Endpoints Used

| API | Endpoint | Auth | Notes |
|---|---|---|---|
| Shodan Host Lookup | https://api.shodan.io/shodan/host/{ip}?key={key} | API Key | Per Shodan plan |
| CIRCL CVE Search | https://cve.circl.lu/api/search/{product}/{version} | None | Open, fair use |
| OpenAI Chat | https://api.openai.com/v1/chat/completions | Bearer token | GPT-4o |
| Google Gemini | https://generativelanguage.googleapis.com/v1beta/... | Query param | Gemini 1.5 Pro |
| Anthropic Messages | https://api.anthropic.com/v1/messages | x-api-key header | Claude 3.5 Sonnet |

NexPort uses curl with a 12-second timeout for validation handshakes and a 35-second timeout for AI analysis calls. All API interactions fail gracefully — a failed or missing key never breaks the scan output.


🧪 jq vs. Fallback Parsing

NexPort's api_intel.sh auto-detects jq at runtime:

| Feature | With jq | Without jq |
|---|---|---|
| Shodan org/ISP/country | ✅ Full | ✅ Full |
| Shodan port list | ✅ Full | ✅ Full |
| Shodan banner details | ✅ Full (per-service breakdown) | ⚠️ Basic (regex, limited) |
| Shodan vuln CVE IDs | ✅ Full | ✅ Full |
| CIRCL CVE IDs | ✅ Full | ✅ Full |

Install jq for the richest output:

sudo apt install jq       # Debian / Ubuntu / Kali
sudo dnf install jq       # Fedora / RHEL
sudo pacman -S jq         # Arch Linux
brew install jq           # macOS

⚠️ Operational Notes

  • Version detection is required for CIRCL CVE lookup. Quick scan mode (-T4 --open) does not invoke -sV, so no version strings are extracted and the CVE lookup section will advise you accordingly.
  • Shodan only enriches public IPs. Private RFC1918 addresses (10.x, 172.16-31.x, 192.168.x), loopback, link-local, and multicast ranges are automatically excluded from external Shodan queries.
  • AI analysis is input-scoped. The AI module analyses only the scan data passed to it. It is explicitly prohibited from accessing, modifying, or referencing the NEXPORT codebase. If analysis cannot be performed from the available data, it states so explicitly.
  • API keys are stored with chmod 600. The key file at ~/.nexport/config is restricted to the owner. No key value is ever printed or logged to the terminal.
  • curl is required for all live API calls. It is pre-installed on all major Linux distributions.
  • The existing local scan summary and database lookup pipelines are completely unmodified by the AI layer. The AI Intelligence section prepends before them and never interferes with the standard output.
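
An added example of the public-address filter described in the Shodan note above (not the project's code; is_public_ipv4 and shodan_targets are hypothetical names): it rejects malformed input and the private, loopback, link-local and multicast ranges, so internal addresses are never sent to an external API.

```shell
#!/bin/sh
# Added illustration; is_public_ipv4 and shodan_targets are hypothetical names.

# is_public_ipv4 ADDR: succeeds only for a well-formed IPv4 address outside the
# private (RFC1918), loopback, link-local and multicast ranges.
is_public_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, stray dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
  done
  a=$1; b=$2
  if [ "$a" -eq 10 ] || [ "$a" -eq 127 ]; then return 1; fi       # 10/8, loopback
  if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 1; fi
  if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 1; fi
  if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then return 1; fi      # link-local
  if [ "$a" -ge 224 ] && [ "$a" -le 239 ]; then return 1; fi      # multicast
  return 0
}

# Read candidate addresses on stdin, print only those eligible for an
# external lookup.
shodan_targets() {
  while read -r addr; do
    if is_public_ipv4 "$addr"; then printf '%s\n' "$addr"; fi
  done
}

# Constructed sample input (private, reserved and documentation addresses).
SAMPLE_HOSTS='192.168.1.10
10.0.0.5
172.20.3.4
172.32.0.1
203.0.113.7
169.254.10.1
224.0.0.251
127.0.0.1
999.1.1.1
203.0.113.7;id'

printf '%s\n' "$SAMPLE_HOSTS" | shodan_targets
```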

📜 License

Apache License
Version 2.0, January 2004
http://apache.org

Copyright 2026 Steven Osama (zeroman)

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

---
SPECIAL ATTRIBUTION REQUIREMENT:
Any derivative works, forks, or redistributions of this software MUST prominently display the original author's name "Steven Osama (zeroman)" and a link to the original repository (https://github.com) in the software's documentation, source code, and user interface.


NEXPORT — Intelligent Threat Analysis Suite Developed by Steven Osama (zeroman) — https://github.com/zeroman-root/nexport.git
