Building a Custom Network Vulnerability Scanner with Python

Introduction to Custom Vulnerability Scanning

Building a custom network vulnerability scanner with Python provides granular control over security assessments. Unlike commercial tools, a Python-based scanner tailors checks to specific network environments, reduces false positives, and enhances understanding of network vulnerabilities. This guide focuses on creating a modular, extensible scanning framework using Python’s socket, requests, and nmap libraries.

Prerequisites and Environment Setup

Install Python 3.8+ and required libraries:

• nmap: pip install python-nmap
• requests: pip install requests
• colorama (optional for output): pip install colorama

Ensure nmap binary is installed on your system (Linux: sudo apt install nmap; macOS: brew install nmap).

Step 1: Basic Port Scanner Foundation

Start with a socket-based TCP connect scanner to identify open ports. This detects services listening on target hosts, forming the base for vulnerability detection.

import socket
def scan_port(target, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)
    result = s.connect_ex((target, port))
    s.close()
    return result == 0

Iterate through common ports (22, 80, 443, 3306) to identify exposed services.

Step 2: Service Version Detection with Nmap

Leverage python-nmap for version detection and OS fingerprinting. Service versions often correlate with known vulnerabilities (e.g., outdated Apache or OpenSSH).

import nmap
nm = nmap.PortScanner()
services = nm.scan('192.168.1.1', '22,80,443', arguments='-sV')

Parse services['scan'][target]['tcp'] to extract service names and versions.

Step 3: Vulnerability Signature Database

Create a dictionary mapping services/versions to potential vulnerabilities. Use public sources like CVE databases or APIs for dynamic updates.

vuln_db = {
    "OpenSSH 7.2": ["CVE-2016-6210", "Username Enumeration"],
    "Apache 2.4.49": ["CVE-2021-41773", "Path Traversal"],
}

Cross-reference detected services against this database to flag risks.

Step 4: Implementing Vulnerability Checks

For each detected service, run specific exploit tests. Example for Apache path traversal:

import requests
target_url = f"http://{target}:{port}/cgi-bin/.%2e/%2e%2e/etc/passwd"
try:
    r = requests.get(target_url, timeout=5)
    if 'root:x' in r.text:
        print(f"Vulnerable to CVE-2021-41773 on {target}:{port}")
except:
    pass

Add checks for weak SSH ciphers, default credentials, or SMB vulnerabilities.

Step 5: Advanced Scanning with Multithreading

Speed up scans using concurrent.futures for parallel port and service checks on multiple hosts.

from concurrent.futures import ThreadPoolExecutor
with ThreadPoolExecutor(max_workers=50) as executor:
    futures = [executor.submit(scan_host, ip) for ip in subnet]

Adjust thread count based on network capacity to avoid packet loss.

Step 6: Reporting and Output Formatting

Generate structured reports in JSON or CSV for integration with other security tools. Include target IP, port, service, version, vulnerability name, and severity.

import json
report = {"findings": [{"ip": target, "port": port, "vuln": "CVE-2021-41773", "severity": "high"}]}
with open('scan_report.json', 'w') as f:
    json.dump(report, f, indent=4)

Testing and Ethical Considerations

Always obtain written permission before scanning networks. Use a controlled lab environment (e.g., Metasploitable or DVWA) for testing. Python’s flexibility enables customization but requires responsible disclosure of discovered vulnerabilities.

Conclusion and Extending the Scanner

This custom network vulnerability scanner provides a foundation for automated security assessments. Extend it with SSL/TLS certificate validation, HTTP header analysis, and web application scanning. Integrate with Shodan API for external context. Building your own tool deepens understanding of network security and allows precise control over vulnerability detection in diverse IT environments.