How I Built a Python Network Scanner That Thinks Like an Attacker
Source: Dev.to
The Problem
Every network has blind spots.
- Firewall rules get mis‑configured.
- Services get spun up and forgotten.
- A developer opens port 3389 for “just a quick test” and never closes it. Six months later, a ransomware group finds it.
The scary part? These exposures are trivially easy to find if you know where to look.
So I built a tool that looks.
What the Tool Does
Network Scanner & Vulnerability Reporter – a Python‑based utility that:
| Feature | Description |
|---|---|
| Port scanning | Scans a target IP or an entire CIDR range for open ports |
| Service identification | Detects which service is running on each open port |
| Vulnerability matching | Checks each service against a built‑in vulnerability database |
| ATT&CK mapping | Maps every finding to a MITRE ATT&CK technique |
| Risk scoring | Calculates an overall risk score from 0 to 100 |
| Reporting | Generates a full report with remediation guidance |
| Export | Emits JSON for SIEM or ticketing‑system integration |
| Zero external deps | Pure Python standard library only |
Why I Built It This Way
Most vulnerability scanners are black boxes. You run Nessus, get a PDF, and hand it to someone else to interpret.
I wanted to understand what’s actually happening under the hood – what a scanner is really asking, what the responses mean, and how to turn raw port data into something actionable.
This tool is my answer to that question.
The Technical Architecture
Port Scanning — Multithreaded TCP
The scanner uses socket and concurrent.futures.ThreadPoolExecutor to send TCP connection attempts across 29 common ports simultaneously. Multithreading keeps the scan fast even on full CIDR ranges, because most of the wall-clock time in a connect scan is spent waiting on timeouts, not doing work.
```python
from concurrent.futures import ThreadPoolExecutor

# scan_port(ip, port) opens one TCP socket with a short timeout and reports the result;
# the pool keeps up to 50 connect() attempts in flight at once
with ThreadPoolExecutor(max_workers=50) as executor:
    futures = {executor.submit(scan_port, ip, port): port for port in ports}
```
Each connection attempt ends one of three ways: the handshake completes (open), the host answers with a RST and the connect is refused (closed), or nothing comes back before the timeout (filtered, typically a firewall dropping the SYN). Because the scanner completes a full TCP connect rather than sending raw packets, it needs no root privileges, but it is also noisier than a SYN scan: every open port sees a completed connection in its logs.
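The connect-scan loop above, carried through into a runnable scanner. This is an added example, not the project's code: the function names, the port list, the timeout and the worker count are this example's own assumptions, and it keeps the three-way open/closed/filtered distinction rather than collapsing closed and filtered together. It uses only the standard library and includes a self-check that talks to 127.0.0.1 only.

```python
"""Multithreaded TCP connect scan that separates open, closed and filtered ports.

Added example, not the project's own code: the function names, the port list
and the defaults are this example's assumptions. Standard library only.
"""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# A handful of commonly probed ports; the post's tool uses its own list of 29.
COMMON_PORTS = [21, 22, 23, 25, 80, 443, 445, 3389, 6379, 27017]


def scan_port(ip: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    A full connect() needs no raw sockets and no root. The three outcomes are
    distinguishable: the handshake completes (open); the host answers with a
    RST, surfacing as ConnectionRefusedError (closed); or nothing arrives
    before the timeout, which is what a firewall silently dropping the SYN
    looks like (filtered).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((ip, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            # No route / host unreachable: no answer from the port itself,
            # so report it the same way as a dropped SYN.
            return "filtered"


def expand_target(target: str) -> list[str]:
    """'10.0.0.5' -> ['10.0.0.5']; '192.168.1.0/30' -> the usable host addresses."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(host) for host in net.hosts()]


def scan_targets(target: str, ports=COMMON_PORTS, workers: int = 50,
                 timeout: float = 1.0) -> dict[str, list[int]]:
    """Probe every (host, port) pair through one thread pool; return {ip: [open ports]}.

    workers bounds the connects in flight. A /24 x 29 ports is ~7,400 probes;
    at a 1 s timeout the all-filtered worst case is ~2 h single-threaded and
    ~2.5 min with 50 workers, which is why the pool matters.
    """
    hosts = expand_target(target)
    results: dict[str, list[int]] = {ip: [] for ip in hosts}
    with ThreadPoolExecutor(max_workers=workers) as executor:
        futures = {executor.submit(scan_port, ip, port, timeout): (ip, port)
                   for ip in hosts for port in ports}
        for future, (ip, port) in futures.items():
            if future.result() == "open":
                results[ip].append(port)
    return {ip: sorted(open_ports) for ip, open_ports in results.items()}


def local_self_check() -> dict[str, str]:
    """Exercise scan_port against 127.0.0.1 only: one live listener and one
    port that was just released, so nothing outside this host is touched."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the connect must be refused
    try:
        return {"open": scan_port("127.0.0.1", open_port),
                "closed": scan_port("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python3 scan_example.py 192.168.1.0/24  (only against networks you may test)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for ip, open_ports in scan_targets(target).items():
        if open_ports:
            print(f"{ip}: open {open_ports}")
```

The worker count is a trade-off, not a free speedup: 50 in-flight connects per source host is enough to trip rate-based firewall rules and IDS port-scan signatures on a monitored network, so on an engagement the number is tuned to what the rules of engagement allow, not to what the machine can sustain.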
Service Identification
Open ports are mapped to known service names via a static dictionary, e.g.:
- 22 → SSH
- 445 → SMB
- 3389 → RDP
…and so on across 29 services.
This is inference from the port number alone. The scanner does not grab banners, so a listener on 3389 is assumed to be RDP rather than confirmed, and a service running on a non-standard port will be labelled by whatever that port normally carries.
Vulnerability Matching
Each identified service is checked against a built‑in vulnerability database. This isn’t CVE scanning; it’s risk‑pattern matching.
- Port 23 open? → Telnet – cleartext protocol – CRITICAL risk.
- Port 27017 open? → MongoDB – likely unauthenticated access.
The database covers the services that actually show up in breach reports: SMB (EternalBlue), RDP (ransomware entry), Redis (no‑auth data exposure), Elasticsearch (unauthenticated access), etc.
MITRE ATT&CK Mapping
Every vulnerability finding gets tagged with the relevant ATT&CK technique:
| Finding | ATT&CK Technique |
|---|---|
| RDP exposed | T1076 – Remote Desktop Protocol (deprecated in ATT&CK; the current ID is T1021.001 – Remote Services: Remote Desktop Protocol) |
| SMB exposed | T1210 – Exploitation of Remote Services |
| Telnet open | T1040 – Network Sniffing |
This transforms raw scan output into adversary‑aligned intelligence – exactly the framing a SOC or threat‑intel team needs.
Risk Scoring
The tool calculates a composite risk score (0 – 100) based on severity and count of findings:
| Score | Rating |
|---|---|
| 70–100 | 🔴 CRITICAL |
| 45–69 | 🟠 HIGH |
| 20–44 | 🟡 MEDIUM |
| 0–19 | 🟢 LOW |
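The four stages above (service lookup, risk-pattern match, ATT&CK tag, score and rating) chained into one pipeline that also emits the JSON the Export row promises. This is an added example, not the project's code: the service table, the findings, the severity weights and the capped-sum score are this example's own assumptions, since the post publishes the rating bands but not the formula behind the score. The RDP entry is tagged T1021.001, the sub-technique that replaced T1076; the T1190 tags on the Redis and MongoDB entries are likewise this example's choice.

```python
"""Open ports -> findings -> ATT&CK tags -> 0-100 risk score -> JSON.

Added example, not the project's code. SERVICES, RISK_PATTERNS,
SEVERITY_WEIGHT and the capped-sum formula are this example's assumptions;
only the rating bands come from the post.
"""
import json
from dataclasses import asdict, dataclass

# Port -> service name. Port-number inference only: no banner is read, so a
# listener on 3389 is *assumed* to be RDP.
SERVICES = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 445: "SMB",
            3389: "RDP", 6379: "Redis", 27017: "MongoDB"}


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    severity: str        # CRITICAL / HIGH / MEDIUM / LOW
    title: str
    attack_id: str
    attack_name: str
    remediation: str


# Risk-pattern "database": (severity, title, ATT&CK id, ATT&CK name, remediation).
# T1021.001 is the current home of the deprecated T1076 the post cites;
# the T1190 entries are this example's own mapping.
RISK_PATTERNS = {
    3389: ("CRITICAL", "RDP exposed", "T1021.001",
           "Remote Services: Remote Desktop Protocol",
           "Restrict RDP to VPN only, enable NLA, require MFA"),
    445: ("CRITICAL", "SMB exposed", "T1210", "Exploitation of Remote Services",
          "Block SMB at the perimeter, apply MS17-010"),
    23: ("CRITICAL", "Telnet open (cleartext protocol)", "T1040", "Network Sniffing",
         "Disable Telnet, move administration to SSH"),
    6379: ("HIGH", "Redis reachable, likely no auth", "T1190",
           "Exploit Public-Facing Application",
           "Bind to localhost, set requirepass, firewall 6379"),
    27017: ("HIGH", "MongoDB reachable, likely unauthenticated", "T1190",
            "Exploit Public-Facing Application",
            "Enable authentication, bind to an internal interface"),
}

# Assumed weights for the capped-sum score below.
SEVERITY_WEIGHT = {"CRITICAL": 30, "HIGH": 20, "MEDIUM": 10, "LOW": 5}


def match_findings(open_ports: list[int]) -> list[Finding]:
    """Risk-pattern matching, not CVE scanning: one finding per risky open port."""
    findings = []
    for port in open_ports:
        if port in RISK_PATTERNS:
            severity, title, tid, tname, fix = RISK_PATTERNS[port]
            findings.append(Finding(port, SERVICES.get(port, "unknown"),
                                    severity, title, tid, tname, fix))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """Assumed formula: sum of severity weights, capped at 100, so both the
    severity and the count of findings move the score."""
    return min(100, sum(SEVERITY_WEIGHT[f.severity] for f in findings))


def rating(score: int) -> str:
    """Bands from the post's table."""
    if score >= 70:
        return "CRITICAL"
    if score >= 45:
        return "HIGH"
    if score >= 20:
        return "MEDIUM"
    return "LOW"


def build_report(target: str, open_ports: list[int]) -> dict:
    """Assemble the report dict; findings sorted most severe first."""
    findings = sorted(match_findings(open_ports),
                      key=lambda f: SEVERITY_WEIGHT[f.severity], reverse=True)
    score = risk_score(findings)
    return {
        "target": target,
        "open_ports": sorted(open_ports),
        "services": {p: SERVICES.get(p, "unknown") for p in sorted(open_ports)},
        "risk_score": score,
        "rating": rating(score),
        "findings": [asdict(f) for f in findings],
    }


def to_json(report: dict) -> str:
    """JSON for a SIEM or ticketing system; int port keys become strings."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    # Constructed input, not a real scan result.
    print(to_json(build_report("192.168.1.1", [22, 23, 445, 3389])))
```

One thing the pipeline cannot know from a port list is vantage point: "RDP exposed to the Internet" is only true if the scan was run from outside the perimeter. The same finding from an internal scanner means lateral-movement exposure, which is still worth fixing but is a different severity conversation.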
Sample Output
```text
=================================================================
NETWORK SCANNER & VULNERABILITY REPORTER
Target : 192.168.1.1
Open Ports : 4 | Vulnerabilities: 6
Risk Score : 85/100 [██████████████████████████████████░░░░░░]
Rating : 🔴 CRITICAL RISK
⚠️ VULNERABILITIES (6)
[CRITICAL] RDP Exposed to Internet (Port 3389)
MITRE ATT&CK : T1076 — Remote Desktop Protocol
Remediation : Restrict RDP to VPN only, enable NLA, use MFA
[CRITICAL] SMB Port Exposed (Port 445)
MITRE ATT&CK : T1210 — Exploitation of Remote Services
Remediation : Block SMB at firewall, apply MS17‑010 patch
```
Real‑World Relevance
- Attack‑surface mapping – finding exposed services before attackers do is the first step in any vulnerability‑management program.
- Risk prioritization – not every open port is equal. The tool scores and ranks so the most dangerous exposures get fixed first.
- SIEM integration – the JSON export can feed directly into Splunk, Elastic, or any ticketing system like ServiceNow.
- Compliance support – regular network scans are expected under NIST CSF, CIS Controls, and ISO 27001 (CIS Control 7, Continuous Vulnerability Management, is the most direct). The tool's dated JSON reports can serve as evidence that the scans ran and what they found, although a port-inference scanner on its own does not replace an authenticated vulnerability scan for those controls.
What I Learned
- Multithreading changes everything. A single‑threaded scanner on a /24 would take minutes; with 50 concurrent threads it's seconds. Understanding thread‑pool sizing and timeout tuning is a real skill.
- The vulnerability database is the hardest part. Writing port‑scanning logic is straightforward. Deciding which services are risky, why, and how to explain it to a non‑technical stakeholder is the GRC thinking that makes a security tool actually useful.
- MITRE ATT&CK is a communication framework. Mapping findings to ATT&CK techniques isn't just for show; it lets you speak the same language as threat‑intel teams, red teams, and incident responders. A finding labeled “T1210 — Exploitation of Remote Services” is instantly actionable.
Try It Yourself
```bash
git clone https://github.com/SankethSubhas/network-scanner-vulnerability-reporter.git
cd network-scanner-vulnerability-reporter
# Follow the README for usage instructions
```
Happy scanning! 🚀
Usage Examples
Scan a single host (scanme.nmap.org is the host the Nmap project provides for legal test scans):
```bash
python3 network_scanner.py scanme.nmap.org
```
Scan a network range:
```bash
python3 network_scanner.py 192.168.1.0/24
```
Export a JSON report:
```bash
python3 network_scanner.py 192.168.1.1 --output report.json
```
⚠️ Important: Only scan systems you own or have explicit written permission to test.
Links
- GitHub: network-scanner-vulnerability-reporter
- Portfolio: sankethsubhas.pages.dev
- LinkedIn: linkedin.com/in/sanketh-subhas
