kkundanI/Network-Security-Scanner

GitHub: kkundanI/Network-Security-Scanner

A Python network scanner built on TCP sockets and multithreading that discovers open ports, maps them to CVE-linked findings, rates each host's risk level, and produces a prioritized report with remediation commands.

Stars: 0 | Forks: 0

# Network Security Scanner

**Author:** Kundan Kumar
**Stack:** Python · socket programming · multithreading · network security

## Features

A multithreaded command-line network scanner that can:

- Scan a single IP, a CIDR range, or a comma-separated list of hosts
- Detect open TCP ports with a TCP connect scan (`socket.connect_ex`, the C-style `connect()` that returns an errno instead of raising). This completes a full three-way handshake on an ordinary stream socket, not a raw socket, so it needs no privileges but is fully visible to the target
- Identify the service running on each open port
- Grab service banners (HTTP headers, SSH version strings, etc.)
- Map open ports to known security findings
- Generate a **step-by-step remediation plan** for every finding, ordered by risk
- Assign each host a risk level (None / Low / Medium / High / Critical)
- Write structured text and JSON reports
- Scan through a thread pool, which the author reports as more than 70% faster than sequential scanning

## Project structure

```
network_scanner/
├── scanner.py   ← Main scanner (all logic)
└── README.md    ← This file
```

## Usage

### Basic scan (top 100 common ports)

```
python scanner.py -t 192.168.1.1
```

### Scan a whole subnet

```
python scanner.py -t 192.168.1.0/24 -p top100 --threads 200
```

### Scan specific ports and grab banners

```
python scanner.py -t 10.0.0.1 -p 22,80,443,3306,5432 --banners --verbose
```

### Scan a port range and save reports

```
python scanner.py -t 192.168.1.1 -p 1-1024 --json report.json --txt report.txt
```

### Multiple targets

```
python scanner.py -t 192.168.1.1,192.168.1.5,192.168.1.10 -p 80,443
```

## All options

| Flag | Description | Default |
|------|-------------|---------|
| `-t` / `--target` | IP, CIDR, or comma-separated targets | required |
| `-p` / `--ports` | `top100`, `80`, `22,80,443`, or `1-1024` | `top100` |
| `--threads` | Number of concurrent threads | `100` |
| `--timeout` | Socket timeout per port (seconds) | `1.0` |
| `--banners` | Grab service banners | off |
| `--json FILE` | Save a JSON report | off |
| `--txt FILE` | Save a text report | off |
| `--verbose` | Print ports as they are found | off |

## Top 100 ports covered

Includes the high-value ports: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80/443 (HTTP/S), 445 (SMB), 3306 (MySQL), 3389 (RDP), 5432 (PostgreSQL), 6379 (Redis), 8080/8443, 9200 (Elasticsearch), 27017 (MongoDB), and more.

Note that in the sample run below `top100` expanded to 49 ports (see the `Ports :` header line), so the bundled list is shorter than its name suggests. Pass `-p 1-1024` or an explicit list when you need fuller coverage.

## Vulnerability coverage and remediation

The scanner maps 25+ ports to curated security findings. For each finding it generates a **numbered, step-by-step remediation plan** with concrete commands, configuration file paths, and patch KB numbers.

Coverage includes:

- **Critical:** Redis / MongoDB / Elasticsearch exposed without authentication
- **High:** SMB (EternalBlue, MS17-010), RDP (BlueKeep, CVE-2019-0708), Jupyter (full code execution)
- **Medium:** exposed MySQL / PostgreSQL, VNC brute-force risk, Telnet in use
- **Low:** HTTP without HTTPS, SSH hardening, open SMTP relay

The mapping is keyed on the port number alone: the scanner does not negotiate an SMB dialect, read patch levels, or authenticate to Redis, so an open 445 produces the MS17-010 finding whether or not SMBv1 is enabled on that host. Treat each finding as a lead to confirm with the verification step in its plan, not as a confirmed vulnerability.

Remediation plans are sorted by risk weight, most dangerous port first, and each plan carries a priority timeline:

| Risk level | Priority label |
|------------|----------------|
| Critical | PRIORITY 1 — FIX IMMEDIATELY |
| High | PRIORITY 2 — FIX WITHIN 24 HOURS |
| Medium | PRIORITY 3 — FIX WITHIN 1 WEEK |
| Low | PRIORITY 4 — FIX WITHIN 1 MONTH |

## Risk scoring

Each host receives a risk score based on its open ports:

- **Critical**: score > 15 (for example, Redis + SMB + RDP open)
- **High**: score 9–15
- **Medium**: score 4–8
- **Low**: score 1–3
- **None**: no risky ports

## Sample output

Below is real output from a scan of a Windows machine on a local network (`192.168.31.7`). Three high-risk Windows networking ports were found open, which triggered findings and a full remediation plan.

```
══════════════════════════════════════════════════════════════════════
  Network Security Scanner  |  Kundan Kumar
  Scan ID : SCAN-20260426-210633
  Targets : 1 host(s)
  Ports   : 49 port(s) [top100]
  Threads : 100 | Timeout: 1.0s
  Banners : no
══════════════════════════════════════════════════════════════════════
[!] ETHICAL USE NOTICE: Only scan systems you own or have explicit
    written permission to test. Unauthorized scanning may violate laws
    including the Computer Fraud and Abuse Act.
══════════════════════════════════════════════════════════════════════
  NETWORK SECURITY SCAN REPORT
  Scan ID  : SCAN-20260426-210633
  Target   : 192.168.31.7
  Ports    : top100
  Threads  : 100
  Started  : 2026-04-26 21:06:33
  Finished : 2026-04-26 21:06:35
  Duration : 1.1s
══════════════════════════════════════════════════════════════════════
HOST: 192.168.31.7 (SPARCK-G.lan)
Risk Level : [HIGH ]    Scan time: 1.05s
──────────────────────────────────────────────────────────────────────
PORT   STATE    SERVICE              BANNER
──────  ──────── ──────────────────── ────────────────────
135    open     MS-RPC
139    open     NetBIOS
445    open     SMB
──────────────────────────────────────────────────────────────────────
VULNERABILITY FINDINGS
──────────────────────────────────────────────────────────────────────
[Port 135 — MS-RPC]
  ⚠ MS-RPC exposed externally — enabled RCE exploits (e.g. MS03-026, Blaster worm)
  ⚠ DCOM interfaces accessible over port 135 can be abused for lateral movement
[Port 139 — NetBIOS]
  ⚠ NetBIOS exposes machine name, workgroup, and share information
  ⚠ Linked to EternalBlue SMB exploit chain — used by WannaCry ransomware
[Port 445 — SMB]
  ⚠ SMBv1 is vulnerable to EternalBlue (MS17-010) — used by WannaCry and NotPetya ransomware
  ⚠ Null session enumeration can expose user accounts and shares
  ⚠ SMB brute-force attacks are common on internet-exposed systems
══════════════════════════════════════════════════════════════════════
REMEDIATION PLAN — PRIORITY 2 — FIX WITHIN 24 HOURS
══════════════════════════════════════════════════════════════════════
The following steps will resolve the vulnerabilities found on 192.168.31.7.
Work through them in order — highest-risk ports first.

┌─ [1] Port 445 (SMB) [HIGH]
│  Step 1: DISABLE SMBv1 immediately on Windows:
│          'Set-SmbServerConfiguration -EnableSMB1Protocol $false' in
│          PowerShell (run as Admin)
│  Step 2: VERIFY SMBv1 is off: 'Get-SmbServerConfiguration | Select
│          EnableSMB1Protocol' — should return False
│  Step 3: APPLY MS17-010 patch: ensure KB4012212 (Win7) or KB4012215
│          (Win8.1) or KB4013429 (Win10) is installed — check via 'wmic
│          qfe list | findstr KB4012'
│  Step 4: BLOCK port 445 at perimeter firewall — SMB should NEVER be
│          internet-facing
│  Step 5: DISABLE null sessions: in registry set
│          'HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 2'
│  Step 6: ENABLE Windows Defender / EDR to detect lateral movement via SMB
│
└───────────────────────────────────────────────────────────────────
┌─ [2] Port 135 (MS-RPC) [LOW]
│  Step 1: BLOCK port 135 at the perimeter firewall — it should NEVER be
│          internet-facing
│  Step 2: On Windows: open Windows Firewall > Advanced Settings > Inbound
│          Rules > disable or restrict 'Remote Procedure Call' rules to
│          internal subnets only
│  Step 3: DISABLE DCOM if not needed: run 'dcomcnfg', navigate to
│          Component Services > Computers > My Computer > Properties >
│          Default Properties, uncheck 'Enable Distributed COM on this
│          computer'
│  Step 4: APPLY all Windows security updates — MS03-026 is patched but
│          unpatched systems remain vulnerable
│  Step 5: AUDIT with: 'netstat -an | findstr :135' to confirm if actively
│          listening
│
└───────────────────────────────────────────────────────────────────
┌─ [3] Port 139 (NetBIOS) [LOW]
│  Step 1: DISABLE NetBIOS over TCP/IP: Network Adapter > Properties >
│          IPv4 > Advanced > WINS tab > 'Disable NetBIOS over TCP/IP'
│  Step 2: BLOCK ports 137-139 at firewall — never expose to internet
│  Step 3: DISABLE the Computer Browser service on Windows: 'sc config
│          browser start= disabled && net stop browser'
│  Step 4: See also port 445 (SMB) remediations — ports 139 and 445 are
│          commonly exploited together
│
└───────────────────────────────────────────────────────────────────
══════════════════════════════════════════════════════════════════════
SUMMARY
  Hosts scanned        : 1
  Hosts with open ports: 1
  Total open ports     : 3
  High risk hosts      : 1

Found 3 open port(s) across 1/1 host(s).
Critical risk: 0, High risk: 1.
Immediate attention recommended for high/critical hosts.
══════════════════════════════════════════════════════════════════════
```

A few things to check before acting on this plan:

- The SMB findings follow from port 445 being open, not from an observed SMBv1 dialect. Run the tool's own Step 2 (`Get-SmbServerConfiguration | Select EnableSMB1Protocol`) first; on a patched host with SMBv1 off, the EternalBlue line is a false positive and the remaining risk is null sessions, brute force, and exposure.
- The KB numbers in Step 3 depend on the exact Windows version and build, and the suggested check `findstr KB4012` cannot match the Windows 10 update (KB4013429) listed in the same step. Verify against Microsoft's MS17-010 bulletin for your build. `wmic` is deprecated on current Windows; `Get-HotFix` in PowerShell lists the same installed updates.
- `RestrictAnonymous = 2` in Step 5 is the Windows 2000 value. On Windows XP and later the relevant LSA values are `RestrictAnonymous`, `RestrictAnonymousSAM`, and `EveryoneIncludesAnonymous`; check the current Microsoft guidance for the host's version before setting them.

## Responsible use statement

## Key technical concepts demonstrated

| Concept | Where it is used |
|---------|------------------|
| TCP connect scanning (`socket.connect_ex`) | `scan_port()` |
| Thread pool (`ThreadPoolExecutor`) | `scan_host()` |
| Thread-safe result collection (`threading.Lock`) | `scan_host()` workers |
| CIDR / IP range parsing (`ipaddress` module) | `parse_targets()` |
| Banner grabbing (partial HTTP / raw `recv`) | `grab_banner()` |
| Risk-scoring algorithm | `compute_risk()` |
| Structured JSON serialization (`dataclass` + `asdict`) | `save_json_report()` |
| CLI argument parsing (`argparse`) | `main()` |
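The scanning core described in the Features and Usage sections, as an added example that is not the project's `scanner.py`: target parsing for IPs, CIDRs and comma lists, port-spec parsing for `top100` / single / list / range, a TCP connect probe built on `socket.connect_ex`, and a `ThreadPoolExecutor` fan-out with a `threading.Lock` around the shared result list. The function names mirror the Key technical concepts table only for readability; `TOP_PORTS` is an assumed short stand-in for the real top100 list (the README does not print it), and `demo()` scans a constructed local listener so the example runs offline.

```python
"""Added example, not the project's scanner.py: the building blocks the
README describes.  scan_port() uses socket.connect_ex, i.e. a full TCP
handshake on an ordinary stream socket; no raw sockets or privileges are
involved.  TOP_PORTS is an assumed stand-in for the project's top100 list."""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed stand-in for the project's "top100" list (not printed in the README).
TOP_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 3306, 3389,
             5432, 5900, 6379, 8080, 8443, 9200, 27017]


def parse_targets(spec: str) -> list:
    """'192.168.1.1', '10.0.0.0/30' or 'a,b,c' -> list of host addresses."""
    hosts = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "/" in item:
            # strict=False accepts 192.168.1.1/24; .hosts() skips the
            # network and broadcast addresses of the block.
            net = ipaddress.ip_network(item, strict=False)
            hosts.extend(str(ip) for ip in net.hosts())
        else:
            hosts.append(str(ipaddress.ip_address(item)))  # rejects junk input
    return hosts


def parse_ports(spec: str) -> list:
    """'top100', '80', '22,80,443' or '1-1024' -> sorted, de-duplicated ports."""
    if spec == "top100":
        return sorted(TOP_PORTS)
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {spec!r}")
    return sorted(ports)


def scan_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect scan: connect_ex returns 0 only after a completed
    three-way handshake, and an errno (ECONNREFUSED, EWOULDBLOCK on
    timeout, ...) otherwise."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_host(host: str, ports: list, threads: int = 100,
              timeout: float = 1.0) -> list:
    """Fan the port list out over a thread pool; the Lock keeps the shared
    result list consistent when several workers find open ports at once."""
    open_ports = []
    lock = threading.Lock()

    def worker(port: int) -> None:
        if scan_port(host, port, timeout):
            with lock:
                open_ports.append(port)

    with ThreadPoolExecutor(max_workers=min(threads, len(ports) or 1)) as pool:
        list(pool.map(worker, ports))  # consume the iterator so worker exceptions surface
    return sorted(open_ports)


def demo() -> dict:
    """Constructed fixture: scan one local listener and one port known to be
    closed (bound only to learn a free number, then released)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        found = scan_host("127.0.0.1", [open_port, closed_port], threads=2, timeout=0.5)
    finally:
        listener.close()
    return {"open": open_port, "closed": closed_port, "found": found}


if __name__ == "__main__":
    print(parse_targets("192.168.1.0/30,10.0.0.1"), parse_ports("22,80,1000-1002"))
    print(demo())
```

Because `connect_ex` completes the handshake, every probe shows up in the target's connection logs and, for services that log accept events, as a connect-then-close; the `--threads` value mainly trades scan time against how many half-open connections the target sees at once.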
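Banner grabbing, as an added example that is not the project's `grab_banner()`: the detail the feature list glosses over is that some services (SSH, FTP, SMTP) speak first, while an HTTP server says nothing until it receives a request, and that whatever comes back is attacker-controlled text headed for your report. `HTTP_PORTS` is an assumed set, and `fake_server()` is a constructed fixture so the example runs offline.

```python
"""Added example, not the project's grab_banner(): protocol-aware banner
grabbing with output sanitisation.  HTTP_PORTS is an assumed list; the fake
server is a constructed test fixture."""
import socket
import threading
from typing import Optional

# Plaintext HTTP only; 443/8443 would need an ssl.SSLContext, omitted here.
HTTP_PORTS = {80, 8000, 8080}


def grab_banner(host: str, port: int, timeout: float = 2.0,
                http: Optional[bool] = None, max_bytes: int = 1024) -> str:
    """Return the first line the service sends, sanitised, or '' on failure."""
    if http is None:
        http = port in HTTP_PORTS
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if http:
                # HTTP is request-driven: nothing arrives until we ask.
                sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = sock.recv(max_bytes)
    except OSError:  # refused, reset or timed out (socket.timeout is an OSError)
        return ""
    # Banners are attacker-controlled: keep one line, replace non-printable
    # characters so terminal escapes or newlines cannot be injected into the
    # report, and cap the length.
    first = data.split(b"\n", 1)[0].decode("ascii", errors="replace").strip()
    return "".join(ch if ch.isprintable() else "?" for ch in first)[:200]


def fake_server(banner: bytes, answer_after_request: bool = False) -> int:
    """Constructed fixture: serve `banner` once on 127.0.0.1 and return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if answer_after_request:
                conn.recv(1024)  # behave like HTTP: reply only once asked
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh = fake_server(b"SSH-2.0-OpenSSH_9.6\r\n")
    web = fake_server(b"HTTP/1.0 200 OK\r\nServer: nginx/1.25.3\r\n\r\n",
                      answer_after_request=True)
    print(grab_banner("127.0.0.1", ssh))
    print(grab_banner("127.0.0.1", web, http=True))
```

The sanitisation step matters when reports are viewed in a terminal or pasted into a ticket: a hostile service can return ANSI escape sequences or fake report lines, and a scanner that prints `recv()` output verbatim passes them straight through.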
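Risk scoring and report ordering, as an added example that is not the project's `compute_risk()` or `save_json_report()`: per-port weights summed into a host score, the README's thresholds (Critical > 15, High 9–15, Medium 4–8, Low 1–3, None otherwise), the priority-label table, a remediation list ordered most-dangerous-first, and JSON output through `dataclasses.asdict`. The per-port severities follow the README's coverage list; the numeric weights are assumed (the project does not publish them) and were chosen so that both data points on the page hold: the sample host with 445, 135 and 139 open scores High, and Redis + SMB + RDP scores Critical.

```python
"""Added example, not the project's compute_risk(): additive risk scoring
with the README's thresholds and priority labels.  Severities follow the
README's coverage list; the weights are assumed."""
import json
from dataclasses import asdict, dataclass, field

# (service, severity) per port, following the README's coverage list.
PORT_SEVERITY = {
    6379: ("Redis", "CRITICAL"), 27017: ("MongoDB", "CRITICAL"),
    9200: ("Elasticsearch", "CRITICAL"),
    445: ("SMB", "HIGH"), 3389: ("RDP", "HIGH"),
    3306: ("MySQL", "MEDIUM"), 5432: ("PostgreSQL", "MEDIUM"),
    5900: ("VNC", "MEDIUM"), 23: ("Telnet", "MEDIUM"),
    80: ("HTTP", "LOW"), 22: ("SSH", "LOW"), 25: ("SMTP", "LOW"),
    135: ("MS-RPC", "LOW"), 139: ("NetBIOS", "LOW"),
}
SEVERITY_WEIGHT = {"CRITICAL": 9, "HIGH": 7, "MEDIUM": 4, "LOW": 1}  # assumed weights
PRIORITY = {  # labels as printed by the tool
    "CRITICAL": "PRIORITY 1 — FIX IMMEDIATELY",
    "HIGH": "PRIORITY 2 — FIX WITHIN 24 HOURS",
    "MEDIUM": "PRIORITY 3 — FIX WITHIN 1 WEEK",
    "LOW": "PRIORITY 4 — FIX WITHIN 1 MONTH",
    "NONE": "no action required",
}


@dataclass
class Finding:
    port: int
    service: str
    severity: str
    weight: int


@dataclass
class HostReport:
    host: str
    open_ports: list
    score: int
    risk: str
    priority: str
    remediation: list = field(default_factory=list)  # Findings, worst first


def risk_level(score: int) -> str:
    """README bands are contiguous, so the cut-offs are > 15 / >= 9 / >= 4 / >= 1."""
    if score > 15:
        return "CRITICAL"
    if score >= 9:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    if score >= 1:
        return "LOW"
    return "NONE"


def compute_risk(open_ports) -> tuple:
    """Sum the weights of the open ports that have a mapped finding."""
    score = sum(SEVERITY_WEIGHT[PORT_SEVERITY[p][1]]
                for p in open_ports if p in PORT_SEVERITY)
    return score, risk_level(score)


def build_report(host: str, open_ports) -> HostReport:
    score, level = compute_risk(open_ports)
    findings = [Finding(p, *PORT_SEVERITY[p], SEVERITY_WEIGHT[PORT_SEVERITY[p][1]])
                for p in open_ports if p in PORT_SEVERITY]
    # Most dangerous first; ties broken by port number so output is stable.
    findings.sort(key=lambda f: (-f.weight, f.port))
    return HostReport(host, sorted(open_ports), score, level, PRIORITY[level], findings)


def to_json(report: HostReport) -> str:
    """asdict() recurses into the nested Finding dataclasses."""
    return json.dumps(asdict(report), indent=2)


if __name__ == "__main__":
    print(to_json(build_report("192.168.31.7", [135, 139, 445])))
```

One consequence of purely additive scoring is worth checking in the real `compute_risk()`: under these weights a host with only Redis open scores 9 and is rated High rather than Critical, while three Low ports alone never leave Low. If a single Critical-tier service should always produce a Critical host, the level needs a floor from the worst individual finding, not just the sum.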