feat: add host discovery phase before port scanning

Author: TheOnlyChou

NetSleuth/__init__.py

@@ -16,6 +16,14 @@
 from .utils import is_valid_port, format_duration, calculate_scan_estimate
 from .vuln import Vulnerability, load_cve_db, find_vulnerabilities, create_sample_cve_db
 from .mitre import get_mitre_mapping, get_all_techniques, format_mitre_report
+from .discovery import (
+    HostDiscoveryResult,
+    HostDiscoverySummary,
+    discover_host,
+    discover_hosts,
+    tcp_probe,
+    to_resolved_target_map,
+)
 
 __all__ = [
     "ScanResult",
@@ -41,4 +49,10 @@
     "get_mitre_mapping",
     "get_all_techniques",
     "format_mitre_report",
+    "HostDiscoveryResult",
+    "HostDiscoverySummary",
+    "discover_host",
+    "discover_hosts",
+    "tcp_probe",
+    "to_resolved_target_map",
 ]

NetSleuth/cli.py

@@ -1,13 +1,21 @@
 import argparse
 import json
-from .scanner import resolve_host, scan_targets
+from .scanner import resolve_host, scan_targets_resolved
 from .ports import parse_ports
 from .targets import parse_targets
 from .models import ScanResult
 from .reporter import results_to_dict, write_json, write_ndjson
 from .fingerprint import fingerprint_service
 from .vuln import load_cve_db, find_vulnerabilities
 from .mitre import get_mitre_mapping, format_mitre_report
+from .discovery import discover_hosts, to_resolved_target_map, DEFAULT_DISCOVERY_PORTS
+
+
+def _parse_discovery_ports(spec: str) -> list[int]:
+    ports = parse_ports(spec)
+    if not ports:
+        raise ValueError("Discovery ports cannot be empty")
+    return ports
 
 def format_results(results: list[ScanResult], show_service: bool = False, show_vulns: bool = False) -> str:
     """
@@ -79,6 +87,18 @@ def main(argv: list[str] | None = None) -> int:
     parser.add_argument("--mitre", action="store_true", help="Display MITRE ATT&CK techniques")
     parser.add_argument("--json", dest="json_path", help="Write results to a JSON file")
     parser.add_argument("--ndjson", dest="ndjson_path", help="Write results to an NDJSON file (one result per line)")
+    parser.add_argument("--no-discovery", action="store_true", help="Skip host discovery and scan all resolvable targets")
+    parser.add_argument(
+        "--discovery-ports",
+        default=",".join(str(p) for p in DEFAULT_DISCOVERY_PORTS),
+        help="Discovery probe ports (e.g., '443,80,22')",
+    )
+    parser.add_argument(
+        "--discovery-timeout",
+        type=float,
+        default=0.3,
+        help="Timeout in seconds for host discovery probes (default: 0.3)",
+    )
 
     args = parser.parse_args(argv)
 
@@ -100,24 +120,58 @@ def main(argv: list[str] | None = None) -> int:
             print("=" * 60 + "\n")
 
         # Parse target specification
-        targets = parse_targets(args.target)
+        targets = [t for t in parse_targets(args.target) if t]
         if not targets:
             print(f"No valid targets found in: {args.target}")
             return 1
+
+        # Preserve order while deduplicating targets.
+        targets = list(dict.fromkeys(targets))
 
         # Parse port specification
         ports = parse_ports(args.ports)
+
+        resolved_targets: dict[str, str]
+        if args.no_discovery:
+            resolved_targets = {}
+            unresolved = 0
+            for target in targets:
+                ip = resolve_host(target)
+                if ip is not None:
+                    resolved_targets[target] = ip
+                else:
+                    unresolved += 1
+
+            print(
+                f"Discovery: skipped, {len(resolved_targets)} resolvable target(s), "
+                f"{unresolved} unresolved"
+            )
+        else:
+            discovery_ports = _parse_discovery_ports(args.discovery_ports)
+            summary = discover_hosts(
+                targets,
+                probe_ports=discovery_ports,
+                timeout=args.discovery_timeout,
+                workers=args.workers,
+            )
+            resolved_targets = to_resolved_target_map(summary)
+            print(
+                f"Discovery: {len(summary.alive)} alive, "
+                f"{len(summary.down)} down/unresponsive, "
+                f"{len(summary.unresolved)} unresolved"
+            )
+
+        if not resolved_targets:
+            print("No reachable or resolvable targets to scan.")
+            return 1
 
-        # Scan all targets
-        all_results = scan_targets(targets, ports, args.timeout, args.workers)
+        # Scan discovered/reachable targets
+        all_results = scan_targets_resolved(resolved_targets, ports, args.timeout, args.workers)
 
         # Display results for each target
-        for target, results in all_results.items():
-            ip = resolve_host(target)
-            if ip is None:
-                print(f"\nTarget: {target} (unable to resolve)")
-                continue
-                
+        for target in resolved_targets:
+            results = all_results.get(target, [])
+            ip = resolved_targets[target]
             print(f"\nTarget: {target} ({ip})")
 
             # Apply fingerprinting if requested

NetSleuth/discovery.py

@@ -0,0 +1,159 @@
+import errno
+import socket
+import time
+from dataclasses import dataclass, field
+from queue import Empty, Queue
+from threading import Lock, Thread
+from typing import Dict, Iterable, List, Optional
+
+from .scanner import resolve_host
+
+DEFAULT_DISCOVERY_PORTS = (443, 80, 22)
+
+
+@dataclass
+class HostDiscoveryResult:
+    target: str
+    ip: Optional[str]
+    alive: bool
+    reason: str
+    latency_ms: Optional[float] = None
+
+
+@dataclass
+class HostDiscoverySummary:
+    alive: List[HostDiscoveryResult] = field(default_factory=list)
+    down: List[HostDiscoveryResult] = field(default_factory=list)
+    unresolved: List[HostDiscoveryResult] = field(default_factory=list)
+
+
+def tcp_probe(ip: str, port: int, timeout: float) -> tuple[bool, str, Optional[float]]:
+    """Probe a TCP port and return (is_host_reachable, outcome, latency_ms)."""
+    start = time.perf_counter()
+    try:
+        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+            sock.settimeout(timeout)
+            code = sock.connect_ex((ip, port))
+        latency_ms = (time.perf_counter() - start) * 1000.0
+
+        if code == 0:
+            return True, "open", latency_ms
+
+        # RST/connection refused indicates the host is reachable.
+        if code == errno.ECONNREFUSED:
+            return True, "refused", latency_ms
+
+        return False, f"code:{code}", latency_ms
+    except socket.timeout:
+        return False, "timeout", (time.perf_counter() - start) * 1000.0
+    except OSError as e:
+        return False, f"error:{e.errno}", (time.perf_counter() - start) * 1000.0
+
+
+def discover_host(target: str, probe_ports: Iterable[int], timeout: float) -> HostDiscoveryResult:
+    """Resolve and probe a single target to determine if it is likely reachable."""
+    ip = resolve_host(target)
+    if ip is None:
+        return HostDiscoveryResult(target=target, ip=None, alive=False, reason="dns_failed")
+
+    for port in probe_ports:
+        alive, outcome, latency_ms = tcp_probe(ip, port, timeout)
+        if alive:
+            return HostDiscoveryResult(
+                target=target,
+                ip=ip,
+                alive=True,
+                reason=f"{outcome}:{port}",
+                latency_ms=latency_ms,
+            )
+
+    return HostDiscoveryResult(target=target, ip=ip, alive=False, reason="all_probes_failed")
+
+
+def _discovery_worker(
+    probe_ports: List[int],
+    timeout: float,
+    q: Queue[str],
+    summary: HostDiscoverySummary,
+    lock: Lock,
+) -> None:
+    while True:
+        try:
+            target = q.get_nowait()
+        except Empty:
+            return
+
+        try:
+            result = discover_host(target, probe_ports, timeout)
+            with lock:
+                if result.ip is None:
+                    summary.unresolved.append(result)
+                elif result.alive:
+                    summary.alive.append(result)
+                else:
+                    summary.down.append(result)
+        finally:
+            q.task_done()
+
+
+def discover_hosts(
+    targets: List[str],
+    probe_ports: List[int] | None = None,
+    timeout: float = 0.3,
+    workers: int = 100,
+) -> HostDiscoverySummary:
+    """
+    Discover reachable hosts from a list of targets.
+
+    A host is considered reachable when any discovery probe returns an open
+    or connection-refused response.
+    """
+    deduped_targets = [t for t in dict.fromkeys(targets) if t]
+    ports = list(probe_ports) if probe_ports else list(DEFAULT_DISCOVERY_PORTS)
+    if not ports:
+        raise ValueError("Discovery probe port list cannot be empty")
+
+    summary = HostDiscoverySummary()
+    if not deduped_targets:
+        return summary
+
+    if workers <= 1:
+        for target in deduped_targets:
+            result = discover_host(target, ports, timeout)
+            if result.ip is None:
+                summary.unresolved.append(result)
+            elif result.alive:
+                summary.alive.append(result)
+            else:
+                summary.down.append(result)
+        return summary
+
+    q: Queue[str] = Queue()
+    for target in deduped_targets:
+        q.put(target)
+
+    lock = Lock()
+    threads: list[Thread] = []
+    w = min(max(1, workers), len(deduped_targets))
+    for _ in range(w):
+        t = Thread(target=_discovery_worker, args=(ports, timeout, q, summary, lock), daemon=True)
+        t.start()
+        threads.append(t)
+
+    q.join()
+    for t in threads:
+        t.join(timeout=0.1)
+
+    # Preserve input order for deterministic output.
+    alive_map = {r.target: r for r in summary.alive}
+    down_map = {r.target: r for r in summary.down}
+    unresolved_map = {r.target: r for r in summary.unresolved}
+    summary.alive = [alive_map[t] for t in deduped_targets if t in alive_map]
+    summary.down = [down_map[t] for t in deduped_targets if t in down_map]
+    summary.unresolved = [unresolved_map[t] for t in deduped_targets if t in unresolved_map]
+    return summary
+
+
+def to_resolved_target_map(summary: HostDiscoverySummary) -> Dict[str, str]:
+    """Return target -> ip mapping for discovered reachable hosts."""
+    return {r.target: r.ip for r in summary.alive if r.ip is not None}

NetSleuth/scanner.py

@@ -69,12 +69,27 @@ def scan_host_ports(host: str, ports: Iterable[int], timeout: float, workers: in
         return []
     return scan_ports(ip, list(ports), timeout=timeout, workers=workers, target=host)
 
+
+def scan_targets_resolved(
+    resolved_targets: Dict[str, str],
+    ports: Iterable[int],
+    timeout: float,
+    workers: int,
+) -> Dict[str, List[ScanResult]]:
+    """Scan multiple targets using a pre-resolved target->ip mapping."""
+    results: Dict[str, List[ScanResult]] = {}
+    for target, ip in resolved_targets.items():
+        results[target] = scan_ports(ip, list(ports), timeout=timeout, workers=workers, target=target)
+    return results
+
 def scan_targets(targets: Iterable[str], ports: Iterable[int], timeout: float, workers: int) -> Dict[str, List[ScanResult]]:
     """Scan multiple targets and return results grouped by target."""
-    results: Dict[str, List[ScanResult]] = {}
+    resolved_targets: Dict[str, str] = {}
     for target in targets:
-        results[target] = scan_host_ports(target, ports, timeout, workers)
-    return results
+        ip = resolve_host(target)
+        if ip is not None:
+            resolved_targets[target] = ip
+    return scan_targets_resolved(resolved_targets, ports, timeout, workers)
 
 def _worker(host: str, timeout: float, q: Queue[int], results: list[ScanResult], lock: Lock, target: str | None = None) -> None:
     while True:

README.md

@@ -418,7 +418,7 @@ NetSleuth is an **educational tool** with intentional limitations:
 
 ## Legal &  Ethical Usage
 
-⚠️ **AUTHORIZATION REQUIRED** - Only scan systems you own or have explicit written permission to test.
+**AUTHORIZATION REQUIRED** - Only scan systems you own or have explicit written permission to test.
 
 Unauthorized scanning may violate:
 - Computer Fraud and Abuse Act (CFAA - US)