A Python-based network vulnerability scanner that performs port scanning, service enumeration, banner grabbing, HTTP security header analysis, SSL/TLS auditing, and DNS reconnaissance - with automated vulnerability detection and professional reporting.
- Overview
- Cybersecurity Concepts
- Features
- Architecture
- Installation
- Usage
- Scan Modules
- Project Structure
- Sample Output
- Interview Talking Points
- Disclaimer
## Overview

This tool performs active reconnaissance and vulnerability assessment against target hosts. It combines multiple scanning techniques into a single automated pipeline, mimicking what professional tools like Nmap, Nikto, and SSLyze do - but built from scratch to demonstrate deep understanding.
The scanner identifies:
- Open ports via multi-threaded TCP connect scanning (full three-way handshake; no raw sockets or elevated privileges required)
- Running services through banner grabbing and protocol fingerprinting
- Known vulnerabilities by matching service versions against a vulnerability database
- HTTP security misconfigurations (missing headers, insecure cookies, server info leaks)
- SSL/TLS weaknesses (expired certs, weak protocols, self-signed certs)
- DNS information (subdomains, mail servers, zone transfer attempts)
- Default credentials on common services
Results are compiled into professional JSON and HTML reports.
## Cybersecurity Concepts

Vulnerability scanning is the systematic process of probing a system to discover security weaknesses. It sits in the reconnaissance and assessment phase of both:
- Penetration Testing Methodology (PTES): Intelligence Gathering → Vulnerability Analysis
- Cyber Kill Chain: Reconnaissance (what the scanner finds feeds the later Weaponization stage, but scanning itself is reconnaissance)
| Aspect | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Goal | Identify vulnerabilities | Exploit vulnerabilities |
| Depth | Broad surface coverage | Deep targeted exploitation |
| Risk | Low (non-destructive) | Higher (may crash services) |
| Automation | Highly automated | Manual + automated |
| Tools | Nessus, OpenVAS, Qualys | Metasploit, Burp Suite, manual |
Our scanner falls in the vulnerability scanning category - it identifies weaknesses without exploiting them.
| Scan Type | Layer | What We Find |
|---|---|---|
| Port Scanning | Transport (L4) | Open ports, running services |
| Banner Grabbing | Application (L7) | Service names and versions |
| HTTP Analysis | Application (L7) | Security misconfigurations |
| SSL/TLS Audit | Session (L5) | Certificate and protocol issues |
| DNS Recon | Application (L7) | Subdomains, mail servers, DNS info |
## Features

- Multi-threaded TCP port scanner with configurable thread count and timeout
- Top 1000 ports or custom port ranges with well-known service mapping
- Banner grabbing with protocol-specific probes (HTTP, FTP, SSH, SMTP)
- Vulnerability matching against built-in signature database
- HTTP security header analyzer - checks 10+ security headers
- SSL/TLS certificate and protocol auditor
- DNS reconnaissance - A, AAAA, MX, NS, TXT, SOA records + zone transfer
- Default credential checker for common services
- JSON + HTML report generation with severity ratings
- Configurable via YAML with scan profiles (quick, standard, full)
- Color-coded terminal output with progress indicators
- Rate limiting to avoid overwhelming targets
## Architecture

```text
┌─────────────────────────────────────────────────────────────┐
│                       MAIN CONTROLLER                       │
│                      (vuln_scanner.py)                      │
├─────────┬──────────┬──────────┬──────────┬─────────┬────────┤
│  Port   │ Service  │   Vuln   │   HTTP   │   SSL   │  DNS   │
│ Scanner │ Detector │ Checker  │ Analyzer │ Auditor │ Recon  │
│         │          │          │          │         │        │
│ TCP Scan│ Banners  │ CVE DB   │ Headers  │ Certs   │Records │
│ Threads │ Probes   │ Matching │ Cookies  │ Protos  │SubEnum │
│ Top1000 │ Versions │ Defaults │ Leaks    │ Ciphers │ZoneTfr │
├─────────┴──────────┴──────────┴──────────┴─────────┴────────┤
│                      REPORT GENERATOR                       │
│                   (JSON + HTML + Console)                   │
└─────────────────────────────────────────────────────────────┘
```
## Installation

Requirements:
- Python 3.8 or higher
- Works on Windows, Linux, and macOS

```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/vulnerability-scanner.git
cd vulnerability-scanner

# Create virtual environment
python -m venv venv

# Activate (Windows)
venv\Scripts\activate

# Activate (Linux/macOS)
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt
```

## Usage

Quick profile:
```bash
python vuln_scanner.py -t scanme.nmap.org --profile quick
```

Standard profile (the default when `--profile` is omitted):
```bash
python vuln_scanner.py -t scanme.nmap.org
```

Full profile:
```bash
python vuln_scanner.py -t scanme.nmap.org --profile full
```

Other options:
```bash
# Specific port range
python vuln_scanner.py -t 192.168.1.1 -p 1-1000

# Specific ports
python vuln_scanner.py -t example.com -p 22,80,443,3306

# Skip certain modules
python vuln_scanner.py -t example.com --skip-ssl --skip-dns

# Custom threads and timeout
python vuln_scanner.py -t 10.0.0.1 --threads 200 --timeout 3

# Output to specific report file
python vuln_scanner.py -t example.com -o reports/scan_results

# Run only specific modules
python vuln_scanner.py -t example.com --modules ports,http,ssl
```

## Scan Modules

### Port Scanner
Discovers open TCP ports using connect scanning with multi-threading. Maps ports to known services and determines port state (open/closed/filtered). A connect scan completes the full handshake, so it needs no raw sockets or elevated privileges, but it is noisier than a SYN scan: the service behind every open port sees a real connection and may log it.
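The following is an added example of the connect-scan technique described above, written for this README; it is not the project's `port_scanner.py`. It assumes a hand-picked subset of IANA service names (`WELL_KNOWN`), a simple next-slot rate limiter shared by all worker threads, and a `demo()` that scans loopback only so it runs offline.

```python
"""Multi-threaded TCP connect scan with per-socket timeout and a shared rate
limiter. Added example for this README; not the project's port_scanner.py.
WELL_KNOWN is a hand-picked subset of the IANA service names."""
import errno
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 53: "domain", 80: "http",
              443: "https", 3306: "mysql", 8080: "http-alt"}


class RateLimiter:
    """Spaces connection attempts so that all threads together stay under
    `rate` attempts per second (next-slot reservation under a lock)."""

    def __init__(self, rate):
        self.interval = 1.0 / rate
        self.lock = threading.Lock()
        self.next_slot = time.monotonic()

    def wait(self):
        with self.lock:                       # reserve a slot atomically...
            slot = max(self.next_slot, time.monotonic())
            self.next_slot = slot + self.interval
        delay = slot - time.monotonic()       # ...then sleep outside the lock
        if delay > 0:
            time.sleep(delay)


def probe_port(host, port, timeout, limiter=None):
    """Classify one port. A completed handshake means open; an RST
    (ConnectionRefusedError) means closed; silence until the timeout means
    something dropped the SYN, which is reported as filtered."""
    if limiter is not None:
        limiter.wait()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            return "closed"


def scan(host, ports, threads=100, timeout=2.0, rate=500):
    """Scan `ports` concurrently; returns {port: (state, service_name)}."""
    limiter = RateLimiter(rate)
    results = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        futures = {pool.submit(probe_port, host, p, timeout, limiter): p
                   for p in ports}
        for fut, port in futures.items():
            results[port] = (fut.result(), WELL_KNOWN.get(port, "unknown"))
    return results


def open_ports(results):
    return sorted(p for p, (state, _) in results.items() if state == "open")


def demo():
    """Offline demonstration on loopback: one listening socket (expected open)
    and one ephemeral port that was bound and released (expected closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                             # never connected, so no TIME_WAIT
    try:
        results = scan("127.0.0.1", [open_port, closed_port], threads=4, timeout=1.0)
    finally:
        listener.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    opened, closed, res = demo()
    for port, (state, service) in sorted(res.items()):
        print(f"{port}/tcp\t{state}\t{service}")
    print("open:", open_ports(res))
```

Against a real target the "filtered" bucket is where firewall drops land; a short timeout (the README's default of 2 s) keeps a fully filtered /24 from taking hours, and the rate limiter is what stops 100 threads from tripping the target's SYN-flood protection.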
### Service Detector
Performs banner grabbing on open ports by sending protocol-specific probes. Identifies service names and version numbers for vulnerability matching.

### Vulnerability Checker
Matches discovered service versions against a built-in vulnerability database. Checks for known CVEs, default credentials, and dangerous configurations.
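The banner-to-version-to-signature pipeline that the Service Detector and Vulnerability Checker sections describe, as an added example for this README (not the project's `service_detector.py` or `vuln_checker.py`). `PROBES`, `BANNER_PATTERNS`, `SIGNATURES` and `CONSTRUCTED_BANNERS` are all constructed for the example; the Apache and OpenSSH thresholds mirror the advisories in the sample output below, and the vsFTPd entry is the well-known backdoored 2.3.4 release.

```python
"""Banner parsing and version-range matching. Added example for this README;
not the project's service_detector.py / vuln_checker.py. BANNER_PATTERNS,
SIGNATURES and CONSTRUCTED_BANNERS are illustrative and constructed."""
import re
import socket

# Daemons such as SSH, FTP and SMTP greet first, so an empty probe suffices;
# HTTP answers only a request, and SMTP reveals more after EHLO.
PROBES = {
    80: b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n",
    25: b"EHLO scanner.invalid\r\n",
}

# (compiled regex, service); group 1, when present, is the version string.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "openssh"),
    (re.compile(r"^220 .*?\(vsFTPd ([\d.]+)\)"), "vsftpd"),
    (re.compile(r"^220 .*?ESMTP Postfix", re.I), "postfix"),  # hides version by default
    (re.compile(r"^Server: Apache(?:/([\d.]+))?", re.M), "apache"),
    (re.compile(r"^Server: nginx(?:/([\d.]+))?", re.M), "nginx"),
]

# Constructed signature entries: (service, first affected, first fixed, severity, title).
SIGNATURES = [
    ("apache", "2.4.0", "2.4.58", "MEDIUM", "Apache httpd before 2.4.58 - multiple known CVEs"),
    ("openssh", "0", "9.0", "LOW", "OpenSSH before 9.0 - older version with known issues"),
    ("vsftpd", "2.3.4", "2.3.5", "HIGH", "vsFTPd 2.3.4 - backdoored release (CVE-2011-2523)"),
]


def grab_banner(host, port, timeout=3.0):
    """Connect, send the port's probe (if any) and read the first 1 KiB. Network call."""
    probe = PROBES.get(port, b"")
    if b"%s" in probe:
        probe = probe % host.encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            return sock.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""


def parse_banner(banner):
    """Return (service, version); version is None when the banner hides it."""
    for pattern, service in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return service, (match.group(1) if match.groups() else None)
    return None, None


def version_tuple(version):
    """'2.4.7' -> (2, 4, 7). Non-numeric suffixes such as the 'p1' in
    '6.6.1p1' are dropped so that tuples compare numerically."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def match_vulns(service, version):
    """Every signature whose [first_affected, first_fixed) range contains the version."""
    if not service or not version:
        return []
    ver = version_tuple(version)
    return [(severity, title)
            for svc, low, fixed, severity, title in SIGNATURES
            if svc == service and version_tuple(low) <= ver < version_tuple(fixed)]


CONSTRUCTED_BANNERS = {   # what grab_banner() might return; made up for the demo
    22: "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    21: "220 (vsFTPd 3.0.3)\r\n",
    25: "220 mail.example ESMTP Postfix\r\n",
}


def assess(banners):
    """port -> (service, version, [(severity, title), ...])."""
    findings = {}
    for port, banner in banners.items():
        service, version = parse_banner(banner)
        findings[port] = (service, version, match_vulns(service, version))
    return findings


if __name__ == "__main__":
    for port, (service, version, vulns) in sorted(assess(CONSTRUCTED_BANNERS).items()):
        print(f"{port}/tcp {service or '?'} {version or '?'} {vulns}")
```

The half-open interval `[first_affected, first_fixed)` is the convention NVD's CPE ranges use, and comparing numeric tuples rather than strings is what keeps `2.4.58` sorting after `2.4.7`. Banner-derived versions are still only evidence: distributions backport fixes without bumping the version string, so a match here is a lead for the report, not proof of exploitability.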
### HTTP Analyzer
Inspects HTTP/HTTPS responses for security header compliance including: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, and server information disclosure (Server and X-Powered-By values that include a version). Note that X-XSS-Protection is deprecated: current browsers ignore it, and where it is still sent the recommended value is `0`, with Content-Security-Policy as the real XSS defence.
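An added example of the header and cookie checks this module performs, written for this README rather than taken from the project's `http_analyzer.py`. It works on the `(name, value)` pairs that `http.client`'s `HTTPResponse.getheaders()` returns; `REQUIRED`, the 180-day HSTS threshold and the two responses at the bottom (a weak one and its hardened counterpart) are constructed for the example.

```python
"""Security header and cookie checks over (name, value) pairs. Added example
for this README; not the project's http_analyzer.py. WEAK_RESPONSE and
HARDENED_RESPONSE are constructed inputs."""
import http.client
import re
from urllib.parse import urlsplit

# header -> (severity when missing, why it matters)
REQUIRED = {
    "content-security-policy": ("MEDIUM", "XSS has no second line of defence"),
    "x-frame-options": ("MEDIUM", "page can be framed (clickjacking)"),
    "x-content-type-options": ("LOW", "MIME sniffing not disabled"),
    "referrer-policy": ("LOW", "full URLs may leak in the Referer header"),
    "permissions-policy": ("INFO", "browser features are not restricted"),
}
MIN_HSTS_AGE = 180 * 86400


def fetch_headers(url, timeout=5.0):
    """HEAD request; returns (status, [(name, value), ...]). Network call."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def analyze(headers, scheme="https"):
    """Return [(severity, subject, message), ...]; empty means nothing to flag."""
    single, cookies = {}, []
    for name, value in headers:           # Set-Cookie repeats; keep every copy
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single.setdefault(name.lower(), value)
    findings = []

    # HSTS is only honoured on the HTTPS origin, so only judge it there.
    if scheme == "https":
        hsts = single.get("strict-transport-security")
        if hsts is None:
            findings.append(("MEDIUM", "Strict-Transport-Security",
                             "missing: first request can be SSL-stripped"))
        else:
            age = re.search(r"max-age=(\d+)", hsts)
            if not age or int(age.group(1)) < MIN_HSTS_AGE:
                findings.append(("LOW", "Strict-Transport-Security",
                                 "max-age shorter than 180 days"))

    csp = single.get("content-security-policy", "")
    for header, (severity, why) in REQUIRED.items():
        if header == "x-frame-options" and "frame-ancestors" in csp:
            continue                      # CSP frame-ancestors supersedes it
        if header not in single:
            findings.append((severity, header, "missing: " + why))

    if single.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append(("LOW", "x-content-type-options", "present but not 'nosniff'"))

    # Deprecated: the filter it enabled caused its own leaks; send 0 or drop it.
    xss = single.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("INFO", "x-xss-protection", "deprecated filter enabled; rely on CSP"))

    for header in ("server", "x-powered-by"):
        if re.search(r"\d", single.get(header, "")):
            findings.append(("LOW", header, f"version disclosed: {single[header]}"))

    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if scheme == "https" and "secure" not in attrs:
            findings.append(("MEDIUM", f"cookie {name}", "missing Secure"))
        if "httponly" not in attrs:
            findings.append(("LOW", f"cookie {name}", "missing HttpOnly"))
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(("LOW", f"cookie {name}", "missing SameSite"))
    return findings


WEAK_RESPONSE = [                         # constructed
    ("Date", "Sun, 16 Mar 2025 12:00:00 GMT"),
    ("Server", "Apache/2.4.7 (Ubuntu)"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Content-Type", "text/html"),
]
HARDENED_RESPONSE = [                     # constructed
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for severity, subject, message in analyze(hdrs):
            print(f"  [{severity}] {subject}: {message}")
```

Two details matter for accuracy: `Set-Cookie` can appear several times, so the parser must not collapse headers into a dict before inspecting cookies, and HSTS findings only make sense on the HTTPS origin, so the scheme the response was fetched over is an input to the check, not an afterthought.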
### SSL/TLS Auditor
Checks SSL certificates for expiration, self-signing, and weak signature algorithms. Tests for deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1) by attempting a handshake pinned to each version; a server that completes the handshake still offers that version regardless of what it prefers.
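An added example for this README (not the project's `ssl_analyzer.py`) of the certificate checks on the dict shape that `ssl.SSLSocket.getpeercert()` returns, plus a live per-version handshake probe. `CONSTRUCTED_CERT` and the clock values in `demo()` are made up so the certificate part runs offline; `probe_protocols()` is the only function that touches the network.

```python
"""Certificate checks on the getpeercert() dict plus a live TLS-version probe.
Added example for this README; not the project's ssl_analyzer.py.
CONSTRUCTED_CERT and the scenario clocks in demo() are made up."""
import socket
import ssl
import time

PROTOCOLS = [                     # (label, ssl.TLSVersion, deprecated?)
    ("TLS 1.0", ssl.TLSVersion.TLSv1, True),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1, True),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2, False),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3, False),
]


def flatten_name(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}


def hostname_matches(hostname, sans):
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    host = hostname.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and host.endswith(san[1:]) \
                and host.count(".") == san.count("."):
            return True
    return False


def audit_cert(cert, hostname, now=None):
    """[(severity, message), ...] for expiry, validity window, self-signing and
    hostname mismatch. The signature algorithm is not in this dict: flagging
    SHA-1 needs getpeercert(binary_form=True) and a DER parser."""
    now = time.time() if now is None else now
    findings = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if now > not_after:
        findings.append(("HIGH", "certificate expired"))
    elif not_after - now < 30 * 86400:
        findings.append(("LOW", "certificate expires within 30 days"))
    if now < not_before:
        findings.append(("MEDIUM", "certificate not yet valid"))
    if flatten_name(cert.get("subject", ())) == flatten_name(cert.get("issuer", ())):
        findings.append(("MEDIUM", "self-signed certificate (issuer equals subject)"))
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not hostname_matches(hostname, sans):
        findings.append(("HIGH", f"hostname {hostname} not covered by SAN {sans}"))
    return findings


def probe_protocols(host, port=443, timeout=5.0):
    """Handshake once per version with min == max pinned; {label: accepted}.
    Verification is off on purpose (audit_cert judges the certificate).
    SSLv3 cannot be probed: current OpenSSL builds no longer ship it."""
    results = {}
    for label, version, _ in PROTOCOLS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")   # let OpenSSL 3 offer legacy suites
        except ssl.SSLError:
            pass
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[label] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[label] = False
    return results


def deprecated_offered(results):
    return [label for label, _, deprecated in PROTOCOLS
            if deprecated and results.get(label)]


CONSTRUCTED_CERT = {                       # self-signed, valid through 2024
    "subject": ((("commonName", "scanme.example"),),),
    "issuer": ((("commonName", "scanme.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "scanme.example"), ("DNS", "*.scanme.example")),
}


def demo():
    """Two offline scenarios against CONSTRUCTED_CERT at fixed clock values."""
    mid_2024 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
    mid_2025 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
    return {
        "valid_period_wrong_host": audit_cert(CONSTRUCTED_CERT, "other.example", mid_2024),
        "expired_wildcard_host": audit_cert(CONSTRUCTED_CERT, "www.scanme.example", mid_2025),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings)
```

Pinning `minimum_version == maximum_version` is the reliable way to ask "do you accept TLS 1.0?": a default context would simply negotiate 1.3 and tell you nothing about what else the server allows. Passing `now` into `audit_cert()` keeps the expiry logic testable and lets a report be reproduced later against the same clock.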
### DNS Recon
Enumerates DNS records (A, AAAA, MX, NS, TXT, SOA), attempts zone transfers (AXFR against each authoritative name server listed in the NS records; a server that answers dumps the entire zone, which is a finding in itself), and performs subdomain discovery using a wordlist.
## Project Structure

```text
vulnerability-scanner/
│
├── README.md                 # This file
├── requirements.txt          # Python dependencies
├── config.yaml               # Configuration and scan profiles
├── vuln_scanner.py           # Main entry point
│
├── modules/
│   ├── __init__.py
│   ├── port_scanner.py       # TCP port scanning engine
│   ├── service_detector.py   # Banner grabbing and service ID
│   ├── vuln_checker.py       # Vulnerability database matching
│   ├── http_analyzer.py      # HTTP security header analysis
│   ├── ssl_analyzer.py       # SSL/TLS certificate auditing
│   ├── dns_recon.py          # DNS enumeration
│   ├── report_generator.py   # JSON + HTML report creation
│   └── utils.py              # Shared utilities
│
├── tests/
│   ├── __init__.py
│   └── test_scanner.py       # Unit tests
│
├── wordlists/
│   └── subdomains.txt        # Common subdomain wordlist
│
├── reports/                  # Generated scan reports
└── LICENSE
```
## Sample Output

```text
╔══════════════════════════════════════════════════════════════╗
║                 VULNERABILITY SCANNER v1.0.0                 ║
╚══════════════════════════════════════════════════════════════╝
[*] Target: scanme.nmap.org (45.33.32.156)
[*] Profile: standard | Threads: 100 | Timeout: 2s
[*] Modules: ports, services, vulns, http, ssl, dns

━━━━━━━━━━━━━━━━━━ PORT SCAN ━━━━━━━━━━━━━━━━━━
[✓] Scanning 1000 ports with 100 threads...

PORT       STATE   SERVICE      VERSION
22/tcp     open    ssh          OpenSSH 6.6.1p1
80/tcp     open    http         Apache httpd 2.4.7
443/tcp    open    https        Apache httpd 2.4.7
9929/tcp   open    nping-echo   Nping echo

Open: 4 | Closed: 996 | Duration: 8.3s

━━━━━━━━━━━━━━━ VULNERABILITIES ━━━━━━━━━━━━━━━
⚠️  [MEDIUM] Apache httpd 2.4.7 - Multiple known CVEs
    Affected: Port 80, 443
    Advisory: Upgrade to Apache 2.4.58+

⚠️  [LOW] OpenSSH 6.6.1p1 - Older version with known issues
    Affected: Port 22
    Advisory: Upgrade to OpenSSH 9.0+

━━━━━━━━━━━━━━ HTTP ANALYSIS ━━━━━━━━━━━━━━━━━
🔒 Security Headers (http://scanme.nmap.org)
  ✗ Strict-Transport-Security   MISSING - No HTTPS enforcement
  ✗ Content-Security-Policy     MISSING - XSS risk
  ✗ X-Frame-Options             MISSING - Clickjacking risk
  ✓ X-Content-Type-Options      Present
  ⚠ Server                      Apache/2.4.7 - Version exposed

━━━━━━━━━━━━━━━━ SUMMARY ━━━━━━━━━━━━━━━━━━━━━
Total Findings: 12
Critical: 0 | High: 1 | Medium: 4 | Low: 5 | Info: 2

Report saved: reports/scanme.nmap.org_20250316.html
```
## Interview Talking Points

- **"How does your port scanner work?"**
  - Uses TCP connect scanning with Python's socket library
  - Multi-threaded with configurable thread count for speed
  - Implements timeout and rate limiting to avoid overwhelming targets
  - Maps open ports to well-known services using IANA port assignments

- **"How do you identify running services?"**
  - Banner grabbing: connect to the port and read the server's greeting
  - Protocol-specific probes: send HTTP HEAD request, EHLO for SMTP, etc.
  - Version extraction via regex patterns on banner responses
  - This is similar to Nmap's -sV (version detection) flag

- **"How does vulnerability matching work?"**
  - Extracted service versions are compared against a signature database
  - Pattern matching identifies known-vulnerable version ranges
  - Similar in concept to how Nessus plugin checks work
  - Could be extended with NVD/CVE API integration

- **"What HTTP security headers matter?"**
  - HSTS forces browsers to use HTTPS for the origin, defeating SSL-stripping downgrade attacks
  - CSP mitigates XSS by restricting the sources from which scripts and other content may load
  - X-Frame-Options (or CSP frame-ancestors) prevents clickjacking
  - Server header reveals version info useful for attackers

- **"How would you improve this tool?"**
  - Add UDP scanning for DNS, SNMP, NTP services
  - Integrate with NVD API for real-time CVE lookups
  - Add authentication scanning (SMB, SSH, FTP)
  - Implement SYN scanning (requires raw sockets and therefore root/administrator privileges)
  - Add CVSS scoring for vulnerability prioritization
## Disclaimer

scanme.nmap.org is specifically provided by the Nmap project for authorized testing.

## License

MIT License - see LICENSE file.