netscan: IPv4 public address space scanner

Download

Disclaimer and Explanation

Disclaimer

Software is provided AS IS, without any expectation of support, or warranty. These utilities are meant to be used ONLY for understanding the inner workings of port scanners and RATs (Remote Access Trojans). I do not condone any illegal use, and using it for such purposes would be a breach of the license agreement. I will not be held responsible for any misuse.

Explanation

The purpose was not to build something for illegal use. It is simply to understand (at a high level) how this is actually done, and for fun.

Note: There will likely be no more updates to this project.

netscan

IPv4 public address space scanner.

Overview

Environment Information

Runs on Windows or Linux; Linux is preferred.

Run it behind a VPN, preferably headless, on a locked-down system. Scanning the whole public IPv4 space is noisy: it will trip intrusion-detection systems and generate abuse complaints to whoever owns the source address, so check your provider's acceptable-use policy before starting.

Files Included

netscan.py

The core of netscan. It scans every public IPv4 address in order from lowest to highest, checking a fixed list of commonly targeted service ports. Hosts with open ports are logged in a JSON database for further action.

netscan is only a scanner, not an autonomous scan-and-exploit system: netscan scans, and what you do with the results afterwards is up to you.

One companion script, ssh-2.0-exploit.py, is provided to demonstrate a well-known exploit against out-of-date OpenSSH server versions.
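As an added example (not netscan's own code), here is one way to enumerate the public IPv4 space in ascending order while skipping non-routable blocks, with a resume point so an interrupted scan can pick up from the last address written to the database. The exclusion list is mine, built from IANA special-purpose registrations; whatever netscan.py itself excludes is not documented here, and all function names are assumptions.

```python
import functools
import ipaddress

# Non-routable IPv4 blocks a public-address-space scanner should skip.
# Constructed for this example from IANA special-purpose registrations;
# netscan.py's own exclusion list, if it has one, is not known to me.
RESERVED_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]


@functools.lru_cache(maxsize=None)
def public_v4_networks():
    """Return the public IPv4 space as a sorted list of non-overlapping networks.

    Starts from 0.0.0.0/0 and carves out each reserved block. Because CIDR
    blocks nest, every reserved block lies inside exactly one remaining network.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for reserved in map(ipaddress.ip_network, RESERVED_V4):
        carved = []
        for net in remaining:
            if reserved.subnet_of(net):
                carved.extend(net.address_exclude(reserved))
            elif net.subnet_of(reserved):
                continue  # the whole network is reserved; drop it
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def is_public(ip):
    """True if ip falls inside one of the public networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in public_v4_networks())


def iter_public_addresses(resume_from=None):
    """Yield every public IPv4 address in ascending order.

    resume_from lets a long scan continue from where it stopped (for example
    the last key in scan_database.json) without re-walking lower addresses.
    """
    start = ipaddress.ip_address(resume_from) if resume_from else None
    for net in public_v4_networks():
        first, last = net.network_address, net.broadcast_address
        if start is not None and last < start:
            continue  # entire network lies below the resume point
        lo = int(first) if start is None else int(max(first, start))
        for n in range(lo, int(last) + 1):
            yield ipaddress.IPv4Address(n)


def public_address_count():
    """Number of addresses the scanner would visit in a full pass."""
    return sum(net.num_addresses for net in public_v4_networks())


if __name__ == "__main__":
    import itertools
    print(f"{len(public_v4_networks())} public networks, "
          f"{public_address_count()} addresses")
    # Resuming just below the 10.0.0.0/8 hole shows the skip in action.
    for addr in itertools.islice(iter_public_addresses("9.255.255.254"), 4):
        print(addr)
```

A real scanner would also persist the last address handed out by iter_public_addresses so that a restart resumes rather than starting over at 1.0.0.0.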

scan_database.json

scan_database.json is the database that netscan.py reads, updates and maintains. Each entry is keyed by IP and records when an online host was first seen at that IP, when the entry was last updated, and the open ports found; the ports to check are defined in a global list within netscan.py.

scan_database.json is not shipped with the project; netscan.py generates it on first run. The general format looks like the following:

{
  "1.0.4.18": {
    "first_seen": "2025-07-23T22:59:36.043442",
    "last_updated": "2025-07-24T09:25:11.530446",
    "ports": {
      "22/ssh": {
        "status": "open",
        "banner": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.11",
        "last_seen": "2025-07-23T22:59:36.043442"
      },
      "443/https": {
        "status": "open",
        "banner": "",
        "last_seen": "2025-07-24T09:25:11.526049"
      },
      "80/http": {
        "status": "open",
        "banner": "",
        "last_seen": "2025-07-24T09:25:11.530446"
      }
    }
  },
  "1.0.16.9": {
    "first_seen": "2025-07-23T23:25:14.983380",
    "last_updated": "2025-07-23T23:25:14.983380",
    "ports": {
      "22/ssh": {
        "status": "open",
        "banner": "SSH-1.99-Cisco-1.25",
        "last_seen": "2025-07-23T23:25:14.983380"
      }
    }
  },
  ...
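The following is an added example, not code from netscan.py, of the read/update/maintain cycle on a database in this format: loading it, recording a newly found open port so that first_seen survives while last_updated and the port's last_seen move forward, querying it, and writing it back atomically so a crash mid-write cannot destroy the only copy. The two-host sample is constructed from the entries above; function names are assumptions.

```python
import ipaddress
import json
import os
import tempfile
from datetime import datetime

# Constructed sample in the scan_database.json shape, mirroring the entries above.
SAMPLE_DB_JSON = """{
  "1.0.4.18": {
    "first_seen": "2025-07-23T22:59:36.043442",
    "last_updated": "2025-07-24T09:25:11.530446",
    "ports": {
      "22/ssh": {"status": "open",
                 "banner": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.11",
                 "last_seen": "2025-07-23T22:59:36.043442"},
      "443/https": {"status": "open", "banner": "",
                    "last_seen": "2025-07-24T09:25:11.526049"},
      "80/http": {"status": "open", "banner": "",
                  "last_seen": "2025-07-24T09:25:11.530446"}
    }
  },
  "1.0.16.9": {
    "first_seen": "2025-07-23T23:25:14.983380",
    "last_updated": "2025-07-23T23:25:14.983380",
    "ports": {
      "22/ssh": {"status": "open", "banner": "SSH-1.99-Cisco-1.25",
                 "last_seen": "2025-07-23T23:25:14.983380"}
    }
  }
}"""


def sample_database():
    return json.loads(SAMPLE_DB_JSON)


def load_database(path):
    """Load the database, or start empty if it has not been generated yet."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_database(db, path):
    """Write to a temp file in the same directory, then rename over the original."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".scan_db.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(db, fh, indent=2)
        os.replace(tmp, path)  # atomic on POSIX and on Windows
    except BaseException:
        os.unlink(tmp)
        raise


def record_open_port(db, ip, port, service, banner="", now=None):
    """Record an open port for ip. first_seen is set once; last_updated moves forward."""
    stamp = now or datetime.now().isoformat()
    host = db.setdefault(ip, {"first_seen": stamp, "last_updated": stamp, "ports": {}})
    host["last_updated"] = stamp
    host["ports"][f"{port}/{service}"] = {
        "status": "open", "banner": banner, "last_seen": stamp}
    return host


def hosts_with_open_port(db, port_key, banner_prefix=""):
    """IPs with port_key (e.g. '22/ssh') open, optionally filtered by banner prefix.

    Sorted numerically rather than lexically so 1.0.4.18 precedes 1.0.16.9.
    """
    return sorted(
        (ip for ip, host in db.items()
         if host["ports"].get(port_key, {}).get("status") == "open"
         and host["ports"][port_key].get("banner", "").startswith(banner_prefix)),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    db = sample_database()
    record_open_port(db, "1.0.16.9", 443, "https")
    print(hosts_with_open_port(db, "22/ssh", "SSH-2.0-OpenSSH_"))
    save_database(db, "scan_database.example.json")
    print(load_database("scan_database.example.json")["1.0.16.9"]["last_updated"])
```

The banner-prefix filter is how you would pull candidate hosts out of the database for a follow-up script, but note that a prefix such as SSH-2.0-OpenSSH_ only identifies the server software, not whether it is actually vulnerable to anything.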

ssh-2.0-exploit.py

Running python3 ssh-2.0-exploit.py $IP_ADDRESS (default port 22) against an SSH host will attempt the regreSSHion attack (CVE-2024-6387), a race condition in the SIGALRM handler of OpenSSH's sshd that is reachable because glibc's syslog() is not async-signal-safe. It is "brute force" only in the sense that the race must be retried many times: Qualys' public analysis needed on the order of 10,000 attempts over several hours, and exploitation was demonstrated only against 32-bit glibc Linux builds. Note that a banner starting with SSH-2.0 gives the protocol version, not the OpenSSH version. Upstream, only OpenSSH 8.5p1 through 9.7p1 is affected (releases before 4.4p1 had the original bug, CVE-2006-5051), distributions backport the fix without changing the version string, and non-OpenSSH servers such as the Cisco host in the sample database are not affected at all, so a banner alone cannot confirm a target is vulnerable.

The attack works as follows (explanation taken from https://www.varonis.com/blog/openssh-regresshion-rce-vulnerability):

  1. Establish an SSH connection to the target server
  2. Perform the initial handshake
  3. Use heap spraying to send a sequence of packets that manipulate the server's memory allocation patterns
  4. Measure the server response time to fine-tune the exploit timing
  5. Send a carefully timed packet to exploit the signal handler race condition
  6. Once successfully exploited, deliver a shellcode payload for privileged execution

Because this script is only a primitive proof of concept to see how the attack is structured, it performs only steps 1, 2, 3 and 5. It does not measure timing (step 4) or deliver a payload (step 6), so it will not yield a shell even against a vulnerable target.
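Added example (not the project's script) of what to do before pointing a race-based PoC at a host from the database: perform the identification exchange of steps 1 and 2 (RFC 4253 section 4.2), then check whether the advertised OpenSSH version is even in the upstream affected range, 8.5p1 through 9.7p1. The client software name netscan_probe and the server lines in the test are assumptions constructed for the example. The check is a filter, not proof of vulnerability, because it cannot see distribution backports; the example performs none of the memory-manipulation or timing steps.

```python
import re
import socket

# Client identification sent in step 2 (RFC 4253 section 4.2).
# The software name is an assumption, not what ssh-2.0-exploit.py sends.
CLIENT_IDENT = b"SSH-2.0-netscan_probe\r\n"

# SSH-protoversion-softwareversion [SP comments]; softwareversion may itself
# contain '-', as in "Cisco-1.25", so split on the first two dashes only.
IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")

# Upstream OpenSSH releases affected by CVE-2024-6387: 8.5p1 through 9.7p1.
REGRESSHION_FIRST, REGRESSHION_LAST = (8, 5), (9, 7)


def parse_identification(data):
    """Parse the server identification line out of the bytes read after connecting.

    A server may send other lines before it (RFC 4253 section 4.2); those must
    not start with 'SSH-' and are skipped here. A 1.99 protocol version means
    the server speaks both SSH 1.x and 2.0.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("utf-8", errors="replace")
        if not line.startswith("SSH-"):
            continue
        if len(line) + 2 > 255:  # limit includes CR LF
            raise ValueError("identification line longer than 255 bytes")
        m = IDENT_RE.match(line)
        if not m:
            raise ValueError(f"malformed identification: {line!r}")
        return {"proto": m["proto"], "software": m["software"],
                "comments": m["comments"] or ""}
    raise ValueError("no SSH identification line found")


def openssh_version(software):
    """(major, minor) for an OpenSSH software string, None for other servers."""
    m = OPENSSH_RE.match(software)
    return (int(m[1]), int(m[2])) if m else None


def assess_regresshion(ident):
    """'not-openssh', 'possibly-affected' or 'not-affected' from the banner alone.

    'possibly-affected' means only that the upstream version is in range; a
    distribution may have backported the fix under the same version string.
    """
    version = openssh_version(ident["software"])
    if version is None:
        return "not-openssh"
    if REGRESSHION_FIRST <= version <= REGRESSHION_LAST:
        return "possibly-affected"
    return "not-affected"


def grab_identification(host, port=22, timeout=5.0):
    """Steps 1 and 2 only: connect, read the server's line, send ours. Needs network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            complete_lines = data.split(b"\n")[:-1]
            if any(l.startswith(b"SSH-") for l in complete_lines):
                break
        sock.sendall(CLIENT_IDENT)
        return parse_identification(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ident = grab_identification(target)
    print(ident, assess_regresshion(ident))
```

Against the two sample hosts above this classifies the Ubuntu OpenSSH 9.6p1 host as possibly affected (Ubuntu's patch status is invisible in the banner) and the Cisco host as not OpenSSH, which is exactly the triage the bare banner prefix in scan_database.json does not give you.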