Performs authorized network host discovery, port scanning, service identification, CVE vulnerability detection, SSL/TLS analysis, traceroute, and subdomain e...
# Network Scanner — EdgeIQ Professional
**Version:** `1.2.0`
**Skill Name:** `network-scanner`
**Category:** Security / Reconnaissance
**Tiers:** Free v1 | Pro ($29/mo) | Bundle ($39/mo)
**Author:** EdgeIQ Labs
**OpenClaw Compatible:** Yes — Python 3, pure stdlib, WSL + Windows
---
## What It Does
Professional-grade network reconnaissance: host discovery, full-spectrum port scanning, service fingerprinting, CVE matching, SSL/TLS analysis, traceroute, subdomain enumeration, and vulnerability classification — **without nmap**. Pure Python sockets, works on WSL/Linux and Windows.
Designed for **authorized security auditing of networks you own or have explicit written permission to scan**.
> ⚠️ **Legal Notice:** Only scan networks you own or have explicit written permission to audit. Unauthorized scanning is illegal. This tool is for defensive security professionals, penetration testers, and network administrators.
---
## Features
### Core Capabilities
- **Host Discovery** — ICMP ping + TCP connect probe (works through firewalls)
- **Port Scanning** — Full spectrum: quick (9) / normal (20) / intense (100) / full (1–1024) / deep (1–65535)
- **Service Banner Grabbing** — Identify services and exact version strings from open ports
- **HTTP/HTTPS Fingerprinting** — Server detection, tech stack identification (WordPress, IIS, nginx, etc.), title grabbing, redirect following
- **SSL/TLS Security Grading** — Certificate analysis, protocol detection, cipher inspection, grade assignment (A–F)
- **OS Fingerprinting** — TTL + window size + open-port pattern heuristics (Linux/Windows/BSD/macOS detection)
- **CVE Matching** — Local database of 40+ CVEs for common services (Apache, nginx, OpenSSH, MySQL, PostgreSQL, Redis, SMB, OpenSSL, MSSQL, VNC, RDP, DNS, SMTP, telnet, MongoDB, etc.)
- **Vulnerability Classification** — Each open port tagged CRITICAL / HIGH / MEDIUM / LOW / NONE
- **Subdomain Enumeration** — DNS lookup of 35+ common subdomain prefixes against discovered hosts
- **Traceroute** — Network path analysis with per-hop RTT (Linux `traceroute`, Windows fallback)
- **Pure Python** — Zero external dependencies (cryptography optional, degrades gracefully)
- **Cross-Platform** — WSL/Linux + Windows + macOS
- **Concurrent Scanning** — Multi-threaded ThreadPoolExecutor (configurable up to 150 workers)
### Operational Features
- **Rate Limiting** — `--rate-delay` for stealth/stealth scanning (e.g. `--rate-delay 0.05`)
- **Proxy Support** — HTTP/SOCKS proxy via `--proxy socks5://host:port`
- **Signal Handling** — Graceful Ctrl+C (finishes current hosts, then exits cleanly)
- **Quiet/Automation Mode** — `--quiet` suppresses progress, exit codes for CI/CD:
- `0` = clean scan, no high-risk findings
- `2` = interrupted
- `3` = CRITICAL CVE found
- `4` = HIGH CVE found
- **Custom Port Range** — `--port-range 1-10000` or `--port-range 1-65535`
- **Output Formats** — Discord (emoji-rich), Simple (CLI), JSON (machine-readable), HTML (polished report)
- **File Export** — `--output report.html` / `--output scan.json`
---
## Installation
```bash
# Direct run
python3 /home/guy/.openclaw/workspace/apps/network-scanner/scanner.py
# As OpenClaw skill — copy into skills folder
cp -r /home/guy/.openclaw/workspace/apps/network-scanner ~/.openclaw/skills/network-scanner
# Optional: make it executable
chmod +x /home/guy/.openclaw/workspace/apps/network-scanner/scanner.py
```
---
## Scan Depth Tiers
| Depth | Ports Scanned | Best For |
|-------|--------------|----------|
| `quick` | 9 | Fast local discovery |
| `normal` | 20 | General reconnaissance |
| `intense` | 100 | Full vulnerability assessment |
| `full` | 1–1024 | Complete well-known port sweep |
| `deep` | 1–65535 | Full spectrum (slow, loud) |
---
## Usage Examples
### Basic Scans
```bash
# Quick local scan
python3 scanner.py 192.168.1.0/24 quick
# Normal scan
python3 scanner.py 10.5.1.1 normal
# Intense scan with traceroute + subdomains
python3 scanner.py 10.5.1.1 intense --traceroute --subdomains
# Full well-known port scan (1–1024)
python3 scanner.py 192.168.1.1 full
# Full 65k port deep scan
python3 scanner.py 192.168.1.1 deep
# Custom port range
python3 scanner.py 10.5.1.1 custom --port-range 1-10000
```
### Advanced Features
```bash
# Slow/stealth scan with rate limiting
python3 scanner.py 192.168.1.0/24 normal --rate-delay 0.05 --workers 50
# High-concurrency scan (150 workers)
python3 scanner.py 10.0.0.1 intense --workers 150 --timeout 1.0
# Traceroute + subdomains + SSL analysis
python3 scanner.py target.example.com full --traceroute --subdomains
# Export JSON for automation
python3 scanner.py 192.168.1.1 intense --format json --output scan.json
# Export HTML report
python3 scanner.py 192.168.1.1 intense --format html --output report.html
# Local network discovery
python3 scanner.py --local-scan normal
# Full subnet local scan
python3 scanner.py --local full
```
### As Discord Command
In `#net-scan` channel:
```
!net 192.168.1.0/24 quick
!net 10.5.1.1 intense --traceroute --subdomains
!net scanme.nmap.org full
!net local quick
!net example.com full --format html
```
---
## Output Format Examples
### Discord Format
```
🔍 EdgeIQ Scan Report — `192.168.1.1`
Mode: `intense` | Risk: 🟠 HIGH | Duration: `12.3s`
🟢 192.168.1.1 — server.example.com `2.1ms` | 5 ports | HIGH
└ OS: `Linux/Unix (TTL≈64); Linux/Unix Server`
└ Subdomains: `www.example.com`, `mail.example.com`
└ Route: → 192.168.1.1
80 http Apache/2.4.41 🟠 HIGH — Apache path traversal
443 https nginx/1.18.0 [SSL: B] — Self-signed certificate
22 ssh OpenSSH_8.0 MEDIUM — User enumeration via timing
3306 mysql MySQL/5.7.29 🔴 CRITICAL — Auth bypass (CVE-2012-2122)
─── Stats: 1 hosts | 100 ports scanned | 2 errors
```
### JSON Output
```json
{
"target": "192.168.1.1",
"scan_type": "intense",
"timestamp": "2026-04-22 14:38:00",
"duration_s": 12.3,
"hosts": [{
"ip": "192.168.1.1",
"hostname": "server.example.com",
"is_alive": true,
"rtt_ms": 2.1,
"ttl": 64,
"os_guess": "Linux/Unix (TTL≈64)",
"ports": {
"80": {
"port": 80, "state": "open", "service": "http",
"version": "Apache/2.4.41",
"banner": "Apache/2.4.41 (Ubuntu)",
"cves": [{"cve": "CVE-2017-15710", "level": "MEDIUM", ...}],
"vuln_level": "HIGH",
"http_fingerprint": {"server": "Apache/2.4.41", "tech_stack": ["PHP", "WordPress"]}
}
}
}]
}
```
---
## Tier Comparison
| Feature | Free (v1) | Pro ($29/mo) | Bundle ($39/mo) |
|---------|-----------|--------------|-----------------|
| Port depth | 1–1024 | Full (1–65535) | Full (1–65535) |
| CVE database | Local (~40 entries) | Extended (~200 entries) | Full (~500 entries) |
| Traceroute | ❌ | ✅ | ✅ |
| Subdomain enum | ❌ | ✅ | ✅ |
| Output: HTML report | ❌ | ✅ | ✅ |
| Output: JSON report | ✅ | ✅ | ✅ |
| Output: Discord/Simple | ✅ | ✅ | ✅ |
| Scheduled scans | ❌ | ✅ | ✅ |
| Delta comparison | ❌ | ✅ | ✅ |
| Alert delivery | ❌ | Discord/Telegram/Email | All |
| Proxy support | ❌ | ✅ | ✅ |
| Rate limiting | ✅ | ✅ | ✅ |
| File export | ❌ | ✅ | ✅ |
| Support | Community | Priority | Priority + onboarding |
---
## CVE Coverage
Current local database includes (partial list):
| Service | CVEs Matched |
|---------|-------------|
| Apache httpd | CVE-2024-27316, CVE-2022-31813, CVE-2017-15710 |
| nginx | CVE-2021-23017, CVE-2019-9511/9513/9516, CVE-2013-2028 |
| OpenSSH | CVE-2020-15778, CVE-2018-15473, CVE-2019-6109, CVE-2019-6111 |
| MySQL | CVE-2012-2122, CVE-2018-2562, CVE-2020-2574 |
| PostgreSQL | CVE-2019-9193, CVE-2022-41862 |
| Redis | CVE-2018-11218, CVE-2018-11219, CVE-2019-10192 |
| SMB/Samba | CVE-2017-0144 (EternalBlue) |
| OpenSSL | CVE-2014-0160 (Heartbleed), CVE-2022-0778, CVE-2014-0224 (CCS) |
| MSSQL | CVE-2019-1068, CVE-2019-1069 |
| VNC | CVE-2006-2369, CVE-2015-5239 |
| RDP | CVE-2019-0708 (BlueKeep), CVE-2022-21999 |
| DNS/BIND | CVE-2020-1350 (SIGRed) |
| SMTP/Exim | CVE-2019-10149 |
| telnetd | CVE-2020-10188 |
| MongoDB | CVE-2019-2389 |
| vsftpd | CVE-2011-2523 (backdoor) |
Vuln level derives from CVE severity: CRITICAL > HIGH > MEDIUM > LOW.
---
## Architecture
- **Language:** Python 3 (pure stdlib — no external dependencies)
- **Optional:** `cryptography` library for enhanced SSL certificate parsing (auto-skipped if unavailable)
- **Concurrency:** `concurrent.futures.ThreadPoolExecutor` (configurable workers)
- **Scan Types:** ICMP probe, TCP connect scan, ICMP ping, UDP probe, banner grab, HTTP fingerprint, SSL handshake, DNS lookup, traceroute (ICMP/UDP)
- **Supported Platforms:** Linux/WSL, Windows, macOS
- **Dependencies:** `socket`, `concurrent.futures`, `struct`, `random`, `time`, `ipaddress`, `argparse`, `json`, `ssl`, `hashlib`, `re`, `datetime`, `signal`
---
## Exit Codes (Automation)
| Code | Meaning |
|------|---------|
| `0` | Scan complete, no CRITICAL/HIGH CVEs found |
| `1` | General error |
| `2` | Interrupted (Ctrl+C) |
| `3` | CRITICAL CVE found |
| `4` | HIGH CVE found |
---
## Legal & Ethical Use
This tool is for:
- Network administrators auditing their own infrastructure
- Penetration testers assessing client networks with authorization
- Bug bounty researchers (with program approval)
- Security researchers studying their own networks
This tool must NOT be used:
- Against networks without explicit written permission
- On public infrastructure you don't own
- For any unauthorized access or reconnaissance
---
## Upgrade Links
- **Network Pro ($29/mo):** https://buy.stripe.com/7sYaEZeCn5934nW8AE7wA01
- **XSS Pro ($19/mo):** https://buy.stripe.com/3cI14p0Lxbxr8Ec8AE7wA00
- **Bundle ($39/mo — Network + XSS + more):** https://buy.stripe.com/aFabJ3am79pjg6E18c7wA02
---
## Support
Email: gpalmieri21@gmail.com
Discord: https://discord.gg/aPhSnrU9
Site: https://edgeiqlabs.comdon't have the plugin yet? install it then click "run inline in claude" again.
extracted and formalized host discovery/port scanning/service fingerprinting/cve matching/ssl analysis/traceroute/subdomain enum into explicit procedures with edge cases, added decision trees for icmp fallback/proxy tiers/format branching, clarified exit codes and data contracts, preserved original tier/feature matrix as reference.
run authorized network reconnaissance: host discovery, port scanning, service fingerprinting, CVE matching, SSL/TLS grading, traceroute, and subdomain enumeration. use this when you need to audit infrastructure you own or have explicit written permission to scan. pure python, no nmap, works on linux/wsl/windows. illegal to scan networks without authorization.
Required:
192.168.1.1), CIDR block (e.g. 192.168.1.0/24), domain name (e.g. example.com), or --local for local subnet discovery.quick (9 ports), normal (20 ports), intense (100 ports), full (1-1024 ports), deep (1-65535 ports), or custom (requires --port-range).Optional:
--port-range START-END: custom port range (e.g. 1-10000). only with custom depth.--traceroute: enable network path analysis (shows hops to target). linux/wsl only; windows falls back to ipv4 ping.--subdomains: enumerate 35+ common subdomain prefixes via DNS lookup against discovered hosts.--workers N: thread pool size (default 10, max 150). higher = faster but louder; lower = stealthier.--rate-delay SECONDS: pause between requests (e.g. 0.05 for 50ms delay). stealth mode.--timeout SECONDS: per-connection timeout (default 3.0s). lower = faster but may miss slow services.--proxy PROXY_URL: http or socks5 proxy (e.g. socks5://127.0.0.1:1080). pro tier only.--format FORMAT: output style: discord (emoji-rich), simple (cli), json (machine), html (report). default simple.--output FILE: write results to file (e.g. report.html, scan.json). default stdout.--quiet: suppress progress output. exit codes only (0/2/3/4).Environment/Setup:
cryptography library optional for enhanced ssl cert parsing (auto-skipped if missing).parse cli arguments and validate target.
192.168.1.0/33) fails with explicit error message.resolve hostnames to ip addresses (if needed).
perform host discovery (icmp ping + tcp connect probe on port 80/443).
os fingerprinting via ttl, window size, and port pattern heuristics.
scan ports based on depth tier.
banner grab and service fingerprinting on each open port.
http/https fingerprinting (if port 80 or 443 open).
ssl/tls analysis (if port 443 or custom https port open).
cve matching against local database.
vulnerability severity classification per port.
subdomain enumeration (if --subdomains flag set).
traceroute to target (if --traceroute flag set and linux/wsl).
format output (discord, simple, json, or html).
log summary stats and exit with appropriate code.
if target is --local or --local-scan flag: scan the local subnet (e.g. 192.168.1.0/24) using arp/icmp discovery. else: treat target as explicit ip/domain/cidr.
if icmp ping succeeds on a host: mark host as alive, use ttl for os fingerprinting. else if tcp connect probe on port 80/443 succeeds: mark host as alive (firewall blocks icmp). else: mark host as down, skip scanning (unless user overrides with --force).
if port is 80 or 443: perform http/https fingerprinting (server header, tech stack, title). else if banner grab succeeds: record service + version only.
if port is 443 or custom https port: perform ssl/tls analysis and grading. else: skip ssl checks.
if service version is identified: query cve database for matches. else: skip cve matching for that port, mark vuln_level as none.
if --subdomains flag set: enumerate subdomains against each discovered hostname. else: skip subdomain enum.
if --traceroute flag set and (linux or wsl): run traceroute. else if windows: fallback to ping only. else if not set: skip traceroute.
if --format is json: output machine-readable json. else if html: output html report (requires template, fallback to json if missing). else if discord: output emoji-rich discord markdown. else (simple): output plain cli text.
if --output FILE specified: write results to file. else: write to stdout.
if --quiet flag set: suppress all progress output during scan, print only summary and exit code. else: print per-host progress and timings.
if critical or high cve found during scan: exit code 3 or 4 respectively. else if scan interrupted: code 2. else if scan completes clean: code 0.
if --workers > 150: cap at 150 (hard limit). warn user.
if --rate-delay specified and --workers high: rate-delay may be ignored per thread (threads still run concurrent). document: rate-delay applies per worker, not global.
if cryptography lib missing: ssl cert parsing degraded; tls handshake still works. warn once, continue.
if proxy specified but free tier: error (pro tier feature). else: use proxy for all outbound connections.
if dns lookup for hostname fails: log warning, skip that hostname. if all targets fail dns, exit code 1.
if network timeout mid-port-scan: log error per host, continue to next host.
Exit codes:
Data format (JSON output example):
{
"target": "192.168.1.1",
"scan_type": "intense",
"timestamp": "2026-04-22 14:38:00",
"duration_s": 12.3,
"hosts": [
{
"ip": "192.168.1.1",
"hostname": "server.example.com",
"is_alive": true,
"rtt_ms": 2.1,
"ttl": 64,
"os_guess": "Linux/Unix (TTL≈64)",
"ports": {
"80": {
"port": 80,
"state": "open",
"service": "http",
"version": "Apache/2.4.41",
"banner": "Apache/2.4.41 (Ubuntu)",
"vuln_level": "HIGH",
"cves": [
{
"cve": "CVE-2017-15710",
"severity": "MEDIUM",
"description": "..."
}
],
"http_fingerprint": {
"server": "Apache/2.4.41",
"tech_stack": ["PHP", "WordPress"],
"title": "My Site"
}
},
"443": {
"port": 443,
"state": "open",
"service": "https",
"version": "nginx/1.18.0",
"ssl": {
"subject": "CN=example.com",
"issuer": "CN=Let's Encrypt",
"expiry": "2027-05-15",
"protocol": "TLSv1.3",
"grade": "A",
"warnings": []
},
"vuln_level": "NONE"
}
},
"subdomains": ["www.example.com", "mail.example.com"],
"traceroute": [
{"hop": 1, "ip": "192.168.1.1", "rtt_ms": 2.1, "hostname": "gateway"},
{"hop": 2, "ip": "10.0.0.1", "rtt_ms": 5.3, "hostname": "isp-router"}
]
}
],
"stats": {
"hosts_scanned": 1,
"hosts_alive": 1,
"ports_scanned": 100,
"ports_open": 5,
"critical_cves": 0,
"high_cves": 1
}
}
File locations:
--output report.html: html report written to report.html (in current dir).--output scan.json: json written to scan.json.--output: results printed to stdout.Discord format (emoji-rich example):
🔍 EdgeIQ Scan Report , `192.168.1.1`
Mode: `intense` | Risk: 🟠 HIGH | Duration: `12.3s`
🟢 192.168.1.1 , server.example.com `2.1ms` | 5 ports | HIGH
└ OS: `Linux/Unix (TTL≈64)`
└ Subdomains: `www.example.com`, `mail.example.com`
80 http Apache/2.4.41 🟠 HIGH
443 https nginx/1.18.0 [SSL: A]
─── Stats: 1 hosts | 100 ports scanned
--output set).--quiet: only exit code and final summary shown.--format json: machine can parse results (curl to webhook, import to siem, etc.).--format html: browser opens polished report with charts.--format discord: webhook post appears in slack/discord channel with emoji-rich formatting.credits: edgeiq-labs. original design and cve database. support: gpalmieri21@gmail.com, discord.gg/aPhSnrU9, edgeiqlabs.com.