Framework: NIST SP 800-115 | CSF 2.0 functions: Identify, Detect

Network Vulnerability Scanner

Automated network reconnaissance and vulnerability identification with CVE mapping

NIST 800-53 controls: RA-5, CA-8, SI-2 (RA, CA and SI families)

Overview

The Network Vulnerability Scanner performs comprehensive network reconnaissance including host discovery, port enumeration, service fingerprinting, and OS detection. It leverages Nmap under the hood and enriches results with CVE lookups, NIST control mappings, and risk scoring. Output is produced in both structured JSON (for pipeline integration) and human-readable Markdown reports.

Prerequisites

Python 3.8+ with python-nmap package
Nmap 7.80+ installed and accessible in PATH
Root/sudo privileges for SYN scans and OS detection
Written authorization for target network ranges

Capabilities

TCP SYN and Connect scan modes
Service version fingerprinting (-sV)
OS detection with confidence scoring (-O)
Automatic CVE lookup for identified services
Risk scoring on a 5×5 likelihood × impact matrix in the style of NIST SP 800-30
Structured JSON output for pipeline import
Markdown report generation with findings table

Usage Guide

Step 1: Define Target Scope

Specify the target IP range or subnet. Ensure you have written authorization (Rules of Engagement) before scanning any network.

```bash
# Single host
python3 network_scan.py --target 192.168.1.1 --output report.md

# Subnet range
python3 network_scan.py --target 192.168.1.0/24 --output report.md
```

Step 2: Execute the Scan

Run the scanner with sudo for full SYN scan and OS detection capabilities. The script automatically performs host discovery, port scanning, service fingerprinting, and vulnerability assessment.

```bash
sudo python3 network_scan.py \
  --target 10.0.0.0/24 \
  --output /reports/network_scan.md
```

Step 3: Review Findings

Open the generated Markdown report to review discovered hosts, open ports, identified services, and flagged vulnerabilities with their risk scores.

Step 4: Import into Risk Assessment

Feed the JSON output into the Risk Assessment & Reporting skill for consolidated scoring and POA&M generation.

```bash
python3 risk_report.py import-findings \
  --project my-audit \
  --file /reports/network_scan.json
```

CLI Commands

Scan a single host with default settings (top 1000 ports, service detection, OS fingerprinting).

```bash
python3 network_scan.py --target 192.168.1.1 --output scan_report.md
```

Expected Output

```text
Scanning 192.168.1.1...
Host: 192.168.1.1 (Status: up)
  Port 22/tcp   open  ssh     OpenSSH 8.9p1
  Port 80/tcp   open  http    Apache 2.4.52
  Port 443/tcp  open  https   Apache 2.4.52
OS Detection: Linux 5.15 (98% confidence)
Vulnerabilities found: 1
Report saved to: scan_report.md
```

Sample Outputs

JSON Output (Pipeline Format)

```json
{
  "scan_metadata": {
    "target": "127.0.0.1",
    "scan_date": "2026-03-01T11:30:00Z",
    "nmap_version": "7.94",
    "scan_type": "SYN + Service Detection + OS"
  },
  "hosts": [
    {
      "ip": "127.0.0.1",
      "status": "up",
      "os_match": "Linux 2.6.32 (96%)",
      "ports": [
        {
          "port": 22,
          "protocol": "tcp",
          "state": "open",
          "service": "ssh",
          "version": "OpenSSH 8.9p1",
          "risk_score": 3,
          "risk_level": "LOW"
        },
        {
          "port": 5900,
          "protocol": "tcp",
          "state": "open",
          "service": "vnc",
          "version": "VNC",
          "risk_score": 16,
          "risk_level": "HIGH",
          "vulnerability": "VNC port exposed without encryption"
        }
      ]
    }
  ],
  "summary": {
    "hosts_discovered": 1,
    "open_ports": 2,
    "vulnerabilities": 1
  }
}
```

Markdown Report Excerpt

```markdown
# Network Vulnerability Scan Report
**Target:** 127.0.0.1 | **Date:** 2026-03-01 | **Framework:** NIST SP 800-115

## Port Scan Results
| Port | Proto | State | Service | Version | Risk |
|------|-------|-------|---------|---------|------|
| 22   | tcp   | open  | ssh     | OpenSSH 8.9p1 | LOW |
| 5900 | tcp   | open  | vnc     | VNC     | HIGH |

## Vulnerabilities
### HIGH: VNC Port 5900 Exposed
- **Risk Score:** 16 (Likelihood: 4 × Impact: 4)
- **NIST Control:** SC-7 (Boundary Protection)
- **Remediation:** Restrict VNC access via firewall; use VPN tunnel
```
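
The JSON pipeline format and the Markdown table above are what the usage steps produce from Nmap's results. As an added example (not network_scan.py and not part of the original page), the script below parses Nmap's XML output (`-oX`) into that structure, scores each open port on a 5×5 likelihood × impact matrix, and renders the Port Scan Results table. The sample XML, the finding rules and the risk bands are assumptions constructed to reproduce the two rows shown in the samples (SSH scores 3 LOW, VNC scores 16 HIGH); the filtered telnet port is included to show that non-open ports stay out of the findings.

```python
"""Parse Nmap XML (-oX) into the pipeline JSON and Markdown table shown above.

Added example, not this skill's network_scan.py. It assumes the scan was saved
with `nmap -sS -sV -O -oX scan.xml <target>` (element names below are Nmap's
own); the finding rules and risk bands are assumptions fitted to the sample.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: SSH and VNC open, telnet filtered by a firewall.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="5900">
        <state state="open" reason="syn-ack"/>
        <service name="vnc" product="VNC" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="96"/></os>
  </host>
</nmaprun>
"""

# Hypothetical rules: service -> (likelihood, impact, finding). Unlisted services
# with a fingerprint score 1 x 3 = 3 (LOW), matching the SSH row in the sample.
FINDING_RULES = {"vnc": (4, 4, "VNC port exposed without encryption"),
                 "telnet": (4, 4, "Telnet exposes credentials in cleartext")}


def risk_level(score):
    """Band a 5x5 product; assumed bands: 1-4 LOW, 5-9 MODERATE, 10-16 HIGH, 17-25 CRITICAL."""
    if score >= 17:
        return "CRITICAL"
    if score >= 10:
        return "HIGH"
    return "MODERATE" if score >= 5 else "LOW"


def score_service(name):
    """Return (risk_score, risk_level, finding-or-None) for a service name."""
    likelihood, impact, finding = FINDING_RULES.get(name, (1, 3, None))
    score = likelihood * impact
    return score, risk_level(score), finding


def parse_nmap_xml(xml_text, target):
    """Build the scan_metadata / hosts / summary structure from Nmap XML text."""
    root = ET.fromstring(xml_text)
    hosts, open_ports, vulns = [], 0, 0
    for host in root.iter("host"):
        # Nmap emits MAC addresses as extra <address> elements; keep the IPv4 one.
        ip = next((a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        osm = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state != "open":  # filtered/closed ports stay out of the findings
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            score, level, finding = score_service(name)
            entry = {"port": int(port.get("portid")), "protocol": port.get("protocol"), "state": state,
                     "service": name, "version": version, "risk_score": score, "risk_level": level}
            if finding:
                entry["vulnerability"] = finding
                vulns += 1
            ports.append(entry)
            open_ports += 1
        hosts.append({"ip": ip, "status": host.find("status").get("state"),
                      "os_match": f"{osm.get('name')} ({osm.get('accuracy')}%)" if osm is not None else None,
                      "ports": ports})
    return {"scan_metadata": {"target": target,
                              "scan_date": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                              "nmap_version": root.get("version"),
                              "scan_type": "SYN + Service Detection + OS"},
            "hosts": hosts,
            "summary": {"hosts_discovered": len(hosts), "open_ports": open_ports, "vulnerabilities": vulns}}


def markdown_table(report):
    """Render the 'Port Scan Results' table in the layout of the report excerpt."""
    rows = ["| Port | Proto | State | Service | Version | Risk |",
            "|------|-------|-------|---------|---------|------|"]
    for host in report["hosts"]:
        for p in host["ports"]:
            rows.append(f"| {p['port']} | {p['protocol']} | {p['state']} | {p['service']} | {p['version']} | {p['risk_level']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_NMAP_XML, target="127.0.0.1")
    print(json.dumps(report, indent=2))
    print(markdown_table(report))
```

Run with `python3` to print the JSON and the table for the embedded sample; in practice pass the text of the file written by `nmap ... -oX` instead of SAMPLE_NMAP_XML. Two details matter in real scans: Nmap adds MAC addresses as additional `<address>` elements on a LAN, so taking the first address would put a MAC into the `ip` field, and a port in state `filtered` is evidence of a firewall, not of an exposed service, which is why only `open` ports are scored.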

NIST Control Mappings

RA-5 Vulnerability Monitoring and Scanning (Risk Assessment): Monitor and scan for vulnerabilities in organizational systems and hosted applications.

CA-8 Penetration Testing (Assessment, Authorization, and Monitoring): Conduct penetration testing on organizational systems.

SI-2 Flaw Remediation (System and Information Integrity): Identify, report, and correct system flaws in a timely manner.

SC-7 Boundary Protection (System and Communications Protection): Monitor and control communications at external and key internal boundaries.

Best Practices

Always obtain written authorization before scanning any network
Start with a limited scope and expand gradually to avoid network disruption
Run scans during maintenance windows to minimize impact on production systems
Use SYN scans (requires root) for faster scanning with less application-layer noise: the TCP handshake is never completed, so the target service never sees a connection to log. They are not invisible; network IDS and firewall logs still record the probes.
Cross-reference findings with CVE databases for accurate vulnerability classification
Archive all scan results with timestamps for audit trail compliance

Limitations

Cannot detect application-layer vulnerabilities (use the penetration-testing skill)
OS detection accuracy depends on network conditions and host configuration
Firewall rules may cause false negatives: a port reported as filtered may still be reachable from other network positions
CVE lookup is keyed on the reported version banner, so distributions that backport fixes without changing the upstream version string (for example OpenSSH 8.9p1 on Ubuntu 22.04) produce false positives that need manual confirmation
Does not perform authenticated or agent-based scanning, so missing patches that are not visible in a service banner are not detected