Share
## https://sploitus.com/exploit?id=6CD9EBCD-E859-51C6-B704-C89AD44C0A4E
# net_exploit_detector.py

Behavioral network exploit detector for macOS home networks.  Uses `tcpdump`
as a capture backend and analyzes live traffic for **interaction-level anomalies**
that indicate exploitation in progress β€” not hash or signature matching.

---

## How it works

Most IDS tools match packet content against a database of known-bad signatures.
This tool takes a different approach: it watches *how hosts are behaving* and
flags traffic patterns that are structurally consistent with attacks regardless
of payload content.  Every finding includes verbatim `tcpdump` evidence so you
can judge it yourself.

The pipeline has three stages:

```
tcpdump (subprocess) ──► TcpdumpParser ──► DetectionEngine ──► Report
     raw text output       per-packet          15 stateful         .txt
     streamed live         structs             detectors
```

---

## Detection modules

| # | Module | Technique | Severity |
|---|--------|-----------|----------|
| 1 | **Port Scan** | β‰₯15 unique dst-ports from one source in 10s | HIGH |
| 2 | **SYN Flood** | β‰₯40 half-open SYNs/sec from one source | CRITICAL |
| 3 | **ARP Poisoning** | IP→MAC flips, gratuitous reply storms | CRITICAL |
| 4 | **DNS Tunneling** | Labels >40 chars, Shannon entropy β‰₯3.8, query flood | HIGH |
| 5 | **ICMP Anomaly** | Payloads >256B (tunneling), flood rate | HIGH |
| 6 | **TCP Flag Abuse** | Xmas (FPU), NULL scan, RST/FIN flood | HIGH |
| 7 | **Lateral Movement** | One internal host contacting β‰₯8 others in 15s | HIGH |
| 8 | **C2 Beaconing** | Regular-interval SYNs to same external host (CV ≀0.15) | CRITICAL |
| 9 | **Data Exfiltration** | >5MB outbound to single external IP in 60s | HIGH |
| 10 | **Connection Flood** | >50 new connections/sec to single dst:port | CRITICAL |
| 11 | **Slow Loris** | β‰₯10 simultaneous half-open connections to same server | HIGH |
| 12 | **HTTP Exploit Probes** | SQLi, directory traversal, Log4Shell, Shellshock in payload | CRITICAL/HIGH |
| 13 | **Cleartext Credentials** | HTTP Basic Auth, FTP PASS, Telnet password in plaintext | HIGH |
| 14 | **SSL Downgrade** | SSLv2/3 hello negotiation (POODLE/BEAST vectors) | HIGH |
| 15 | **LLMNR / NBT-NS Abuse** | Responder-style poisoner activity on ports 5355/137 | MEDIUM |
| 16 | **NTP / SSDP Amplification** | monlist probes, SSDP M-SEARCH recon | HIGH/LOW |

---

## Requirements

- macOS (tested on Ventura / Sonoma)
- Python 3.8 or later
- Xcode Command Line Tools (provides `tcpdump` and the system Python stub)
- `sudo` / root access for packet capture
- No third-party Python libraries required

### Install Xcode CLT if needed

```bash
xcode-select --install
```

Click **Install** in the dialog that appears (not "Get Xcode").  Takes ~5 minutes.

---

## Usage

```bash
# Capture for 2 minutes on the auto-detected interface (default)
sudo python3 net_exploit_detector.py

# Specify interface and duration
sudo python3 net_exploit_detector.py -i en0 -d 300

# Print findings to stdout as they are detected
sudo python3 net_exploit_detector.py -v

# Specify your LAN subnet prefix explicitly
sudo python3 net_exploit_detector.py -n 192.168.1 -d 120

# Write report to a custom filename
sudo python3 net_exploit_detector.py -o /tmp/my_report.txt

# List available interfaces
sudo python3 net_exploit_detector.py --list-interfaces

# Quick shorthand: positional duration argument
sudo python3 net_exploit_detector.py 60
```

### All options

| Flag | Default | Description |
|------|---------|-------------|
| `-i` / `--interface` | auto-detected | Network interface to capture on |
| `-d` / `--duration` | `120` | Capture duration in seconds |
| `-o` / `--output` | auto-named | Output report file path |
| `-n` / `--network` | auto-detected | Home LAN prefix, e.g. `192.168.1` |
| `-v` / `--verbose` | off | Print findings to stdout in real time |
| `--list-interfaces` | β€” | Print available interfaces and exit |

---

## Output

The report is written to a plain-text file named
`net_exploit_report_YYYYMMDD_HHMMSS.txt` (unless overridden with `-o`).

It contains:

1. **Capture metadata** β€” interface, duration, packet count, finding counts
2. **Summary table** β€” all findings grouped by severity with source/destination
3. **Detailed findings** β€” one block per finding with description and verbatim
   `tcpdump` traffic evidence
4. **Methodology footnote** β€” explains the behavioral approach and false-positive
   guidance

Example finding block:

```
────────────────────────────────────────────────────────────────────────────────
  Finding #1  πŸ”΄ CRITICAL  [C2 Beaconing]
────────────────────────────────────────────────────────────────────────────────
  Timestamp  : 14:32:07.441803
  Source     : 192.168.1.42
  Destination: 185.220.101.7:443

  192.168.1.42 connecting to 185.220.101.7:443 every 30.1s (CV=0.021 ≀ 0.15)
  β€” highly regular interval matches C2 heartbeat pattern

  Traffic Evidence:
    Interval samples (s): [30.1, 29.9, 30.2, 30.0, 30.1, 30.0, 29.8, 30.2]
    Timestamps: [14:27:07, 14:27:37, 14:28:07, 14:28:37, ...]
```

---

## Tuning thresholds

All detection thresholds are centralized in the `Thresholds` class near the top
of the script.  Adjust them to match your environment before running:

```python
class Thresholds:
    PORT_SCAN_UNIQUE_PORTS  = 15   # raise if you have legitimate scanners
    SYN_FLOOD_RATE          = 40   # lower on quiet networks
    BEACON_JITTER_TOLERANCE = 0.15 # raise if legitimate apps look like beacons
    EXFIL_BYTES_THRESHOLD   = 5_000_000  # raise for homes with large cloud sync
    DNS_ENTROPY_THRESHOLD   = 3.8  # lower = more sensitive to DNS tunneling
```

---

## Notes on false positives

- **Beaconing**: software update clients (Dropbox, iCloud, telemetry agents)
  connect on regular intervals.  Check the destination IP before escalating.
- **Port scan**: network scanners you run yourself (Nmap, `netscan`) will
  trigger this.  Use `-n` to set your LAN prefix so internal→internal sweeps
  are categorized as lateral movement, not external scans.
- **Exfiltration**: Time Machine, iCloud Drive, and large uploads to known-good
  services will trigger the bytes threshold.  Review the destination IP.
- **LLMNR / NBT-NS**: This fires on *any* host answering LLMNR queries, including
  your own legitimate Windows machines.  It is a hint, not a verdict.

Every CRITICAL or HIGH finding is worth a manual lookup of the source IP
(`whois`, `dig -x`) before concluding it is malicious.

---

## Architecture

```
net_exploit_detector.py
β”‚
β”œβ”€β”€ Thresholds          β€” all tunable detection parameters
β”œβ”€β”€ PacketInfo          β€” dataclass: parsed representation of one packet
β”œβ”€β”€ TcpdumpParser       β€” buffers multi-line tcpdump output β†’ PacketInfo
β”œβ”€β”€ DetectionEngine     β€” 16 stateful behavioral detectors
β”‚   β”œβ”€β”€ _check_port_scan
β”‚   β”œβ”€β”€ _check_syn_flood
β”‚   β”œβ”€β”€ _check_arp
β”‚   β”œβ”€β”€ _check_dns
β”‚   β”œβ”€β”€ _check_icmp
β”‚   β”œβ”€β”€ _check_tcp_flags
β”‚   β”œβ”€β”€ _check_lateral
β”‚   β”œβ”€β”€ _check_beaconing
β”‚   β”œβ”€β”€ _check_exfiltration
β”‚   β”œβ”€β”€ _check_conn_flood
β”‚   β”œβ”€β”€ _check_slow_loris
β”‚   β”œβ”€β”€ _check_http_exploit
β”‚   β”œβ”€β”€ _check_cleartext_creds
β”‚   β”œβ”€β”€ _check_ssl_downgrade
β”‚   β”œβ”€β”€ _check_llmnr_nbt
β”‚   └── _check_amplification
β”œβ”€β”€ Finding             β€” dataclass: one detection result with evidence
β”œβ”€β”€ generate_report()   β€” formats and writes the .txt report
└── main()              β€” CLI argument parsing and capture orchestration
```

---

## License

MIT β€” use freely, modify freely, no warranty.