## https://sploitus.com/exploit?id=6CD9EBCD-E859-51C6-B704-C89AD44C0A4E
# net_exploit_detector.py
Behavioral network exploit detector for macOS home networks. Uses `tcpdump`
as a capture backend and analyzes live traffic for **interaction-level anomalies**
that indicate exploitation in progress β not hash or signature matching.
---
## How it works
Most IDS tools match packet content against a database of known-bad signatures.
This tool takes a different approach: it watches *how hosts are behaving* and
flags traffic patterns that are structurally consistent with attacks regardless
of payload content. Every finding includes verbatim `tcpdump` evidence so you
can judge it yourself.
The pipeline has three stages:
```
tcpdump (subprocess) βββΊ TcpdumpParser βββΊ DetectionEngine βββΊ Report
raw text output per-packet 15 stateful .txt
streamed live structs detectors
```
---
## Detection modules
| # | Module | Technique | Severity |
|---|--------|-----------|----------|
| 1 | **Port Scan** | β₯15 unique dst-ports from one source in 10s | HIGH |
| 2 | **SYN Flood** | β₯40 half-open SYNs/sec from one source | CRITICAL |
| 3 | **ARP Poisoning** | IPβMAC flips, gratuitous reply storms | CRITICAL |
| 4 | **DNS Tunneling** | Labels >40 chars, Shannon entropy β₯3.8, query flood | HIGH |
| 5 | **ICMP Anomaly** | Payloads >256B (tunneling), flood rate | HIGH |
| 6 | **TCP Flag Abuse** | Xmas (FPU), NULL scan, RST/FIN flood | HIGH |
| 7 | **Lateral Movement** | One internal host contacting β₯8 others in 15s | HIGH |
| 8 | **C2 Beaconing** | Regular-interval SYNs to same external host (CV β€0.15) | CRITICAL |
| 9 | **Data Exfiltration** | >5MB outbound to single external IP in 60s | HIGH |
| 10 | **Connection Flood** | >50 new connections/sec to single dst:port | CRITICAL |
| 11 | **Slow Loris** | β₯10 simultaneous half-open connections to same server | HIGH |
| 12 | **HTTP Exploit Probes** | SQLi, directory traversal, Log4Shell, Shellshock in payload | CRITICAL/HIGH |
| 13 | **Cleartext Credentials** | HTTP Basic Auth, FTP PASS, Telnet password in plaintext | HIGH |
| 14 | **SSL Downgrade** | SSLv2/3 hello negotiation (POODLE/BEAST vectors) | HIGH |
| 15 | **LLMNR / NBT-NS Abuse** | Responder-style poisoner activity on ports 5355/137 | MEDIUM |
| 16 | **NTP / SSDP Amplification** | monlist probes, SSDP M-SEARCH recon | HIGH/LOW |
---
## Requirements
- macOS (tested on Ventura / Sonoma)
- Python 3.8 or later
- Xcode Command Line Tools (provides `tcpdump` and the system Python stub)
- `sudo` / root access for packet capture
- No third-party Python libraries required
### Install Xcode CLT if needed
```bash
xcode-select --install
```
Click **Install** in the dialog that appears (not "Get Xcode"). Takes ~5 minutes.
---
## Usage
```bash
# Capture for 2 minutes on the auto-detected interface (default)
sudo python3 net_exploit_detector.py
# Specify interface and duration
sudo python3 net_exploit_detector.py -i en0 -d 300
# Print findings to stdout as they are detected
sudo python3 net_exploit_detector.py -v
# Specify your LAN subnet prefix explicitly
sudo python3 net_exploit_detector.py -n 192.168.1 -d 120
# Write report to a custom filename
sudo python3 net_exploit_detector.py -o /tmp/my_report.txt
# List available interfaces
sudo python3 net_exploit_detector.py --list-interfaces
# Quick shorthand: positional duration argument
sudo python3 net_exploit_detector.py 60
```
### All options
| Flag | Default | Description |
|------|---------|-------------|
| `-i` / `--interface` | auto-detected | Network interface to capture on |
| `-d` / `--duration` | `120` | Capture duration in seconds |
| `-o` / `--output` | auto-named | Output report file path |
| `-n` / `--network` | auto-detected | Home LAN prefix, e.g. `192.168.1` |
| `-v` / `--verbose` | off | Print findings to stdout in real time |
| `--list-interfaces` | β | Print available interfaces and exit |
---
## Output
The report is written to a plain-text file named
`net_exploit_report_YYYYMMDD_HHMMSS.txt` (unless overridden with `-o`).
It contains:
1. **Capture metadata** β interface, duration, packet count, finding counts
2. **Summary table** β all findings grouped by severity with source/destination
3. **Detailed findings** β one block per finding with description and verbatim
`tcpdump` traffic evidence
4. **Methodology footnote** β explains the behavioral approach and false-positive
guidance
Example finding block:
```
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Finding #1 π΄ CRITICAL [C2 Beaconing]
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Timestamp : 14:32:07.441803
Source : 192.168.1.42
Destination: 185.220.101.7:443
192.168.1.42 connecting to 185.220.101.7:443 every 30.1s (CV=0.021 β€ 0.15)
β highly regular interval matches C2 heartbeat pattern
Traffic Evidence:
Interval samples (s): [30.1, 29.9, 30.2, 30.0, 30.1, 30.0, 29.8, 30.2]
Timestamps: [14:27:07, 14:27:37, 14:28:07, 14:28:37, ...]
```
---
## Tuning thresholds
All detection thresholds are centralized in the `Thresholds` class near the top
of the script. Adjust them to match your environment before running:
```python
class Thresholds:
PORT_SCAN_UNIQUE_PORTS = 15 # raise if you have legitimate scanners
SYN_FLOOD_RATE = 40 # lower on quiet networks
BEACON_JITTER_TOLERANCE = 0.15 # raise if legitimate apps look like beacons
EXFIL_BYTES_THRESHOLD = 5_000_000 # raise for homes with large cloud sync
DNS_ENTROPY_THRESHOLD = 3.8 # lower = more sensitive to DNS tunneling
```
---
## Notes on false positives
- **Beaconing**: software update clients (Dropbox, iCloud, telemetry agents)
connect on regular intervals. Check the destination IP before escalating.
- **Port scan**: network scanners you run yourself (Nmap, `netscan`) will
trigger this. Use `-n` to set your LAN prefix so internalβinternal sweeps
are categorized as lateral movement, not external scans.
- **Exfiltration**: Time Machine, iCloud Drive, and large uploads to known-good
services will trigger the bytes threshold. Review the destination IP.
- **LLMNR / NBT-NS**: This fires on *any* host answering LLMNR queries, including
your own legitimate Windows machines. It is a hint, not a verdict.
Every CRITICAL or HIGH finding is worth a manual lookup of the source IP
(`whois`, `dig -x`) before concluding it is malicious.
---
## Architecture
```
net_exploit_detector.py
β
βββ Thresholds β all tunable detection parameters
βββ PacketInfo β dataclass: parsed representation of one packet
βββ TcpdumpParser β buffers multi-line tcpdump output β PacketInfo
βββ DetectionEngine β 16 stateful behavioral detectors
β βββ _check_port_scan
β βββ _check_syn_flood
β βββ _check_arp
β βββ _check_dns
β βββ _check_icmp
β βββ _check_tcp_flags
β βββ _check_lateral
β βββ _check_beaconing
β βββ _check_exfiltration
β βββ _check_conn_flood
β βββ _check_slow_loris
β βββ _check_http_exploit
β βββ _check_cleartext_creds
β βββ _check_ssl_downgrade
β βββ _check_llmnr_nbt
β βββ _check_amplification
βββ Finding β dataclass: one detection result with evidence
βββ generate_report() β formats and writes the .txt report
βββ main() β CLI argument parsing and capture orchestration
```
---
## License
MIT β use freely, modify freely, no warranty.