## https://sploitus.com/exploit?id=A935BABF-D0CA-5A2A-98CF-6768FC0E8297
# IPDevicePenTest
**Automated penetration testing framework for IP-connected devices**: IoT, routers, IP cameras, OT/ICS equipment, and network infrastructure.
> **Legal Disclaimer:** This tool is designed for **authorised penetration testing only**. You must have explicit written permission from the system owner before scanning or testing any device. Unauthorised use may violate the Computer Fraud and Abuse Act (CFAA), Computer Misuse Act, and similar legislation in your jurisdiction.
---
## Overview
IPDevicePenTest is a full-stack offensive security framework with a dark-themed PyQt6 GUI and a Rich-powered CLI. It automates the complete pentest lifecycle for IP-connected devices:
- **Discovery** - nmap-based host/port scanning with TCP-connect fallback (no root required)
- **Fingerprinting** - 25+ device signatures classifying routers, cameras, PLCs, OT/ICS devices
- **Vulnerability Assessment** - service version checks, default credential testing, web vulnerability scanning
- **Exploitation** - 9 protocol-specific exploit modules covering all major attack surfaces
- **Advanced Analysis** - CVE banner matching, ICS protocol exposure, unauthenticated service detection
- **Findings Viewer** - four-severity-tab GUI with evidence preview and learnings editor
- **Evidence Capture** - structured storage of scan output, banners, and exploitation proof
- **Reporting** - (Phase 5, in progress)
---
## Architecture
```
ipdevpentest/
├── core/
│   ├── models.py            # SQLAlchemy ORM: Project, Target, Scan, Port, Finding, Evidence, Credential
│   ├── database.py          # Session factory (expire_on_commit=False), init_db()
│   ├── config.py            # Scan profiles: quick / standard / deep
│   ├── scan_engine.py       # Orchestrator: discovery → fingerprint → vuln → exploit
│   ├── discovery.py         # nmap_scan(), nmap_discovery(), basic_port_scan(), ping_sweep_tcp()
│   ├── fingerprint.py       # 25+ device signatures, classify_device(), enrich_target_from_scan()
│   ├── vuln_scanner.py      # check_default_credentials(), check_web_vulnerabilities(), etc.
│   ├── advanced_scanner.py  # Banner CVE scan, ICS exposure, unauthenticated service checks
│   ├── cve_database.py      # 25-entry local CVE database with banner regex matching
│   ├── target_manager.py    # CRUD for Projects/Targets, CIDR/range expansion, CSV import
│   ├── evidence.py          # Text/file evidence linked to scans/findings
│   └── exploits/
│       ├── exploit_base.py    # ExploitResult dataclass → VulnFinding converter
│       ├── ssh_exploit.py     # Banner CVEs, brute-force, post-auth recon, user enum (CVE-2018-15473)
│       ├── http_exploit.py    # Dir bust, LFI, CMDi, Netgear/D-Link/Hikvision/Dahua/Cisco CVEs
│       ├── ftp_exploit.py     # vsftpd backdoor (CVE-2011-2523), anonymous login, brute-force
│       ├── telnet_exploit.py  # Brute-force, IAC-negotiating client, post-auth command execution
│       ├── snmp_exploit.py    # Community string brute, MIB walk, SNMP SET write exploit
│       ├── rtsp_exploit.py    # 38-path stream enum, Basic+Digest auth brute-force
│       ├── smb_exploit.py     # EternalBlue check, null session, share enum, brute-force
│       ├── modbus_exploit.py  # Register/coil read (no auth), unauthenticated write test
│       └── upnp_exploit.py    # SSDP discovery, IGD AddPortMapping exploit, external IP leak
├── gui/
│   ├── main_window.py       # QMainWindow: sidebar + stacked pages, legal disclaimer
│   ├── theme.py             # Dark QSS stylesheet, severity/category colour constants
│   └── widgets/
│       ├── dashboard_widget.py  # Live stats: targets, scans, critical findings
│       ├── target_widget.py     # Add/edit/delete targets, CIDR/range import
│       ├── scan_widget.py       # Scan profile config, live log console, progress bar
│       ├── findings_widget.py   # Four-tab findings viewer + detail panel + learnings editor
│       ├── evidence_widget.py   # Evidence gallery with type icons and content preview
│       ├── log_console.py       # Colour-coded QPlainTextEdit log with level filtering
│       └── sidebar.py           # Navigation sidebar with active-state styling
├── cli/
│   └── commands/            # Click CLI: project, target, scan, findings commands
└── utils/
    ├── logger.py
    └── network.py
```
---
## Installation
### Prerequisites
- Python 3.11+
- `nmap` installed and on PATH (`sudo apt install nmap` / `brew install nmap`)
- No root required for standard scans (root enables OS detection but is not needed)
### Setup
```bash
git clone https://github.com/VU3RAZ/IPDevicePenTest.git
cd IPDevicePenTest
python3 -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
pip install -r requirements.txt
```
### Dependencies
| Package | Purpose |
|---------|---------|
| `pyqt6` | Dark-themed GUI framework |
| `sqlalchemy` | ORM + SQLite database |
| `python-nmap` | Port scanning and service detection |
| `paramiko` | SSH brute-force and post-auth exploitation |
| `impacket` | SMB null session, share enumeration, EternalBlue |
| `pysnmp` | SNMP community brute-force and MIB walk |
| `pymodbus` | Modbus/TCP register read/write |
| `scapy` | Raw packet crafting |
| `requests` | HTTP exploit modules |
| `rich` | CLI output formatting |
| `reportlab` + `jinja2` | Report generation (Phase 5) |
---
## Usage
### GUI (recommended)
```bash
python3 gui_main.py
```
**Workflow:**
1. Accept the legal disclaimer
2. **Dashboard** - Create a new project (`Ctrl+N`)
3. **Targets** - Add IPs, CIDR ranges, or import CSV
4. **Scan** - Choose profile, click Start (`Ctrl+R`)
5. **Findings** (`Ctrl+F`) - Review by severity tab, add learnings, mark false positives
6. **Evidence** - Browse captured banners, nmap output, exploit proof
### CLI
```bash
# Project management
python3 main.py project create "Lab Network"
python3 main.py project list
# Target management
python3 main.py target add --project 1 192.168.1.0/24
python3 main.py target list --project 1
# Scanning
python3 main.py scan run --project 1 --profile standard
python3 main.py scan run --project 1 --profile deep # runs all exploit modules
# Findings
python3 main.py findings list --project 1 --severity critical
```
---
## Scan Profiles
| Profile | Port Scan | Fingerprint | Vuln Scan | Exploit Modules |
|---------|-----------|-------------|-----------|-----------------|
| `quick` | Top 100 TCP | No | No | No |
| `standard` | Top 1000 TCP | Yes | Yes | No |
| `deep` | All 65535 TCP, scripts | Yes | Yes | **All 9 modules** |
---
## Exploit Modules
All modules run automatically in the `deep` profile. Each returns structured `ExploitResult` objects that are stored as `Finding` records with full evidence.
### SSH (`ssh_exploit.py`)
- Banner CVE matching (OpenSSH 2.x–7.1, Dropbear)
- Credential brute-force with post-auth recon: `id`, `uname -a`, `/etc/passwd`, `/etc/shadow`, SUID binaries
- Username enumeration via timing (CVE-2018-15473, OpenSSH < 7.7)
### HTTP (`http_exploit.py`)
- Directory busting (50+ common paths)
- Local File Inclusion via 12 parameters × 4 payloads
- OS command injection via 13 parameters × 4 payloads with regex verification
- Device-specific CVEs:
- **CVE-2017-6862** - Netgear password disclosure / RCE
- **CVE-2019-16920** - D-Link unauthenticated command injection
- **CVE-2021-36260** - Hikvision XML injection RCE
- **CVE-2021-33044** - Dahua authentication bypass
- **CVE-2018-0171** - Cisco Smart Install RCE (port 4786)
- HNAP SOAPAction authentication bypass
### FTP (`ftp_exploit.py`)
- **CVE-2011-2523** - vsftpd 2.3.4 smiley-face backdoor - root shell on port 6200
- Anonymous FTP access + recursive file listing + sensitive file grabbing
- Credential brute-force
### Telnet (`telnet_exploit.py`)
- Minimal telnet client with full IAC negotiation
- Credential brute-force with post-auth command execution
- Banner CVE detection (Cisco IOS, BusyBox, GNU inetutils)
### SNMP (`snmp_exploit.py`)
- Community string brute-force (24 common strings, SNMPv1/v2c)
- Full MIB walk: interfaces, IP table, TCP connections, running processes, installed software, users, shares
- SNMP SET write exploitation (confirms writable community access)
### RTSP (`rtsp_exploit.py`)
- 38-path stream enumeration for unauthenticated camera access
- Basic and Digest authentication brute-force
- Extracts stream URLs for all accessible feeds
### SMB (`smb_exploit.py`)
- **CVE-2017-0144** - MS17-010 EternalBlue probe (safe, non-exploiting)
- Null/guest session enumeration
- Share listing and file enumeration
- Credential brute-force with impacket
### Modbus/TCP (`modbus_exploit.py`)
- Raw TCP probe (no root, no library required)
- Unauthenticated holding register, input register, and coil reads
- Write test to confirm unauthenticated write access (ICS impact demonstration)
- Scans unit IDs 0–31
### UPnP (`upnp_exploit.py`)
- SSDP multicast discovery
- Device description XML parsing and service enumeration
- IGD `AddPortMapping` exploit - confirms writable firewall rules
- External IP address leak via `GetExternalIPAddress`
---
## CVE Database
Local CVE matching engine (`cve_database.py`) with 25 curated entries covering:
- SSH: CVE-2001-0144, CVE-2003-0693, CVE-2006-5051, CVE-2016-0777, CVE-2018-15473, CVE-2016-7406
- FTP: CVE-2011-2523, CVE-2010-4221
- HTTP: CVE-2017-6862, CVE-2019-16920, CVE-2021-36260, CVE-2021-33044, CVE-2018-0171
- Telnet: CVE-2020-10188
- SMB: CVE-2017-0144 (EternalBlue), CVE-2019-0708 (BlueKeep)
- SNMP: CVE-2017-6736
- UPnP: CVE-2013-0229, CVE-2020-12695 (CallStranger)
- Modbus/ICS: CVE-2018-10952
- Routers/Cameras: CVE-2022-30525, CVE-2023-1389, CVE-2022-26134, CVE-2014-9583, CVE-2021-20091
Matching runs on every banner grabbed during scanning and is integrated into the advanced scanner pass that runs on all scan profiles.
---
## Advanced Scanner
`advanced_scanner.py` runs on every scan (all profiles) and provides:
- **Banner CVE scan** - grabs banners on all open ports, matches against CVE database
- **ICS/SCADA exposure detection** - flags 16 industrial protocols (Modbus, DNP3, BACnet, EtherNet/IP, OPC-UA, S7, FINS, etc.)
- **Unauthenticated service checks** - Redis, Memcached, MQTT probes
- **Non-standard port detection** - SSH on 2222, HTTP on 8080, etc.
- **OS fingerprinting** - TTL-based heuristic (Linux ≤64, Windows ≤128, Cisco ≤255)
---
## GUI Screens
### Dashboard
Live statistics: total targets, active scans, critical findings, total findings. Quick-launch buttons for new scan and target management.
### Targets
Add individual IPs, CIDR ranges (`192.168.1.0/24`), or hyphen ranges (`192.168.1.1-50`). CSV import. Per-target status tracking.
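The three target forms listed above (single IP, CIDR block, hyphen range) expanded into individual hosts, as an added example that is not the project's `target_manager.py`. It uses only the standard-library `ipaddress` module; the function names and the sample input are constructed, and the shorthand range form (`192.168.1.1-50`) is interpreted as "replace the last octet of the start address", which is an assumption about the README's notation.

```python
"""Target range expansion: single IPs, CIDR blocks and hyphen ranges.

Added example (not code from the IPDevicePenTest project). It mirrors the
inputs the Targets page accepts and uses only the standard library.
"""
import ipaddress


def expand_target(spec: str) -> list[str]:
    """Expand one target specification into a list of host IP strings.

    Accepted forms:
      * a single address   '192.168.1.10'
      * a CIDR block       '192.168.1.0/24'  (network/broadcast excluded)
      * a hyphen range     '192.168.1.1-50'  (last-octet shorthand, assumed)
                           '192.168.1.1-192.168.1.50' (full form)
    Raises ValueError on malformed input so a bad line in a CSV import is
    reported instead of silently scanning the wrong hosts.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty target specification")

    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        hosts = [str(h) for h in net.hosts()]
        # older Pythons yield nothing for a /32; scan the single host then
        return hosts or [str(net.network_address)]

    if "-" in spec:
        start_s, end_s = (p.strip() for p in spec.split("-", 1))
        start = ipaddress.ip_address(start_s)
        if "." in end_s or ":" in end_s:
            end = ipaddress.ip_address(end_s)           # full form
        else:
            prefix = start_s.rsplit(".", 1)[0]          # last-octet shorthand
            end = ipaddress.ip_address(f"{prefix}.{int(end_s)}")
        if end.version != start.version or int(end) < int(start):
            raise ValueError(f"invalid range: {spec}")
        return [str(ipaddress.ip_address(i))
                for i in range(int(start), int(end) + 1)]

    return [str(ipaddress.ip_address(spec))]


def expand_targets(specs) -> list[str]:
    """Expand many specs, de-duplicating while keeping first-seen order."""
    seen: dict[str, None] = {}
    for spec in specs:
        for ip in expand_target(spec):
            seen.setdefault(ip, None)
    return list(seen)


if __name__ == "__main__":
    # constructed sample input, as a CSV import might contain
    sample = ["192.168.1.0/30", "192.168.1.1-3", "10.0.0.5", "192.168.1.2"]
    for ip in expand_targets(sample):
        print(ip)
```

Rejecting malformed or reversed ranges up front matters for scoping: an engagement target list that fails loudly is safer than one that quietly expands to hosts nobody authorised.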
### Scan
Profile selection (Quick / Standard / Deep), target subset selection, live log console with colour-coded severity, real-time progress bar with stage labels (Discovery → Port Scan → Fingerprint → Vuln Scan → Exploitation).
### Findings Viewer (Phase 3)
Four tabs matching the FSD severity model:
| Tab | Severities | Colour |
|-----|-----------|--------|
| Severe | Critical | Red `#FF4444` |
| Moderate | High, Medium | Orange `#FF8800` |
| Observations | Low | Blue `#00AAFF` |
| Warnings | Info | Amber `#FFAA00` |
Each tab: sortable table with severity badge, CVSS score, target IP, port, title, CVE ID, scan number, timestamp.
Click any finding to open the **detail panel**:
- Full description, PoC, mitigation, raw evidence (scrollable)
- **Learnings editor** - editable notes saved to DB per finding
- **False Positive toggle** - marks finding and removes it from counts
### Evidence Gallery (Phase 3)
Browse all captured evidence by project/scan. Type icons per evidence type (text, nmap XML, pcap, screenshots). Content preview panel with monospace viewer.
---
## Database Schema
| Table | Key Fields |
|-------|-----------|
| `projects` | id, name, description, created_at |
| `targets` | id, project_id, ip_address, hostname, device_type, vendor, os_name, open_ports_count, status |
| `scans` | id, project_id, profile, status, progress, current_stage, started_at, completed_at |
| `ports` | id, target_id, port_number, protocol, state, service, product, service_version, banner |
| `findings` | id, scan_id, target_id, port_id, title, description, severity, category, cvss_score, cve_id, proof_of_concept, mitigation, learnings, false_positive |
| `evidence` | id, finding_id, scan_id, file_type, file_path, description, content |
| `credentials` | id, target_id, finding_id, service, port, username, password, credential_type, validated |
Finding `severity`: `critical` / `high` / `medium` / `low` / `info`
Finding `category`: `severe` / `moderate` / `observations` / `warnings` (GUI tab mapping)
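The `findings` table with the severity-to-category mapping and the false-positive exclusion described above, as an added example that is not the project's SQLAlchemy models. It uses the standard-library `sqlite3` module, keeps a subset of the README's columns, and the findings inserted in `demo()` are constructed; the function names are assumptions.

```python
"""Findings store with the README's severity -> GUI category mapping.

Added example using the standard-library sqlite3 module rather than the
project's SQLAlchemy models. The columns are a subset of the README's
`findings` table; the sample findings inserted in demo() are constructed.
"""
import sqlite3

# severity -> category (GUI tab), as documented in the README
SEVERITY_TO_CATEGORY = {
    "critical": "severe",
    "high": "moderate",
    "medium": "moderate",
    "low": "observations",
    "info": "warnings",
}
CATEGORIES = ("severe", "moderate", "observations", "warnings")

SCHEMA = """
CREATE TABLE IF NOT EXISTS findings (
    id             INTEGER PRIMARY KEY,
    scan_id        INTEGER NOT NULL,
    target_id      INTEGER NOT NULL,
    port_id        INTEGER,
    title          TEXT    NOT NULL,
    severity       TEXT    NOT NULL
                   CHECK (severity IN ('critical','high','medium','low','info')),
    category       TEXT    NOT NULL
                   CHECK (category IN ('severe','moderate','observations','warnings')),
    cvss_score     REAL,
    cve_id         TEXT,
    false_positive INTEGER NOT NULL DEFAULT 0
);
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the findings database and apply the schema."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_finding(conn, scan_id, target_id, title, severity,
                cvss_score=None, cve_id=None, port_id=None) -> int:
    """Insert a finding. The category is derived from severity, never
    supplied by the caller, so tab membership cannot drift from severity."""
    category = SEVERITY_TO_CATEGORY[severity]  # KeyError on an unknown severity
    cur = conn.execute(
        "INSERT INTO findings (scan_id, target_id, port_id, title, severity, "
        "category, cvss_score, cve_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (scan_id, target_id, port_id, title, severity, category, cvss_score, cve_id),
    )
    conn.commit()
    return cur.lastrowid


def mark_false_positive(conn, finding_id: int, flag: bool = True) -> None:
    """Toggle the false-positive flag; the row is kept for the audit trail."""
    conn.execute("UPDATE findings SET false_positive = ? WHERE id = ?",
                 (int(flag), finding_id))
    conn.commit()


def category_counts(conn, scan_id: int) -> dict[str, int]:
    """Per-tab counts for a scan, excluding findings marked false positive."""
    counts = {c: 0 for c in CATEGORIES}
    rows = conn.execute(
        "SELECT category, COUNT(*) FROM findings "
        "WHERE scan_id = ? AND false_positive = 0 GROUP BY category",
        (scan_id,),
    )
    for category, n in rows:
        counts[category] = n
    return counts


def findings_for_tab(conn, scan_id: int, category: str) -> list[dict]:
    """Rows for one GUI tab, highest CVSS first, false positives hidden."""
    rows = conn.execute(
        "SELECT id, title, severity, cvss_score, cve_id FROM findings "
        "WHERE scan_id = ? AND category = ? AND false_positive = 0 "
        "ORDER BY cvss_score DESC, id ASC",
        (scan_id, category),
    )
    keys = ("id", "title", "severity", "cvss_score", "cve_id")
    return [dict(zip(keys, r)) for r in rows]


def demo() -> dict[str, int]:
    """Populate an in-memory DB with constructed findings and return tab counts."""
    conn = open_db()
    add_finding(conn, 1, 1, "vsftpd 2.3.4 banner", "critical", 10.0, "CVE-2011-2523", 21)
    fp = add_finding(conn, 1, 1, "Possible default credentials", "high", 8.1)
    add_finding(conn, 1, 2, "SSH on non-standard port 2222", "medium", 5.3, None, 2222)
    add_finding(conn, 1, 2, "Server banner discloses version", "low", 3.1)
    add_finding(conn, 1, 2, "TTL suggests Linux host", "info")
    mark_false_positive(conn, fp)   # analyst reviewed: not a real default
    return category_counts(conn, 1)


if __name__ == "__main__":
    print(demo())
```

Deriving `category` inside the insert path (and enforcing both enumerations with `CHECK` constraints) keeps the GUI tabs consistent with severity even when findings are written by a new exploit module or a CLI import; flagging rather than deleting false positives preserves the evidence chain a report will need.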
---
## Development Phases
| Phase | Status | Description |
|-------|--------|-------------|
| Phase 1 | Complete | Backend core, SQLAlchemy ORM, SQLite DB, CLI |
| Phase 2 | Complete | PyQt6 GUI foundation: Dashboard, Targets, Scan with live log |
| Phase 3 | Complete | Findings Viewer (4 severity tabs), Evidence Gallery, Learnings editor |
| Phase 4 | Complete | 9 exploit modules, CVE database, advanced scanner, ICS detection |
| Phase 5 | In Progress | PDF/HTML/Markdown/JSON report generation, polish, theming |
---
## Keyboard Shortcuts
| Shortcut | Action |
|----------|--------|
| `Ctrl+D` | Dashboard |
| `Ctrl+N` | Targets |
| `Ctrl+R` | Scan |
| `Ctrl+F` | Findings |
---
## Wordlists
`wordlists/default_credentials.json` - 34 service credential pairs covering common IoT/router defaults (admin/admin, root/root, admin/1234, manufacturer defaults for Hikvision, Dahua, D-Link, TP-Link, etc.)
---
## Ethical Use
This framework includes offensive modules capable of:
- Executing commands on compromised systems
- Reading sensitive files (`/etc/shadow`, private keys)
- Writing to industrial control system registers
- Modifying firewall rules via UPnP
- Capturing authenticated RTSP camera streams
**These capabilities exist solely for authorised security assessments.** The GUI enforces a legal disclaimer on every launch. The `deep` scan profile that triggers exploit modules requires deliberate user selection.
Always obtain written authorisation before testing. Scope your targets precisely.
---
## Author
**Rahul** - VU3RAZ
[github.com/VU3RAZ](https://github.com/VU3RAZ)