Share
## https://sploitus.com/exploit?id=F85DF6D6-7FA7-562F-8374-0F95AD25FA2F
# Lanflux
**On-LAN recon and exploitation after wireless foothold** β sibling to [Wiflux](https://github.com/Leadrogue/Wiflux).
```
βββ ββββββ ββββ ββββββββββββββ βββ ββββββ βββ
βββ βββββββββββββ ββββββββββββββ βββ βββββββββββ
βββ ββββββββββββββ βββββββββ βββ βββ βββ ββββββ
βββ ββββββββββββββββββββββββ βββ βββ βββ ββββββ
βββββββββββ ββββββ βββββββββ βββββββββββββββββββββ βββ
βββββββββββ ββββββ ββββββββ ββββββββ βββββββ βββ βββ
```
> **For authorized security testing only.** Only use Lanflux on networks you own or have explicit permission to audit.
[](https://www.python.org/downloads/)
[](LICENSE)
[](https://github.com/Leadrogue/Lanflux/releases/latest)
[](#requirements)
| Tool | Phase |
|------|--------|
| **[Wiflux](https://github.com/Leadrogue/Wiflux)** | Wireless access β scan, capture, crack |
| **Lanflux** | Post-assoc β discover, recon, engage, MITM on the LAN |
*From the air to the LAN.* Β· **v1.0.0**
---
## Features
### Guided workflow
- **Map β Recon β Attacks / MITM** β main menu steers you in a safe order (recon before noisy work)
- **Live Rich UI** β discover table, ETA bars, activity feed, identity cards
- **Keyboard control** β **Enter** finishes discover/profile early β menu; **Space** pauses (copy) or skips a module
- **Engagement profiles** β `home` | `office` | `lab` set timeouts, smart-engage, MITM default, spray (CLI flags override only when set)
- **Session resume** β `--resume` reloads hosts from SQLite; identity + traffic hints persist
### Discovery & identity
- **ARP + neighbor + optional ping sweep** β fast LAN map with honest ETAs
- **Progressive port/OS profile** β light nmap while mapping; wrap-up can be skipped with Enter
- **Who is this?** β identity fusion (OUI vendor + hostname + mDNS + ports β e.g. βTommyβs iPhone (likely)β)
- **Traffic hints** β pre-scan `ip neigh` states for MITM client ranking (`live` / `recent` / `quiet`)
- **Host scoring & roles** β gateway, DC, fileserver, IoT, workstation, β¦
### Soft recon & smart engage
- **Soft recon chain** β `dns-enum β port-scan β smb-enum β http-enum`
- **Smart engage** β after soft recon, deep tools planned from *real* open ports (whatweb, http-paths, http-defaults, smb-deep, ssh-check, snmp-check, iot-pack, ad-enum, pivot-map, gain-access, β¦)
- **Auto mode** β `--auto` maps + soft+deep engage non-interactively; lab/spray also runs starred attack tools
- **Host-aware toolkit** β recommendations ranked by role/ports/risk; missing binaries show install hints
### Modules (highlights)
| Category | Examples |
|----------|----------|
| Recon | dns-enum, port-scan, smb-enum/deep, http-enum/paths, whatweb, tls-inspect, nikto, nuclei, ffuf-short, mdns-upnp, udp-probe, ad-enum |
| Attack | http-defaults, ssh-check, snmp-check, gain-access, cred-spray, iot-pack, responder |
| MITM | arp / sniff / forms / keylog / dns (toolkit time-boxed or live mission sessions) |
### MITM (honest capabilities)
| Mode | Bandwidth | What you get |
|------|-----------|--------------|
| **Sites** | Best | DNS/SNI hostnames; half-duplex ARP |
| **Forms** | Good | Cleartext HTTP login POSTs |
| **Keylog** | Heavier | JS inject on HTTP + KEY lines + forms |
| **DNS** | Varies | Name poison path (noisy) |
- **HTTPS app passwords are not readable** without SSL-bump (not implemented β by design)
- **Half-duplex WiβFi friendly** tuning (forward path, rp_filter, restore on exit)
- **Lifecycle cleanup** β orphan process kill, atexit / Ctrl+C emergency stop
- **Attention stream** β live sites/forms story at end of session
### Results, vault & reporting
- **SQLite store** β hosts, findings (deduped), credentials under `~/lanflux-data` (mode `0700` / files `0600`)
- **Credential vault** β `--vault` browser; optional at-rest encryption via `LANFLUX_VAULT_PASSWORD`
- **Exports** β JSON/CSV; secrets redacted unless `--include-secrets`
- **PDF reports** β honest severity (no false βdefault loginβ claims)
- **Run compare** β `--snapshot` / `--compare` for host/port diffs
- **Webhooks** β `--webhook URL` for critical findings (Discord/Slack-friendly)
- **Scope lock** β `scope.lock.json` gates noisy MITM ops
- **Wiflux handoff** β `--from-wiflux` shows cracked PSKs / SSID match
---
## Quick start
### Install from source (recommended)
```bash
git clone https://github.com/Leadrogue/Lanflux.git
cd Lanflux
pip install -e . --break-system-packages
# Core system tools
sudo apt update
sudo apt install -y arp-scan nmap smbclient curl iproute2 iputils-ping
# Optional packs (or use the built-in installer)
sudo apt install -y bettercap dsniff tcpdump tshark # MITM
# or:
sudo lanflux --install-deps mitm,web,smb --install-deps-run
```
Full walkthrough: **[INSTALL.md](INSTALL.md)** Β· Step-by-step ops: **[docs/TUTORIAL.md](docs/TUTORIAL.md)**
### Run
On Kali/Debian, `sudo` may omit `/usr/local/bin` from `PATH`:
```bash
sudo env PATH="/usr/local/bin:$PATH" lanflux --no-splash
# Auto map + engage (lab profile: smart deep + spray-oriented)
sudo env PATH="/usr/local/bin:$PATH" lanflux --profile lab --auto -p 20 --no-splash
# Resume previous hosts
sudo env PATH="/usr/local/bin:$PATH" lanflux --resume --no-splash
```
### Typical interactive path
1. **Map the LAN** (menu β
1) β Enter finishes early β menu
2. **Deep recon** (client or subnet) β soft recon then tool menu
3. **Attacks** β defaults, gain-access, spray (after recon)
4. **MITM** if needed β pick client / mode; Enter or Space stops live session
5. **Report & vault** β PDF, export, compare
---
## Documentation
| Document | Description |
|----------|-------------|
| **[INSTALL.md](INSTALL.md)** | Requirements, install methods, dependency packs, troubleshooting |
| **[docs/TUTORIAL.md](docs/TUTORIAL.md)** | End-to-end authorized engagement walkthrough |
| **[docs/ARCHITECTURE.md](docs/ARCHITECTURE.md)** | Package layout and engagement flow |
| **[docs/MITM.md](docs/MITM.md)** | Capture modes, teardown, scope lock |
| **[docs/LEGAL.md](docs/LEGAL.md)** | Authorization and responsibility |
| **[CHANGELOG.md](CHANGELOG.md)** | Version history |
---
## Usage examples
```bash
lanflux --help
# Interactive guided menu
sudo lanflux --no-splash
# Bound to a subnet + office profile (quieter defaults)
sudo lanflux --profile office --scope 192.168.1.0/24 --auto --no-splash
# Soft recon only (no deep chain)
sudo lanflux --no-smart-engage --recon-only --auto --no-splash
# After Wiflux association
sudo lanflux --from-wiflux --no-splash
# Scope lock before noisy MITM
lanflux --scope-init 192.168.8.0/24 --scope-note "authorized pentest"
# Vault / export / compare (no root required)
lanflux --vault
lanflux --export-creds ~/lanflux-data/creds.json --include-secrets
lanflux --findings
lanflux --hosts
lanflux --compare
# Optional vault encryption for newly saved secrets
export LANFLUX_VAULT_PASSWORD='choose-a-strong-passphrase'
sudo lanflux --vault-password "$LANFLUX_VAULT_PASSWORD" --no-splash
```
### Keyboard
| Key | Discover / profile | MITM / toolkit module |
|-----|--------------------|------------------------|
| **Enter** | Finish early β menu | Stop live MITM / long tool |
| **Space** | Pause table (copy) / resume | Skip module |
| **Ctrl+C** | Emergency MITM stop + clean exit | Same |
| **q** (discover) | Same as Enter (fallback) | β |
---
## Engagement profiles
| Profile | Discover | Ports | Smart deep | Spray | MITM default | Module timeout |
|---------|----------|-------|------------|-------|--------------|----------------|
| **home** | 25s | quick | yes | no | forms | 45s |
| **office** | 40s | top100 | yes | no | sites | 60s |
| **lab** | 30s | quick | yes | yes | keylog | 90s |
Pass `-p`, `--ports`, or `--module-timeout` only when you want to override the profile.
---
## Layout
```
lanflux/
cli.py entry + flags + utility commands
session.py guided / auto session loop
discover.py live host discovery
profiler.py mass port/OS profile
orchestrator.py soft recon + smart deep engage
registry.py module registry
recommend.py host-aware toolkit menu
toolkit.py interactive + starred batch runner
mission.py live MITM sessions
mitm_engine.py shared MITM surface
mitm_lifecycle.py process cleanup / emergency stop
report.py PDF reports
results.py SQLite (WAL)
vault.py credential vault
crypto_vault.py optional secret encryption
scope.py scope lock
modules/ engagement modules
tools/ network + nmap helpers
```
Data defaults to **`~/lanflux-data/`** (not inside the package tree).
---
## Requirements
- **Linux** (Kali / Debian / Ubuntu recommended)
- **Python 3.10+**
- **Root** for full discover / MITM (`sudo`)
- Core tools: `arp-scan`, `nmap`, `ip`, `ping` (see [INSTALL.md](INSTALL.md))
---
## Development
```bash
git clone https://github.com/Leadrogue/Lanflux.git
cd Lanflux
pip install -e ".[dev]" --break-system-packages
pytest -q
```
---
## Legal
This tool is for educational and **authorized** penetration testing only. Unauthorized access to computer networks is illegal. The authors are not responsible for misuse. See [docs/LEGAL.md](docs/LEGAL.md).
---
## Related
- **[Wiflux](https://github.com/Leadrogue/Wiflux)** β wireless access, capture, and crack
- Issues & releases: [github.com/Leadrogue/Lanflux](https://github.com/Leadrogue/Lanflux)
## License
[MIT](LICENSE) Β· Β© Leadrogue