
Sanketh Subhas

Posted on • Originally published at Medium

How I Built a Python Network Scanner That Thinks Like an Attacker

Open ports are open doors. Here's how I built a tool that finds them, scores the risk, and maps every finding to MITRE ATT&CK with zero external dependencies.
The Problem
Every network has blind spots.
Firewall rules get misconfigured. Services get spun up and forgotten. A developer opens port 3389 for "just a quick test" and never closes it. Six months later, a ransomware group finds it.
The scary part? These exposures are trivially easy to find if you know where to look.
So I built a tool that looks.

What the Tool Does
The Network Scanner & Vulnerability Reporter is a Python-based tool that:

Scans a target IP or entire CIDR range for open ports
Identifies what service is running on each port
Checks each service against a built-in vulnerability database
Maps every finding to a MITRE ATT&CK technique
Calculates an overall risk score from 0–100
Generates a full report with remediation guidance
Exports JSON for SIEM or ticketing system integration

Zero external dependencies. Pure Python standard library only.

Why I Built It This Way
Most vulnerability scanners are black boxes. You run Nessus, get a PDF, and hand it to someone else to interpret.
I wanted to understand what's actually happening under the hood: what a scanner is really asking, what the responses mean, and how to turn raw port data into something actionable.
This tool is my answer to that question.

The Technical Architecture
Port Scanning — Multithreaded TCP
The scanner uses socket and concurrent.futures.ThreadPoolExecutor to send TCP connection attempts across 29 common ports simultaneously. Multithreading keeps the scan fast even on full CIDR ranges.
```python
from concurrent.futures import ThreadPoolExecutor

with ThreadPoolExecutor(max_workers=50) as executor:
    futures = {executor.submit(scan_port, ip, port): port for port in ports}
```


Each connection attempt ends in one of three ways, and the scanner should keep them apart: connect() succeeds (port open); the host answers with a RST and connect() fails with "connection refused" (port closed, but the host is up); or nothing comes back before the timeout (filtered by a firewall, or the host is down). Lumping refused and timed-out together as "closed/filtered" throws away a data point an attacker would keep, since a refused connection confirms a live host. This is a full TCP connect scan: no raw packets and no root required, at the cost of being noisier than a SYN scan, because every probe completes the handshake and lands in the target service's own logs.

**Service Identification**

Open ports get mapped to known service names via a static dictionary: port 22 becomes SSH, port 445 becomes SMB, port 3389 becomes RDP, and so on across 29 services. Strictly, that is port-number inference rather than service identification: SSH moved to port 2222 comes back as "unknown", and an HTTP listener squatting on 3389 is reported as RDP. Reading the first bytes the service sends after connect (its banner) closes most of that gap and costs one extra recv() per open port.
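As an added example (my own code, not the project's), here is the connect-scan core with the three states kept apart, banner grabbing layered on top of the static port table, and CIDR expansion via the standard library's `ipaddress`. The `start_fake_service`/`stop_fake_service` helpers are a constructed loopback fixture so the block runs offline; `expand_targets`, `PORT_NAMES` and `BANNER_PREFIXES` are illustrative names and tables, not the tool's own.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Added example, not the project's own code: a TCP connect scan that keeps
# open / closed / filtered apart and reads a banner where the service sends one.


def expand_targets(target):
    """Yield host addresses for a single IP or a CIDR range (assumed CLI contract)."""
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses == 1:
        yield str(net.network_address)
    else:
        for host in net.hosts():  # skips network and broadcast addresses
            yield str(host)


def scan_port(ip, port, timeout=1.0, banner_wait=0.5):
    """Return (port, state, banner); state is "open", "closed" or "filtered"."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.settimeout(banner_wait)
            try:
                raw = sock.recv(256)
            except OSError:  # open, but the server waits for the client to speak first
                raw = b""
            return port, "open", raw.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return port, "closed", ""  # RST came back: host is up, nothing listening
    except OSError:  # timeout, host unreachable, no route: no RST, no SYN-ACK
        return port, "filtered", ""


def scan_host(ip, ports, workers=50, timeout=1.0):
    """Probe all ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: scan_port(ip, p, timeout), ports))
    return {port: (state, banner) for port, state, banner in results}


# Illustrative tables (assumed), not the tool's 29-entry dictionary.
PORT_NAMES = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 445: "smb", 3389: "rdp"}
BANNER_PREFIXES = (("SSH-", "ssh"), ("220 ", "smtp/ftp greeting"), ("+OK", "pop3"), ("* OK", "imap"))


def identify(port, banner):
    """Trust what the service says about itself over the port number; fall back to the table."""
    for prefix, name in BANNER_PREFIXES:
        if banner.startswith(prefix):
            return name
    return PORT_NAMES.get(port, "unknown")


def start_fake_service(banner=b""):
    """Constructed loopback fixture so the example runs offline: a listener on an
    ephemeral port that sends `banner` to every client (b"" = silent service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down, fixture torn down
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_fake_service(srv):
    """shutdown() first: on Linux a bare close() leaves a thread blocked in accept()
    holding the listener open, so later connects would still succeed."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


if __name__ == "__main__":
    # SSH on a non-standard port: the static table alone would call it "unknown"
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    for p, (state, banner) in scan_host("127.0.0.1", [port]).items():
        print(p, state, identify(p, banner), repr(banner))
    stop_fake_service(srv)
    print(port, scan_port("127.0.0.1", port)[1])  # listener gone: refused, so "closed"
```

The banner read is deliberately short (256 bytes, half a second) so a silent service such as HTTP or SMB, which waits for the client to talk first, costs little more than the connect itself.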

**Vulnerability Matching**

Each identified service is checked against a built-in vulnerability database. This isn't CVE scanning; it's risk pattern matching. Port 23 open? That's Telnet, a cleartext protocol, so CRITICAL risk. Port 27017 open? That's MongoDB, which is likely to be reachable without authentication.

The database covers the services that actually show up in breach reports: SMB (EternalBlue), RDP (ransomware entry), Redis (no-auth data exposure), Elasticsearch (unauthenticated access), and more.

**MITRE ATT&CK Mapping**

Every vulnerability finding gets tagged with the relevant ATT&CK technique:

- RDP exposed → T1076 (Remote Desktop Protocol)
- SMB exposed → T1210 (Exploitation of Remote Services)
- Telnet open → T1040 (Network Sniffing)

One caveat a SOC will raise immediately: T1076 is a retired technique. MITRE folded it into T1021.001 (Remote Services: Remote Desktop Protocol) when sub-techniques were introduced in 2020, so a mapping table has to be pinned to an ATT&CK version and refreshed, or findings will carry IDs that current tooling flags as deprecated.

This transforms raw scan output into adversary-aligned intelligence — exactly the framing a SOC or threat intel team needs.

**Risk Scoring**

The tool calculates a composite risk score 0–100 based on the severity and count of findings:

| Score | Rating |
|-------|--------|
| 70–100 | 🔴 CRITICAL |
| 45–69 | 🟠 HIGH |
| 20–44 | 🟡 MEDIUM |
| 0–19 | 🟢 LOW |
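Added example (my own code, not the project's) showing the path from an open-port list to the JSON a SIEM ingests: pattern matching, ATT&CK tagging, a saturating score, the rating bands from the table above, and a stable-ordered export. The severity weights and the combination formula are assumptions; the three table entries are the page's own mappings, with RDP moved to its current identifier T1021.001 (T1076 is retired); the remediation strings and the sample scan result are constructed.

```python
import json

# Added example, not the project's own code. Weights and the scoring formula are
# assumptions; the rating bands are the ones in the table in the post.

# port -> (title, severity, technique id, technique name, remediation); constructed
RISK_PATTERNS = {
    23: ("Telnet: cleartext remote shell", "CRITICAL",
         "T1040", "Network Sniffing",
         "Disable Telnet; use SSH with key-based auth"),
    445: ("SMB reachable from untrusted networks", "CRITICAL",
          "T1210", "Exploitation of Remote Services",
          "Block 445 at the perimeter; apply MS17-010"),
    3389: ("RDP reachable from untrusted networks", "CRITICAL",
           "T1021.001", "Remote Services: Remote Desktop Protocol",
           "Restrict RDP to VPN; enable NLA and MFA"),
}

SEVERITY_WEIGHT = {"CRITICAL": 60, "HIGH": 35, "MEDIUM": 15, "LOW": 5}  # assumed


def match_findings(open_ports):
    """Risk pattern matching: an open port that appears in the table is a finding."""
    findings = []
    for port in sorted(open_ports):
        if port in RISK_PATTERNS:
            title, sev, tid, tname, fix = RISK_PATTERNS[port]
            findings.append({"port": port, "title": title, "severity": sev,
                             "attack": {"id": tid, "name": tname},
                             "remediation": fix})
    return findings


def risk_score(findings):
    """Treat each finding as an independent chance of compromise and combine them:
    100 * (1 - prod(1 - w/100)). Every finding raises the score, but it saturates
    at 100 instead of overflowing when a host has many exposures."""
    survive = 1.0
    for f in findings:
        survive *= 1 - SEVERITY_WEIGHT[f["severity"]] / 100
    return int(round(100 * (1 - survive)))


def rating(score):
    """Bands from the table in the post."""
    if score >= 70:
        return "CRITICAL"
    if score >= 45:
        return "HIGH"
    if score >= 20:
        return "MEDIUM"
    return "LOW"


def build_report(target, open_ports):
    findings = match_findings(open_ports)
    score = risk_score(findings)
    return {"target": target, "open_ports": sorted(open_ports),
            "vulnerabilities": findings, "risk_score": score,
            "rating": rating(score)}


def export_json(report):
    """Sorted keys give a stable layout, so diffs between two scans of the same
    host are meaningful once the file lands in a SIEM or a ticket."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    report = build_report("192.168.1.1", [22, 23, 445, 3389])  # constructed scan result
    print(export_json(report))
```

With the assumed weights one CRITICAL finding alone lands at 60 (HIGH), and three CRITICAL findings at 94; the formula is chosen so that adding the same finding type repeatedly keeps the score below 100 rather than producing a meaningless 180.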



**Sample Output**

```text
=================================================================

NETWORK SCANNER & VULNERABILITY REPORTER

Target : 192.168.1.1
Open Ports : 4 | Vulnerabilities: 6
Risk Score : 85/100 [██████████████████████████████████░░░░░░]

Rating : 🔴 CRITICAL RISK

⚠️ VULNERABILITIES (6)

[CRITICAL] RDP Exposed to Internet (Port 3389)
MITRE ATT&CK : T1076 — Remote Desktop Protocol
Remediation : Restrict RDP to VPN only, enable NLA, use MFA

[CRITICAL] SMB Port Exposed (Port 445)
MITRE ATT&CK : T1210 — Exploitation of Remote Services
Remediation : Block SMB at firewall, apply MS17-010 patch
```

Real-World Relevance
This maps directly to what security teams actually do:

- Attack surface mapping: finding exposed services before attackers do is the first step in any vulnerability management program.
- Risk prioritization: not every open port is equal. This tool scores and ranks so the most dangerous exposures get fixed first.
- SIEM integration: the JSON export can feed directly into Splunk, Elastic, or a ticketing system such as ServiceNow.
- Compliance support: regular network scans are a control requirement under NIST CSF, CIS Controls, and ISO 27001. The scan reports are evidence that the control is actually running.

What I Learned
Building this taught me things no certification course covers:

- **Multithreading changes everything.** Sequential probes serialize every timeout: a /24 is 254 hosts times 29 ports, or 7,366 connection attempts, and with a 1 s timeout (an assumed figure) a single thread can spend up to two hours on filtered ports alone. Fifty workers divide that by fifty, and hosts that refuse quickly come back in seconds. Understanding thread pool sizing and timeout tuning is a real skill.
- **The vulnerability database is the hardest part.** Writing port-scanning logic is straightforward. Deciding which services are risky, why, and how to explain it to a non-technical stakeholder: that's the GRC thinking that makes a security tool actually useful.
- **MITRE ATT&CK is a communication framework.** Mapping findings to ATT&CK techniques isn't just for show. It lets you speak the same language as threat intel teams, red teams, and incident responders. A finding labeled "T1210 — Exploitation of Remote Services" means something specific and actionable to anyone in the security space.

Try It Yourself
```bash
git clone https://github.com/SankethSubhas/network-scanner-vulnerability-reporter.git
cd network-scanner-vulnerability-reporter

# Scan a single host (scanme.nmap.org is provided by the Nmap project for test scans)
python3 network_scanner.py scanme.nmap.org

# Scan a network range
python3 network_scanner.py 192.168.1.0/24

# Export JSON report
python3 network_scanner.py 192.168.1.1 --output report.json
```
Only scan systems you own or have explicit written permission to test.

Links

🔗 GitHub: network-scanner-vulnerability-reporter
🌐 Portfolio: sankethsubhas.pages.dev
💼 LinkedIn: linkedin.com/in/sanketh-subhas
