Overview

What is PortPhantom?

A Python-based network recon tool for security professionals. It combines port scanning with service version detection and automated CVE lookups, so an authorized assessment yields open ports, identified services and candidate known vulnerabilities in a single pass.

Key Features

  • Multiple scan types (SYN, Connect, ACK, FIN, RST)
  • Service version detection and banner grabbing
  • Multi-threaded scanning with configurable thread count
  • Automated CVE lookups via the NVD API
  • Exportable reports (CSV, TXT)
  • Stealth scan options (SYN, FIN) that keep the probes out of application logs on the target; a network IDS still sees them

Demo

PortPhantom in Action

Scanning a test environment with service detection and vulnerability assessment enabled.

PortPhantom Scanner Output

Open services with version info and CVE matches from the National Vulnerability Database.

Technical Architecture

What Makes PortPhantom Different

Integrates vulnerability intelligence directly into the scanning workflow, going beyond what basic port scanners offer:

  • Automated CVE Lookup: Queries the NVD API to match detected service versions against known vulnerabilities. Treat matches as candidates rather than confirmed findings: a banner version does not reveal backported patches, so verify before reporting
  • Banner Parsing: Extracts product names/versions from banners and maps them to CPE identifiers
  • CVSS Scoring: Severity ratings (CRITICAL/HIGH/MEDIUM/LOW) with remediation recommendations
  • Vendor/Product Mapping: Recognizes 35+ vendors (Apache, Nginx, MySQL, PostgreSQL, etc.) for accurate CVE matching
  • Dangerous Port Warnings: Alerts on sensitive ports — SMB (445), RDP (3389), Redis (6379), MongoDB (27017)
  • OS Fingerprinting: TTL-based detection (the initial TTL, typically 64 for Linux/Unix, 128 for Windows, 255 for network devices, is inferred from the observed TTL) combined with banner analysis; the result is a heuristic guess, not proof
  • Interactive TUI: Rich terminal interface with real-time progress and color-coded results
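The following is an added example, not PortPhantom's own code, showing how the banner-to-CPE step, NVD version matching and CVSS bucketing described above fit together. The vendor table, the extra dangerous ports, the banner regex and the assess() function are assumptions made for this example; the CVE record is constructed to the shape of an NVD API 2.0 response and reduced to the fields used here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed vendor/product table for this example (PortPhantom's own 35+ entry table is not
# reproduced here). Keys are the product token as it appears in banners; values are the
# vendor:product pair NVD uses in CPE names for that software.
PRODUCT_TO_CPE = {
    "apache": ("apache", "http_server"),
    "nginx": ("f5", "nginx"),
    "openssh": ("openbsd", "openssh"),
    "postgresql": ("postgresql", "postgresql"),
    "redis": ("redis", "redis"),
}

# Ports that trigger a warning on sight. The first four are the page's list; the rest are assumed.
DANGEROUS_PORTS = {
    445: "SMB", 3389: "RDP", 6379: "Redis", 27017: "MongoDB",
    23: "Telnet", 5900: "VNC", 9200: "Elasticsearch",
}

# "Apache/2.4.49", "nginx/1.18.0", "OpenSSH_8.2p1", "PostgreSQL 13.4": product, separator, version.
BANNER_RE = re.compile(
    r"(?i)\b(apache|nginx|openssh|postgresql|redis)[/_ ]v?(\d+(?:\.\d+)*(?:[a-z]\d*)?)"
)


@dataclass
class Service:
    product: str
    version: str
    cpe: str


def parse_banner(banner: str) -> Optional[Service]:
    """Pull product and version out of a banner and build the CPE 2.3 name for it."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    product, version = m.group(1).lower(), m.group(2)
    vendor, cpe_product = PRODUCT_TO_CPE[product]
    return Service(product, version, f"cpe:2.3:a:{vendor}:{cpe_product}:{version}:*:*:*:*:*:*:*")


def _vtuple(version: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); '8.2p1' -> (8, 2). Non-numeric suffixes are ignored."""
    parts = []
    for p in version.split("."):
        m = re.match(r"\d+", p)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def cpe_matches(service_cpe: str, criteria: str,
                start_incl: Optional[str] = None, end_excl: Optional[str] = None) -> bool:
    """Match a service CPE against one NVD cpeMatch entry.

    NVD states affected versions either as an exact version inside the criteria string or as a
    wildcard version plus versionStartIncluding / versionEndExcluding bounds (only those two
    bounds are handled here).
    """
    s, c = service_cpe.split(":"), criteria.split(":")
    if s[2:5] != c[2:5]:            # part, vendor and product must all agree
        return False
    if c[5] != "*":                 # exact-version criteria
        return s[5] == c[5]
    v = _vtuple(s[5])
    if start_incl and v < _vtuple(start_incl):
        return False
    if end_excl and v >= _vtuple(end_excl):
        return False
    return True


def cvss_severity(score: float) -> str:
    """NVD qualitative rating for a CVSS v3 base score."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def assess(port: int, banner: str, cve_records: list) -> dict:
    """Combine banner parsing, CVE matching, severity rating and port warnings for one service."""
    result = {"port": port, "service": None, "cves": [], "warning": DANGEROUS_PORTS.get(port)}
    svc = parse_banner(banner)
    if svc is None:
        return result
    result["service"] = svc
    for rec in cve_records:
        for m in rec["matches"]:
            if cpe_matches(svc.cpe, m["criteria"],
                           m.get("versionStartIncluding"), m.get("versionEndExcluding")):
                result["cves"].append((rec["id"], rec["score"], cvss_severity(rec["score"])))
                break
    return result


# Constructed records in the shape of an NVD API 2.0 response, cut down to the fields used above.
# CVE-2021-41773 is the Apache httpd 2.4.49 path traversal (NVD CVSS v3.1 base score 7.5).
SAMPLE_CVES = [
    {"id": "CVE-2021-41773", "score": 7.5,
     "matches": [{"criteria": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"}]},
]

if __name__ == "__main__":
    print(assess(80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\n", SAMPLE_CVES))
```

A full matcher also has to honour versionStartExcluding and versionEndIncluding, and every hit stays a candidate until the patch level is confirmed, since distribution packages backport fixes without changing the banner version.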

Core Technologies

  • Scapy: Raw packet manipulation for SYN/ACK/FIN/RST scans
  • Socket: TCP connect scans and banner grabbing
  • Threading: Concurrent scanning with configurable thread counts
  • NVDLib: Third-party Python client (nvdlib) for the NIST NVD API, used for CVE queries
  • Rich: Terminal formatting with tables, progress bars, and color-coded output
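As an added example (not code from the PortPhantom project), here is a minimal connect scanner built from the socket and threading pieces listed above, run against two constructed loopback services that stand in for an SSH daemon and an HTTP server. The function names, the timeouts and the HEAD probe used to coax a banner out of silent services are choices made for this example.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(sock: socket.socket, timeout: float = 0.5) -> str:
    """Read whatever the service volunteers; if it stays silent, send an HTTP probe and read again."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(1024)
        if data:
            return data.decode("latin-1").strip()
    except socket.timeout:
        pass
    try:
        sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        return sock.recv(1024).decode("latin-1").strip()
    except OSError:                         # socket.timeout is an OSError subclass
        return ""


def connect_scan(host: str, port: int, timeout: float = 1.0) -> tuple:
    """Full-handshake scan of one port. Returns (port, state, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return port, "filtered", ""     # neither SYN/ACK nor RST: something dropped the probe
        except ConnectionRefusedError:
            return port, "closed", ""       # RST came back
        except OSError:
            return port, "filtered", ""     # e.g. host unreachable reported via ICMP
        return port, "open", grab_banner(s)


def scan_ports(host: str, ports, workers: int = 16) -> dict:
    """Scan ports concurrently; the worker count bounds how many connections are in flight."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {port: (state, banner)
                for port, state, banner in pool.map(lambda p: connect_scan(host, p), ports)}


def start_fake_service(greeting: bytes = b"", reply: bytes = b"") -> tuple:
    """Constructed stand-in for a daemon on 127.0.0.1 (test fixture, not a real service).

    Sends `greeting` on connect (SSH/FTP/SMTP style) or waits for a request and answers
    with `reply` (HTTP style). Returns (port, stop_event).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    if greeting:
                        conn.sendall(greeting)
                    else:
                        conn.recv(1024)
                        conn.sendall(reply)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def free_closed_port() -> int:
    """A loopback port with nothing listening, so a connect to it is refused (RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh_port, stop_ssh = start_fake_service(greeting=b"SSH-2.0-OpenSSH_8.2p1\r\n")
    http_port, stop_http = start_fake_service(reply=b"HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\n\r\n")
    results = scan_ports("127.0.0.1", [ssh_port, http_port, free_closed_port()])
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d}/tcp {state:8s} {banner.splitlines()[0] if banner else ''}")
    stop_ssh.set()
    stop_http.set()
```

Two points carry over to a real scanner: the distinction between a refused connection (closed) and a timeout (filtered) is the same one a SYN scan makes from RST versus silence, and the thread count is a rate control as much as a speed knob, since a connect scan completes a handshake that the target logs.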

Scan Types Supported

  • Connect (-sC): Full TCP handshake, no privileges needed; most reliable, but the completed connection is logged by the target service
  • SYN (-sS): Half-open scan; never completes the handshake, so application logs stay quiet; needs raw sockets (root or CAP_NET_RAW)
  • ACK (-sA): Firewall rule mapping; reports a port as unfiltered (RST received) or filtered (no reply), not as open or closed
  • FIN (-sF): FIN-only probes that slip past basic IDS signatures and some stateless filters; relies on RFC 793 behaviour (open ports stay silent, closed ports answer RST), so it is unreliable against Windows and many network devices, which send RST for every port
  • RST (-sR): Reset-based firewall fingerprinting
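An added example, not PortPhantom's code, of the decision logic behind the SYN, ACK and FIN scans above and of the TTL-based OS guess from the feature list. classify() works on a plain TCP flag byte so it runs offline; raw_probe() shows how a Scapy sr1() reply would be fed into it and is an assumption about how such a scanner is wired, not the project's implementation (it needs Scapy and raw-socket privileges and is not exercised offline).

```python
from typing import Optional, Tuple

# TCP flag bits as they appear in the header (and in int(pkt[TCP].flags) from Scapy).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Initial TTLs most stacks start from; the observed TTL is this minus the hop count.
INITIAL_TTLS = ((64, "Linux/Unix/macOS"), (128, "Windows"), (255, "Network device/Solaris"))


def classify(scan: str, flags: Optional[int], icmp_unreachable: bool = False) -> str:
    """Port state implied by the reply to one probe.

    flags is the TCP flag byte of the reply, or None when nothing came back before the timeout.
    icmp_unreachable marks an ICMP type 3 reply with code 1, 2, 3, 9, 10 or 13, which means a
    filter rejected the probe rather than the host answering it.
    """
    if icmp_unreachable:
        return "filtered"
    if scan == "syn":
        if flags is None:
            return "filtered"
        if flags & SYN and flags & ACK:
            return "open"                      # half-open: the handshake is never completed
        if flags & RST:
            return "closed"
    elif scan == "ack":
        if flags is None:
            return "filtered"                  # a stateful firewall dropped the unsolicited ACK
        if flags & RST:
            return "unfiltered"                # reached the host; says nothing about open/closed
    elif scan == "fin":
        if flags is None:
            return "open|filtered"             # RFC 793: open ports ignore a stray FIN
        if flags & RST:
            return "closed"                    # closed ports answer RST (Windows: every port)
    else:
        raise ValueError(f"unknown scan type {scan!r}")
    return "unknown"


def guess_os_from_ttl(ttl: int) -> Tuple[str, int]:
    """Nearest common initial TTL at or above the observed one, plus the implied hop count.

    Heuristic only: the default TTL is configurable, and this separates just three families.
    """
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    raise ValueError("TTL above 255 is not valid")


def raw_probe(host: str, port: int, scan: str = "syn", timeout: float = 2.0) -> Tuple[str, Optional[str]]:
    """Send one raw probe with Scapy and classify the reply. Returns (state, os_guess).

    Assumed wiring for this example; requires Scapy and root or CAP_NET_RAW.
    """
    from scapy.all import IP, TCP, ICMP, sr1   # imported lazily so the rest runs without Scapy
    probe_flags = {"syn": "S", "ack": "A", "fin": "F"}[scan]
    resp = sr1(IP(dst=host) / TCP(dport=port, flags=probe_flags), timeout=timeout, verbose=0)
    if resp is None:
        return classify(scan, None), None
    if resp.haslayer(ICMP):
        unreachable = resp[ICMP].type == 3 and resp[ICMP].code in (1, 2, 3, 9, 10, 13)
        return classify(scan, None, icmp_unreachable=unreachable), None
    # The kernel answers an unexpected SYN/ACK with RST on its own, so the half-open
    # connection is torn down without the scanner sending anything further.
    return classify(scan, int(resp[TCP].flags)), guess_os_from_ttl(resp[IP].ttl)[0]


if __name__ == "__main__":
    print(classify("syn", SYN | ACK), classify("ack", None), classify("fin", None))
    print(guess_os_from_ttl(52), guess_os_from_ttl(116))
```

The table also makes the FIN scan's weakness concrete: silence is reported as open|filtered because a dropped probe and an open port look identical, which is why it is a supplement to a SYN scan rather than a replacement.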

Legal & Ethical Use

By downloading and using this software, you agree to:

  • Only scan networks and systems you own or have written authorization to test
  • Comply with all applicable laws in your jurisdiction
  • Accept full responsibility for your use of this tool

Provided for educational and authorized testing purposes only. The author disclaims all liability for misuse.