network-scanner

# Network Scanner

Discover and identify devices on local or remote networks using nmap. Gathers IP addresses, hostnames (via reverse DNS), MAC addresses, and vendor identification.

**Safety First:** Includes built-in protection against accidentally scanning public IP ranges or networks without proper private routing — preventing abuse reports from hosting providers.

## Requirements

- `nmap` - Network scanning (`apt install nmap` or `brew install nmap`)
- `dig` - DNS lookups (usually pre-installed)
- `sudo` access recommended for MAC address discovery

## Quick Start

```bash
# Auto-detect and scan current network
python3 scripts/scan.py

# Scan a specific CIDR
python3 scripts/scan.py 192.168.1.0/24

# Scan with custom DNS server for reverse lookups
python3 scripts/scan.py 192.168.1.0/24 --dns 192.168.1.1

# Output as JSON
python3 scripts/scan.py --json
```

## Configuration

Configure named networks in `~/.config/network-scanner/networks.json`:

```json
{
  "networks": {
    "home": {
      "cidr": "192.168.1.0/24",
      "dns": "192.168.1.1",
      "description": "Home Network"
    },
    "office": {
      "cidr": "10.0.0.0/24",
      "dns": "10.0.0.1",
      "description": "Office Network"
    }
  },
  "blocklist": [
    {
      "cidr": "10.99.0.0/24",
      "reason": "No private route from this host"
    }
  ]
}
```

Then scan by name:

```bash
python3 scripts/scan.py home
python3 scripts/scan.py office --json
```

## Safety Features

The scanner includes multiple safety checks to prevent accidental abuse:

1. **Blocklist** — Networks in the `blocklist` config array are always blocked
2. **Public IP check** — Scanning public (non-RFC1918) IP ranges is blocked
3. **Route verification** — For ad-hoc CIDRs, verifies the route uses private gateways

**Trusted networks** (configured in `networks.json`) skip route verification since you've explicitly approved them.

```bash
# Blocked - public IP range
$ python3 scripts/scan.py 8.8.8.0/24
❌ BLOCKED: Target 8.8.8.0/...