{"id":16583917,"url":"https://github.com/jackorcherton/pyspy","last_synced_at":"2025-10-26T14:42:38.253Z","repository":{"id":131078646,"uuid":"248965778","full_name":"jackorcherton/PySpy","owner":"jackorcherton","description":"Network Enumeration","archived":false,"fork":false,"pushed_at":"2020-03-21T11:54:11.000Z","size":612,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-16T14:51:49.404Z","etag":null,"topics":["network-enumeration"],"latest_commit_sha":null,"homepage":"http://pyspy.jordanclark.uk/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jackorcherton.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-21T11:52:55.000Z","updated_at":"2020-12-11T19:05:56.000Z","dependencies_parsed_at":"2023-06-26T02:04:32.450Z","dependency_job_id":null,"html_url":"https://github.com/jackorcherton/PySpy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackorcherton%2FPySpy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackorcherton%2FPySpy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackorcherton%2FPySpy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackorcherton%2FPySpy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jackorcherton","download_url":"https://codeload.github.com/jackorcherton/PySpy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242144582,"owners_count":20078970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["network-enumeration"],"created_at":"2024-10-11T22:43:31.757Z","updated_at":"2025-10-26T14:42:38.189Z","avatar_url":"https://github.com/jackorcherton.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"Welcome to PySpy\n---------\nThis is the main project - all the Python files are dependencies which are imported into PySpy - so to run the program click on PySpy. The aim of this project is to create a simple network enumeration device that will run on a BeagleBone Black (running a Debian-based Linux distro).\nThis should also work on the Raspberry Pi \u0026 other Debian-based Linux distributions.\nAs well as this we have set up a reverse SSH server - so that the BBB will respond from anywhere with an internet connection - however, you will need a server with a static IP or a service like dyn-dns/no-ip \u0026 port forwarding.\nBelow are the main features so far, \u0026 the reasoning behind them:\n\nARP Scan\n---------\nThe ARP scan was the first project completed (by Jack Orcherton).\nThe main features of this tool are:\n1. IP Discovery - Finds your current IP address \u0026 the subnet you are on.\n   - Saves humans having to enter and find out IP info - removes the chance of a person typing it wrong (human error)\n   - Helps automate the project more\n   - Done by pinging Google DNS, then inspecting the packet received for your IP address (originally tried to find this information from the host - but it would only return the loopback address) - this feature will only work with an external internet connection.\n   - If IP discovery fails - it will prompt you to enter your IP\n2. Scan the subnet of the network you are on.\n   - This is done via ARP scanning\n   - Chosen over a ping sweep as some devices are able to ignore ICMP requests (e.g. if the device is in promiscuous mode) - whereas they are unable to ignore ARP requests\n3. Display results in a table - works out the IP address, MAC address \u0026 the device manufacturer.\n   - Helps to find the layout of the network \u0026 what devices are used.\n4. Save results to a database.\n   - Helps towards automation - results can be saved \u0026 accessed at a later date\n5. Each time it is run the database is updated/new entries are added.\n   - Helps towards automation - over time the results can be used to work out what IPs the DHCP server gives out and build a picture of the network over time\n\nARP Spoofing\n---------\nThird project by Jack Orcherton\nARP spoofing is a type of man-in-the-middle attack, which if successful means that the target system will send all its data to the attacker \u0026 the default gateway (typically a router) will send all the data destined for the target to the attacker.\nThe point of this is that in corporate networks switches are used \u0026 will typically send the data directly to its destination - meaning that other devices on the network cannot 'inspect' this traffic. With ARP spoofing, the attacker can get the target system to send all its data to the attacker instead - therefore bypassing the switch problem.\nMain Features:\n1. Retrieve all previously seen devices \u0026 allow the user to set the target \u0026 default gateway\n2. ARP Spoof\n\nMAC Address Finder\n---------\nProject by Jack Orcherton\nThis allows the user to find who made the device, when given the MAC address. This can then be used to target exploits related to that manufacturer. For example if you saw a Cisco device you could try using the CVE-2019-12669 vulnerability.\nA disadvantage to this project is that some operating systems implement MAC address randomisation - the downside to this is that it could lead to false positives in results. Examples of OSs that support this:\n1. Windows - not turned on by default\n2. Android - turned on by default from version 10\n3. iOS - turned on by default from version 8\n4. OS X - not possible\n\nNB: servers generally don't change MAC addresses - as the MAC is used for DHCP IP reservations.\n\nNetwork Sniffer\n---------\nProject by Jack Orcherton \u0026 Mamadu Djalo\nUsed to capture network traffic - this can be useful for information when it is sent in plain text. Currently supports the following protocols:\n1. DNS\n   - Able to view all DNS queries \u0026 responses (therefore we can track websites visited by each client)\n   - DNS is historically sent unencrypted - however efforts have been made to use encrypted versions, which we can't intercept - like DNS-over-HTTPS \u0026 DNS-over-TLS - this is a relatively new concept - the following browsers support it:\n     - Chrome - No support (under development)\n     - Firefox - Full support - enabled by default in the US (have to manually enable it everywhere else)\n     - Edge/Explorer - No support (under development for Edge)\n2. HTTP\n   - Able to view any HTTP connection\n   - Can view POST requests - so able to intercept user names and passwords sent in clear text\n\nAll results are saved in a database for automation purposes.\nNB - will only work with ARP spoofing on modern switched networks - otherwise will work fine on WiFi \u0026 hub-based networks.\nMamadu is currently looking at supporting additional protocols\n\nReverse SSH\n---------\nProject by Jack Orcherton (BeagleBone \u0026 SSH setup) \u0026 Jordan (Microsoft Azure Server \u0026 Static IP setup)\nAs we do not know which IP will be assigned to the BeagleBone, we have set up a reverse shell for the BBB. As well as this, most firewalls will block incoming SSH traffic by default. This will allow us to be able to control the BBB from anywhere.\n\nFile Server\n---------\nProject by Jack Orcherton. As the above program saves the results from the ARP scan \u0026 packet sniffer to the database - we needed a means to transfer the database from the BeagleBone to the Ubuntu Server. To do this, I thought of the following ways:\n1. SCP - a command that can be used for retrieving files through SSH.\n2. FTP - a protocol specifically designed for transferring files\n3. HTTP - protocol for sending webpages over the internet - but can also be used to transfer files.\n\nIn the end, I decided to use HTTP - this is because the other protocols aren't always seen on all networks \u0026 therefore may be picked up, or even blocked by network administrators, whereas everyone uses web traffic - therefore it looks less suspicious. To set up the server I decided to use the SimpleHTTPServer module in Python - however, a downside to this is that by default it automatically displays and allows anyone to download the files in the directory it is running in - I decided to remove this feature by uploading a web page over the top - https://error404coventry.hopto.org/. As well as this, the server will allow anyone to upload files (as we do not know what the IP of the BeagleBone will be). In order to minimise the risk of just anyone uploading a file, the file has to be called 'info.sqlite3' otherwise the file is rejected.\n\nA downside to HTTP is that it is unencrypted - therefore if a network admin did inspect the individual HTTP packets, he would be able to view \u0026 reconstruct the data sent (and may be able to realise what we are doing) - therefore I decided to use HTTPS, the encrypted version of HTTP - so if someone looked at the packet - they cannot view the data inside.\n\nIt has all been encrypted by using a signed TLS 1.3 certificate from the certificate authority Let's Encrypt.\n\nFinally, I have scheduled a crontab job that runs with root privileges (so that the server can bind to the HTTPS port 443) that will start the server automatically when Ubuntu is rebooted - using crontab (type the command sudo crontab -e, then enter '@reboot python3 /path/to/script.py'). The database will be saved in the /root directory.\n\nDatabase Upload\n---------\nProject by Jack Orcherton - a simple Python script that will upload the database to the file server - can be called any time using the PySpy main program, and also set as a crontab job to run automatically at 1am every day. To set up - type crontab -e then add the following: 0 1 * * * python3 /path/to/script.py\nTo change this to upload it to your server, you need to change line 9 of dbUpload.py to your domain.\n\nTCP Scan\n---------\nProject by Jack Orcherton - a Python script which will retrieve previous addresses found by the ARP scan, and will then prompt the user to select one. The program will then attempt to 'ping' the device. It will then ask the user whether they would like to scan in the following modes:\n1. TCP scan of the top 20 most frequently open ports\n2. Scan of the well-known ports (1-1024)\n3. Custom Range Scan (any port between 1-65535)\nThe results will then be displayed to the end user \u0026 saved to the database\n\nI have chosen to use a TCP scan, instead of a stealth scan, because the BBB will be on the company's network - traffic will be less likely to be suspected coming from an 'internal' network device. As well as this, this type of scan would be a lot quicker compared to a stealth scan.\n\nUDP Scan\n---------\nProject by Mark Finta - a Python script which will retrieve previous addresses found by the ARP scan, and will then prompt the user to select one. The program will then attempt to 'ping' the device. It will then ask the user whether they would like to scan in the following modes:\n1. TCP scan of the top 20 most frequently open ports\n2. Scan of the well-known ports (1-1024)\n3. Custom Range Scan (any port between 1-65535)\nThe results will then be displayed to the end user \u0026 saved to the database\n\nDependencies\n-------------------------\nPython 3.8+ (should work with any interpreter in the 3.x branch)\nPyShark (type 'python3 -m pip install PyShark' - sometimes you need to remove the '3' - required for the packet capture on the BBB)\nServer/Static IP for the Web Server (for database sync)\nLet's Encrypt Free SSL Certificate (allows for HTTPS encrypted data transfer)\n\nLegal\n-------------------------\nPLEASE NOTE - this code is only for educational purposes - and does work on a network. Due to what these tools do, please do not run them on any network that you do not have permission to - we accept no liability.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjackorcherton%2Fpyspy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjackorcherton%2Fpyspy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjackorcherton%2Fpyspy/lists"}