InnerFireZ/f-scan

F-Security

Ultimate Portable Security Audit Tool — Rootless Kali NetHunter on Android

Run full LAN reconnaissance and exploitation directly from your phone. All tools are patched for rootless operation (no raw sockets, -sT TCP connect scans throughout).


Tools in the menu

| # | Script | Description |
|---|--------|-------------|
| 1 | crackmap.sh | SMB / RDP / WinRM null-session enumeration via crackmapexec |
| 2 | fscan.sh | Fast internal network scanner (fscan binary) |
| 3 | nmap.sh | Nmap service/version scan (-sT rootless) |
| 4 | auto_ingram.sh | Webcam auto-exploit (Ingram) |
| 5 | rtsp_brute_open.sh | RTSP stream brute-force |
| 6 | nuclei.sh | Vulnerability scan (Nuclei templates) |
| 7 | autorecon.sh | Ping sweep + AutoRecon (TCP only, rootless) |
| 8 | web.sh | Web recon — whatweb / nikto / gobuster / feroxbuster |
| 9 | iot.sh | IoT / SCADA / Camera device discovery (see below) |

IoT / SCADA Scanner (iot.sh / recon_iot_scada.py)

Full-featured LAN recon engine for industrial, IoT, and IP camera devices.

Scan flow

Interface picker  →  Triage pre-scan (12 ports, fast preview)
  →  Full nmap (-sT, all IoT/SCADA ports)
  →  Parallel protocol probes
  →  Device classification
  →  RTSP brute-force (cameras)
  →  Per-type action submenus
  →  Report saved to results/

Protocol probes

| Protocol | Port | What it checks |
|----------|------|----------------|
| Modbus/TCP | 502 | Device ID (FC43), holding registers (FC3), coils (FC1) — unauthenticated |
| Siemens S7 | 102 | COTP + S7 communication setup |
| EtherNet/IP | 44818 | CIP List Identity |
| IEC 60870-5-104 | 2404 | STARTDT handshake |
| DNP3 | 20000 | Link-layer frame |
| BACnet/IP | 47808 | Who-Is broadcast |
| OPC-UA | 4840 | Hello message |
| MQTT | 1883/8883 | CONNECT + open broker check |
| MQTT capture | 1883 | Subscribe to #, capture live messages for 10s |
| RTSP | 554/8554 | DESCRIBE (anon + credential brute-force) |
| ONVIF | 80/8080 | GetDeviceInformation |
| HTTP fingerprint | 80/443/8080 | Hikvision ISAPI, Dahua, Axis, Siemens, Schneider |
| HTTP Basic auth | 80/443/8080 | 16 default credential pairs |
| SMB | 445 | SMB2/3 negotiate, signing mode |
| SSH | 22 | Banner + key exchange |
| SNMP | 161/UDP | sysDescr / sysName / sysLocation |
| FTP | 21 | Anonymous login attempt |
| Telnet | 23 | 10 common credential pairs |
| UPnP/SSDP | 1900/UDP | Device description |
| CoAP | 5683/UDP | GET /.well-known/core |

Device classification

Two-tier system — no false positives from vendor name alone:

  • Tier 1 (definitive): RTSP port open, RTSP/ONVIF probe succeeded, or HTTP fingerprint matched a camera vendor → Camera/CCTV
  • Tier 2 (scored): ambiguous ports + vendor/probe evidence → highest score wins (SCADA/ICS / IoT / Camera/CCTV)
  • Guard: vendor keyword alone (with only generic ports 22/80/443) is NOT enough to classify as Camera
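
The two-tier rule above, sketched as an added example for asset-inventory use; it is not code from recon_iot_scada.py. The port sets, probe names, score weights and the "Unknown" fallback are assumptions made for illustration.

```python
# Added illustration of the two-tier classification rule (not the project's code).
# Port sets, probe names, weights and the "Unknown" fallback are assumptions.
RTSP_PORTS = {554, 8554}
GENERIC_PORTS = {22, 80, 443}
ICS_PORTS = {102, 502, 2404, 4840, 20000, 44818, 47808}
IOT_PORTS = {1883, 8883, 1900, 5683}
ICS_PROBES = {"modbus", "s7", "enip", "iec104", "dnp3", "bacnet", "opcua"}
IOT_PROBES = {"mqtt", "upnp", "coap"}
CAMERA_VENDORS = ("hikvision", "dahua", "axis")


def classify(ports, vendor="", probes=(), http_fingerprint=""):
    """Return (label, tier) for one host.

    ports: open port numbers; vendor: OUI or banner vendor string;
    probes: names of probes that succeeded; http_fingerprint: matched vendor.
    """
    ports, probes = set(ports), {p.lower() for p in probes}
    vendor, fp = vendor.lower(), http_fingerprint.lower()

    # Tier 1 (definitive): one piece of camera-specific evidence decides.
    if (ports & RTSP_PORTS or probes & {"rtsp", "onvif"}
            or any(v in fp for v in CAMERA_VENDORS)):
        return "Camera/CCTV", 1

    # Tier 2 (scored): add up port and probe evidence per category.
    scores = {"SCADA/ICS": 0, "IoT": 0, "Camera/CCTV": 0}
    scores["SCADA/ICS"] += 2 * len(ports & ICS_PORTS) + 3 * len(probes & ICS_PROBES)
    scores["IoT"] += 2 * len(ports & IOT_PORTS) + 3 * len(probes & IOT_PROBES)

    # Guard: a camera vendor name counts only if a non-generic port backs it up.
    if any(v in vendor for v in CAMERA_VENDORS) and ports - GENERIC_PORTS:
        scores["Camera/CCTV"] += 1

    label, best = max(scores.items(), key=lambda kv: kv[1])
    return (label, 2) if best > 0 else ("Unknown", 2)


if __name__ == "__main__":
    # Constructed sample hosts, not real scan output.
    samples = [
        ("10.0.0.5", dict(ports=[22, 80, 443], vendor="Hikvision Digital Technology")),
        ("10.0.0.6", dict(ports=[80, 554])),
        ("10.0.0.7", dict(ports=[80, 502], probes=["modbus"])),
        ("10.0.0.8", dict(ports=[1883], probes=["mqtt"])),
    ]
    for host, evidence in samples:
        print(host, classify(**evidence))
```

The first sample host shows the guard: a camera vendor string on a host with only ports 22/80/443 stays unclassified instead of being reported as a camera.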

Action submenus (after scan)

Camera/CCTV:

  1. RTSP credential brute-force (routes.txt + 17 credential pairs)
  2. Print all open ports + probe details
  3. Dump Hikvision/Dahua/Axis device info via HTTP
  4. HTTP Basic auth default credential check

SCADA/ICS:

  1. Re-run all protocol probes live
  2. Print full probe results
  3. SNMP walk (public / private / admin / read communities)

IoT:

  1. MQTT broker check + capture live messages (10s, saves to report)
  2. UPnP / SSDP device info
  3. Print full probe results
  4. FTP anonymous login + Telnet credential check

Windows/SMB (any device with port 445):

  1. Null session — list shares
  2. Null session — full enum (users/groups/RID brute)
  3. MS17-010 (EternalBlue) check
  4. All three in sequence

Scan mode (choose in iot.sh)

| Option | Flags | Recommended for |
|--------|-------|-----------------|
| 1 — Quick | --no-udp --no-screenshots | Rootless Android (always pick this) |
| 2 — Full | TCP + UDP + screenshots | Root only |
| 3 — Custom | manual flags | Advanced use |

Always choose option 1 on rootless NetHunter. UDP scans and SYN scans require raw sockets that Android blocks without root.


Installation

Termux / Kali NetHunter

# Core tools
pkg install -y git python python-pip nmap golang curl wget

# Python dependencies for IoT scanner
pip install -r requirements.txt

# crackmapexec
pip install crackmapexec

# AutoRecon (rootless patch — remove osscan, add -sT)
pip install git+https://github.com/Tib3rius/AutoRecon.git
# Then edit: ~/.local/share/AutoRecon/plugins/
# Remove any -O / --osscan flags and add -sT to all nmap plugin configs

# fscan (fast scanner binary)
git clone https://github.com/shadow1ng/fscan.git
cd fscan && go build && mv fscan /usr/local/bin/ && cd ..

# Ingram (webcam exploit)
git clone https://github.com/jorhelp/Ingram.git

# Optional web recon tools
apt install -y whatweb nikto gobuster feroxbuster

Python deps only

pip install -r requirements.txt
# or manually:
pip install python-nmap          # required
pip install scapy                # optional: ARP scan (root only)
pip install netifaces            # optional: better gateway detection

Usage

bash start.sh

All scripts auto-detect your network interface. Output is saved to results/YYYY-MM-DD_HH-MM-SS/.

Run IoT scanner directly

# Auto-detect network
python3 recon_iot_scada.py

# Specific target
python3 recon_iot_scada.py 192.168.1.0/24

# Rootless quick mode (no UDP, no screenshots)
python3 recon_iot_scada.py 192.168.1.0/24 --no-udp --no-screenshots

# Custom output file
python3 recon_iot_scada.py 192.168.1.0/24 --output /sdcard/scan.txt

CLI options

| Flag | Default | Description |
|------|---------|-------------|
| network | auto-detect | Target CIDR (e.g. 192.168.1.0/24) |
| --output | auto-named | Output report file path |
| --workers | 20 | Parallel device scans |
| --probe-workers | 5 | Parallel probes per device |
| --oui-file | oui.txt | IEEE OUI vendor database |
| --no-udp / -nU | off | Skip UDP scanning (faster, rootless-safe) |
| --no-screenshots | off | Disable headless browser screenshots |

Output

Every scan saves a structured report:

results/
└── 2025-05-21_14-30-00/
    ├── iot_scada.txt      # Full device report (from iot.sh)
    ├── nmap.txt
    ├── whatweb.txt
    ├── nikto.txt
    └── ...

The IoT report includes: device summary table, per-device port/probe/classification details, RTSP brute-force results, MQTT captured messages, and found credentials.


Rootless notes

Running without root means:

  • No ARP scanning — host discovery uses nmap TCP ping (-sn)
  • No SYN scan (-sS) — TCP connect scan (-sT) is used instead
  • No OS fingerprinting — -O flag is skipped
  • MAC addresses unavailable — OUI vendor lookup shows Unknown
  • UDP scanning still attempted but may be unreliable

All protocol probes (Modbus, S7, RTSP, MQTT, SMB, HTTP, FTP, Telnet, etc.) work fully rootless since they use standard TCP/UDP socket connections.
