Ultimate Portable Security Audit Tool — Rootless Kali NetHunter on Android
Run full LAN reconnaissance and exploitation directly from your phone. All tools are patched for rootless operation (no raw sockets; -sT TCP connect scans throughout).
| # | Script | Description |
|---|---|---|
| 1 | crackmap.sh | SMB / RDP / WinRM null-session enumeration via crackmapexec |
| 2 | fscan.sh | Fast internal network scanner (fscan binary) |
| 3 | nmap.sh | Nmap service/version scan (-sT rootless) |
| 4 | auto_ingram.sh | Webcam auto-exploit (Ingram) |
| 5 | rtsp_brute_open.sh | RTSP stream brute-force |
| 6 | nuclei.sh | Vulnerability scan (Nuclei templates) |
| 7 | autorecon.sh | Ping sweep + AutoRecon (TCP only, rootless) |
| 8 | web.sh | Web recon — whatweb / nikto / gobuster / feroxbuster |
| 9 | iot.sh | IoT / SCADA / Camera device discovery (see below) |
Full-featured LAN recon engine for industrial, IoT, and IP camera devices. Pipeline:

```text
Interface picker
→ Triage pre-scan (12 ports, fast preview)
→ Full nmap (-sT, all IoT/SCADA ports)
→ Parallel protocol probes
→ Device classification
→ RTSP brute-force (cameras)
→ Per-type action submenus
→ Report saved to results/
```
| Protocol | Port | What it checks |
|---|---|---|
| Modbus/TCP | 502 | Device ID (FC43), holding registers (FC3), coils (FC1) — unauthenticated |
| Siemens S7 | 102 | COTP + S7 communication setup |
| EtherNet/IP | 44818 | CIP List Identity |
| IEC 60870-5-104 | 2404 | STARTDT handshake |
| DNP3 | 20000 | Link-layer frame |
| BACnet/IP | 47808 | Who-Is broadcast |
| OPC-UA | 4840 | Hello message |
| MQTT | 1883/8883 | CONNECT + open broker check |
| MQTT capture | 1883 | Subscribe to #, capture live messages for 10s |
| RTSP | 554/8554 | DESCRIBE (anon + credential brute-force) |
| ONVIF | 80/8080 | GetDeviceInformation |
| HTTP fingerprint | 80/443/8080 | Hikvision ISAPI, Dahua, Axis, Siemens, Schneider |
| HTTP Basic auth | 80/443/8080 | 16 default credential pairs |
| SMB | 445 | SMB2/3 negotiate, signing mode |
| SSH | 22 | Banner + key exchange |
| SNMP | 161/UDP | sysDescr / sysName / sysLocation |
| FTP | 21 | Anonymous login attempt |
| Telnet | 23 | 10 common credential pairs |
| UPnP/SSDP | 1900/UDP | Device description |
| CoAP | 5683/UDP | GET /.well-known/core |
Two-tier system — no false positives from vendor name alone:
- Tier 1 (definitive): RTSP port open, RTSP/ONVIF probe succeeded, or HTTP fingerprint matched a camera vendor → Camera/CCTV
- Tier 2 (scored): ambiguous ports + vendor/probe evidence → highest score wins (SCADA/ICS / IoT / Camera/CCTV)
- Guard: vendor keyword alone (with only generic ports 22/80/443) is NOT enough to classify as Camera
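The two tiers and the guard, as an added example in Python (not the project's code; the Evidence fields and the score weights are assumptions about what the scanner records):

```python
"""Two-tier device classifier following the tiers listed above.
Added example, not the project's own code: the Evidence fields and the
scoring weights are assumptions about what iot.sh collects."""
from dataclasses import dataclass, field

CAMERA_VENDORS = {"hikvision", "dahua", "axis"}
SCADA_VENDORS = {"siemens", "schneider"}
GENERIC_PORTS = {22, 80, 443}  # never enough on their own (the guard)

# Tier-2 scoring tables: evidence -> (class, points).  Assumed weights.
PORT_SCORES = {
    502: ("SCADA/ICS", 3), 102: ("SCADA/ICS", 3), 2404: ("SCADA/ICS", 3),
    20000: ("SCADA/ICS", 3), 44818: ("SCADA/ICS", 3), 47808: ("SCADA/ICS", 2),
    4840: ("SCADA/ICS", 2), 1883: ("IoT", 2), 8883: ("IoT", 2),
    5683: ("IoT", 2), 1900: ("IoT", 1), 8554: ("Camera/CCTV", 2),
}
PROBE_SCORES = {
    "modbus": ("SCADA/ICS", 3), "s7": ("SCADA/ICS", 3), "enip": ("SCADA/ICS", 3),
    "mqtt": ("IoT", 2), "coap": ("IoT", 2), "upnp": ("IoT", 1),
}
VENDOR_CLASS = {v: "Camera/CCTV" for v in CAMERA_VENDORS}
VENDOR_CLASS.update({v: "SCADA/ICS" for v in SCADA_VENDORS})


@dataclass
class Evidence:
    open_ports: set = field(default_factory=set)
    probes_ok: set = field(default_factory=set)  # probes that got a valid reply
    http_vendor: str = ""                         # vendor from HTTP fingerprint
    vendor_hint: str = ""                         # keyword from OUI/banner only


def classify(ev: Evidence) -> str:
    # Tier 1 (definitive): RTSP port, RTSP/ONVIF reply, or camera HTTP fingerprint.
    if 554 in ev.open_ports or ev.probes_ok & {"rtsp", "onvif"} \
            or ev.http_vendor.lower() in CAMERA_VENDORS:
        return "Camera/CCTV"
    # Tier 2 (scored): sum the evidence per class; the highest score wins.
    scores = {"SCADA/ICS": 0, "IoT": 0, "Camera/CCTV": 0}
    for port in ev.open_ports & set(PORT_SCORES):
        cls, pts = PORT_SCORES[port]
        scores[cls] += pts
    for probe in ev.probes_ok & set(PROBE_SCORES):
        cls, pts = PROBE_SCORES[probe]
        scores[cls] += pts
    # Guard: a vendor keyword counts only next to non-generic ports or a probe hit.
    specific = bool(ev.open_ports - GENERIC_PORTS) or bool(ev.probes_ok)
    if specific and ev.vendor_hint.lower() in VENDOR_CLASS:
        scores[VENDOR_CLASS[ev.vendor_hint.lower()]] += 1
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "Unknown"
```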
Camera/CCTV:
- RTSP credential brute-force (routes.txt + 17 credential pairs)
- Print all open ports + probe details
- Dump Hikvision/Dahua/Axis device info via HTTP
- HTTP Basic auth default credential check
SCADA/ICS:
- Re-run all protocol probes live
- Print full probe results
- SNMP walk (public / private / admin / read communities)
IoT:
- MQTT broker check + capture live messages (10s, saves to report)
- UPnP / SSDP device info
- Print full probe results
- FTP anonymous login + Telnet credential check
Windows/SMB (any device with port 445):
- Null session — list shares
- Null session — full enum (users/groups/RID brute)
- MS17-010 (EternalBlue) check
- All three in sequence
| Option | Flags | Recommended for |
|---|---|---|
| 1 — Quick | --no-udp --no-screenshots | Rootless Android (always pick this) |
| 2 — Full | TCP + UDP + screenshots | Root only |
| 3 — Custom | manual flags | Advanced use |
Always choose option 1 on rootless NetHunter. UDP scans and SYN scans require raw sockets that Android blocks without root.
```bash
# Core tools
pkg install -y git python python-pip nmap golang curl wget

# Python dependencies for IoT scanner
pip install -r requirements.txt

# crackmapexec
pip install crackmapexec

# AutoRecon (rootless patch — remove osscan, add -sT)
pip install git+https://github.com/Tib3rius/AutoRecon.git
# Then edit: ~/.local/share/AutoRecon/plugins/
# Remove any -O / --osscan flags and add -sT to all nmap plugin configs

# fscan (fast scanner binary)
git clone https://github.com/shadow1ng/fscan.git
cd fscan && go build && mv fscan /usr/local/bin/ && cd ..

# Ingram (webcam exploit)
git clone https://github.com/jorhelp/Ingram.git

# Optional web recon tools
apt install -y whatweb nikto gobuster feroxbuster
```

Python dependencies for the IoT scanner:

```bash
pip install -r requirements.txt
# or manually:
pip install python-nmap   # required
pip install scapy         # optional: ARP scan (root only)
pip install netifaces     # optional: better gateway detection
```

```bash
bash start.sh
```

All scripts auto-detect your network interface. Output is saved to results/YYYY-MM-DD_HH-MM-SS/.
```bash
# Auto-detect network
python3 recon_iot_scada.py

# Specific target
python3 recon_iot_scada.py 192.168.1.0/24

# Rootless quick mode (no UDP, no screenshots)
python3 recon_iot_scada.py 192.168.1.0/24 --no-udp --no-screenshots

# Custom output file
python3 recon_iot_scada.py 192.168.1.0/24 --output /sdcard/scan.txt
```

| Flag | Default | Description |
|---|---|---|
| network | auto-detect | Target CIDR (e.g. 192.168.1.0/24) |
| --output | auto-named | Output report file path |
| --workers | 20 | Parallel device scans |
| --probe-workers | 5 | Parallel probes per device |
| --oui-file | oui.txt | IEEE OUI vendor database |
| --no-udp / -nU | off | Skip UDP scanning (faster, rootless-safe) |
| --no-screenshots | off | Disable headless browser screenshots |
Every scan saves a structured report:
```text
results/
└── 2025-05-21_14-30-00/
    ├── iot_scada.txt   # Full device report (from iot.sh)
    ├── nmap.txt
    ├── whatweb.txt
    ├── nikto.txt
    └── ...
```
The IoT report includes: device summary table, per-device port/probe/classification details, RTSP brute-force results, MQTT captured messages, and found credentials.
Running without root means:
- No ARP scanning — host discovery uses nmap TCP ping (-sn)
- No SYN scan (-sS) — TCP connect scan (-sT) is used instead
- No OS fingerprinting — the -O flag is skipped
- MAC addresses unavailable — OUI vendor lookup shows Unknown
- UDP scanning still attempted but may be unreliable
All protocol probes (Modbus, S7, RTSP, MQTT, SMB, HTTP, FTP, Telnet, etc.) work fully rootless since they use standard TCP/UDP socket connections.
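The substitutions listed above (and the AutoRecon plugin edit in the install section: drop -O / --osscan, add -sT) applied to an nmap argument list, with the raw-socket check that decides whether they are needed. Added example, not the project's code; how the scripts build their nmap command lines is an assumption.

```python
"""Rootless capability check and nmap argument sanitizer.
Added example, not the project's own code: it applies the rootless
substitutions (-sS -> -sT, drop -O / --osscan*, skip UDP) to an nmap
argument list.  Flag handling is an assumption about the scripts."""
import socket

RAW_TCP_SCANS = set("SAWMNFX")   # -sS, -sA, -sW, -sM, -sN, -sF, -sX: raw sockets
RAW_OTHER_SCANS = set("UOYZ")    # UDP, IP-protocol and SCTP scans: raw sockets
RAW_ONLY_FLAGS = {"-O", "--osscan-guess", "--osscan-limit", "-PR", "-PE", "-PP", "-PM"}

def has_raw_sockets() -> bool:
    """True if this process may open a raw socket (root or CAP_NET_RAW)."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP).close()
        return True
    except OSError:                  # EPERM on Android without root
        return False

def rootless_nmap_args(args, privileged=None):
    """Return a copy of args that an unprivileged nmap accepts.
    Raw-socket TCP scan letters become T (-sSV -> -sTV), U/O/Y/Z are
    dropped, OS detection and -A (which implies -O) are removed, and -sT
    is added when no scan type is left.  Unchanged when privileged."""
    if privileged is None:
        privileged = has_raw_sockets()
    if privileged:
        return list(args)
    out, scan_letters = [], ""
    for a in args:
        if a in RAW_ONLY_FLAGS:
            continue                          # raw-socket probe: drop it
        if a == "-A":                         # keep the rootless-safe parts
            out += ["-sV", "-sC"]
            scan_letters += "VC"
            continue
        if a.startswith("-s") and not a.startswith("--"):
            kept = ""
            for ch in a[2:]:
                ch = "T" if ch in RAW_TCP_SCANS else ch
                if ch not in RAW_OTHER_SCANS and ch not in kept:
                    kept += ch
            if not kept:
                continue                      # e.g. a bare -sU
            scan_letters, a = scan_letters + kept, "-s" + kept
        out.append(a)
    if not set(scan_letters) & set("TnL"):    # no TCP scan, ping-only or list scan
        out.append("-sT")
    return out
```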