OWASP Nettacker is a free, open-source tool designed for network scanning, information gathering, and basic vulnerability assessment. Built and maintained by the OWASP community, Nettacker helps security pros automate common tasks like port scanning, service detection, and brute-force attacks. It offers a controlled and extensible framework for running these tests.

What it does

Nettacker scans networks to find weaknesses. It maps out live hosts, open ports, services, and basic misconfigurations. It can also run some attacks, such as testing for default credentials or brute-forcing hidden directories.

Rather than being a traditional vulnerability scanner, Nettacker works more like a modular recon tool. It’s flexible, fast, and scriptable. Users can combine modules and customize how scans run. Results can be saved in different formats, including HTML and JSON.

“Nettacker has a built-in database, which stores all previous scan results, making them searchable and exportable. It also includes a scan comparison feature that allows you to measure the ‘drift,’ or the difference between a baseline scan and the latest scan. This can be used to detect new open ports, new hosts or subdomains appearing on the network, new vulnerabilities, etc. This works nicely for automation, for example in CI/CD pipelines,” Sam Stepanyan, OWASP London Chapter Leader, told Help Net Security.

Key features

• Modular design: Each scan type uses its own module. This includes port scanners, directory scanners, subdomain finders, and authentication testers.
• Multithreading: Nettacker can run multiple tasks at once, which makes it fast, even when scanning large IP ranges.
• Customizable output: Results can be exported to various formats. This makes it easier to use Nettacker as part of a larger toolchain or reporting process.
• API access: Nettacker includes a built-in REST API and web interface. This allows remote use or integration with other systems.
• Basic evasion features: It supports techniques to avoid simple detection by firewalls and intrusion detection systems, such as random delays, proxy support, and changing user agents.

Future plans and download

“We are working on releasing the next version, 0.4.1, very soon, which will include the new custom wordlist feature and several new modules. Future plans include improvements in performance and multi-threading, an improved WebUI (including the introduction of a dashboard), a workflow feature, and integrations with other tools,” Stepanyan explained.

Nettacker is available for free on GitHub.

Must read:

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!