Detection of nmap intrusion attempts.
- 🔍 Real-time detection - Captures SYN scans as they happen
- 📊 Clear output - Human-readable alerts with timestamps
- 🎯 Multi-interface - Works on loopback, Ethernet, or WiFi
- 🛡️ Educational - Learn how Nmap stealth techniques work
- 🐍 Pure Python - Built with Scapy, no proprietary dependencies
# Clone the repository
git clone https://github.com/TLRKiliann/nmap-detector.git
# Go to the project folder
cd nmap-detector
# Create & activate virtual environment
python3 -m venv venv
source venv/bin/activate
# Update all versions
pip install -r requirements.txtIn Localhost
Terminal n°1
sudo nmap -sS -p 1-6000 -T3 127.0.0.1
Terminal n°2
sudo python3 nmap-detector.py
or if you get trouble with Linux:
sudo venv/bin/python nmap-detector.py
Choose the right sniff():
...
try:
# Linux
sniff(iface="lo", prn=detector.packet_callback, store=0) # loopback
#sniff(iface="eth0", prn=detector.packet_callback, store=0) # Ethernet
#sniff(iface="wlan0", prn=detector.packet_callback, store=0) # WiFi
# MacOS
#sniff(iface="lo0", prn=detector.packet_callback, store=0) # loopback
#sniff(iface="en0", prn=detector.packet_callback, store=0) # Ethernet
#sniff(iface="en1", prn=detector.packet_callback, store=0) # Wifi
# Windows
#sniff(iface="Ethernet", prn=detector.package_callback, store=0) # Ethernet
except Exception as e:
print(f"Erreur: {e}")
print("Essayez: sudo python3 script.py")
...
With Ethernet
Terminal n°1
sudo nmap -sS -p 1-6000 -T3 192.168.10.22
Terminal n°2
sudo python3 nmap-detector.py
or if you get trouble with Linux:
sudo venv/bin/python nmap-detector.py
Choose the right sniff():
sniff(iface="eth0", prn=detector.packet_callback, store=0) # Ethernet
-T0 (Paranoid) → More stealthy, but impractical on large targets
-T1 (Sneaky) → Very stealthy, usable in real-world conditions
-T2 (Polite) → Moderately stealthy
-T3 (Normal) → Default behavior, detectable on sensitive networks
-T4 (Aggressive) → Easily detectable
-T5 (Insane) → Extremely detectable, packet loss possible
- 👎 Don't use
nmap -sS -p- -T4 (or T5) <IP>
- 👍 A more discreet option (but very slow)
nmap -sS -p- -T2 <IP> # Polite mode
nmap -sS -p- -T1 <IP> # Sneaky mode (more slowly)
- ⏲️ Final deadline check
nmap -sS -p- --scan-delay 500ms --max-rtt-timeout 1500ms <IP>
- 🧚 Use port 80 (HTTP) as the source port—less conspicuous
nmap -sS -p- --source-port 80 <IP>
- ☑️ Maximum stealth: slow + shards + decoys + source port
nmap -sS -p- -T2 -f -D RND:10 --source-port 80 --scan-delay 1s <IP>
--scan-delay 1s
-D RND:10
One-second delay => too long (24–36 hours)
Nmap randomly generates 10 IP addresses
One of these 10 will be your real IP address
The other 9 are random IP addresses that may or may not exist (Nmap does not verify them)
Warning: These decoy IPs will also receive responses from the target (side effect)
- ✅ Maximum discretion without generating invalid IP addresses
nmap -sS -p- -T1 -f --scan-delay 2s --data-length 200 <IP>
# Discretion + reasonable time (for a monitored network)
nmap -sS -p- -T2 --max-retries 1 --min-rate 10 <IP>
# --min-rate 10 = at least 10 packets per second (much faster but quiet)
Found a bug? Have an idea? Open an issue or submit a PR.
If this tool helped you understand network security better, star this repo to help others find it!
Made with 🐍 and ☕ by me
Enjoy 🐨 !