Welcome to the Nebula-Watcher
First i would like to thank the All-Mighty God who is the source of all knowledge, without Him, this would not be possible.
Nebula-Watcher offers a method for ethical hackers to monitor the IP addresses and ports that they have engaged with during a penetration test. It serves as a visual tool to ensure comprehensive coverage of all intended IP addresses and ports under examination.
- Parses NMAP scan results (in plain text format) from a specified directory and returns only IP addresses with open ports.
- Monitors network connections and matches them against the parsed NMAP scan results.
- Generates a visual diagram depicting the activity, with different colors indicating the type of connection.
- Periodically updates the diagram, maintaining a history of the ethical hacking activity.
Example
Before connecting to port 443:
After connecting to port 443:
The easiest way to get started is to use the docker image.
Docker:
Pulling the image:
docker pull berylliumsec/nebula_watcher:latest
Running the image docker image :
docker run --network host -v directory_that_contains_nmap_results/nmap_plain_text:/app/results -v where/you/want/the/diagram:/app/output berylliumsec/nebula_watcher:latest
To change the diagram name from the default:
docker run --network host -v directory_that_contains_nmap_results/nmap_plain_text:/app/results -v where/you/want/the/diagram:/app/output berylliumsec/nebula_watcher:latest python3 nebula_watcher.py --diagram_name /app/your_diagram_name
PIP:
pip install nebula-watcher
To run nebula-watcher simply enter:
nebula-watcher
Utilizing Nebula-Watcher is straightforward. Simply execute the tool, whether through the installed pip package or Docker. It will then autonomously monitor the IP addresses and ports you've engaged.
- --results_dir : Specify the directory containing NMAP scan results. (Default: ./results)
- --diagram_name : Specify the name for the generated diagram. (Default: hacking_activity)
- --clear_state : Use this flag if you want to start the script without using the previous state. This can be helpful for debugging purposes.
- --help: display the above options.
IMPORTANT
-
Ensure that your plain-text NMAP results are located within a directory titled results situated in the current working directory. If you intend to utilize a custom directory, please reference the aforementioned options for guidance.
-
By default, the generated diagram will be saved in the current working directory with the name ethical_hacking_activity.png. However, you have the flexibility to specify an alternate filename, as detailed in the provided options.
-
In cases where there is a significant number of IP addresses with open ports, it might be necessary to zoom into the diagram for clarity.
-
The monitoring tool creates a state.json file in the current working directory. This ensures the preservation of states even post-closure of the monitoring tool.
-
For accurate results, it is recommended to initiate Nebula-Watcher only after completing your general scans. Initiating beforehand may lead to the tool interpreting that all IPs and ports have been engaged during testing.
- The script first parses the NMAP scan results to identify open ports on different IP addresses.
- It then monitors live network connections on the machine it's running on.
- When a network connection matches an IP and port from the NMAP results, the color of the arrow goes from red to blue on the diagram.
- The diagram is periodically updated to reflect the current state of the network connections.