GitHub - ifritnoises/screamer: Fast Subnet Discovery · GitHub
Screamer is a network reconnaissance tool designed for fast subnet discovery in networks with unknown addressing. Instead of scanning every host, it heuristically probes the likely gateway addresses in each subnet and listens to traffic, gathering information about nearby hosts.
Overview
During a penetration test or infrastructure maintenance, one common challenge comes up: understanding the network topology with unknown or poorly documented addressing, and identifying routing devices and the subnets behind them. Port scanning seemed like the obvious solution, but when applied to large ranges like 10.0.0.0/8, it is costly for two reasons:
Exhaustively scanning all addresses and ports places a significant load on the production equipment, which may be sensitive to such stress
A significant part of the address space may not be used, but this does not shorten the already long scan
This tool manipulates the TTL value. Every IPv4 packet has a TTL field, which is decremented by one at each router (hop). When it reaches zero, the router discards the packet and sends back an ICMP Time Exceeded message (RFC 792, page 7), which reveals the router's address.

By incrementally increasing the TTL value, the tool forces each router along the path to "introduce" itself in order, building a chain of hops all the way to the destination. If the destination responds successfully (Echo Reply, Timestamp Reply, TCP ACK, TCP RST, Port Unreachable), this suggests that the subnet is reachable.
Install
Works on Unix-like systems and requires Python 3.7 or later. The tool uses raw sockets and runs as root, so installation via pipx with the --global flag is mandatory: with a user-level installation (~/.local/bin), the command is not on the root user's PATH.
sudo pipx install --global git+https://github.com/ifritnoises/screamer
Active Reconnaissance
Active mode sends packets with incrementally increasing TTL values across a specified range and maps the network: which hops exist and which subnets they connect to.
"Screamer" uses multiple protocols, which allows it to get past filters that block one type of traffic but allow another:
ICMP: Ping (Type 8) is often blocked by ACLs, but timestamp request (Type 13) is also available
TCP and UDP: Testing closed ports may trigger an ICMP port unreachable packet (Type 3, Code 3), which confirms that the host is active
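The active mode described above leaves a recognisable trace on the wire: one source sending probes with very low initial TTLs to the gateway positions (.1 and .254 by default) of many different /24s, often over several protocols. The following detection heuristic runs over constructed flow records; it is an added example, not code from the screamer project, and the record format, thresholds and sample addresses are assumptions.

```python
"""Flag sources performing a low-TTL gateway sweep (the active-mode technique
described above). Added example with constructed data; not screamer's own code."""
from collections import defaultdict
import ipaddress

# Constructed sample flow records as (src, dst, ip_ttl, proto); not real traffic.
# The TTL is the value seen at the sensor, so this heuristic assumes the sensor
# sits at or near the prober's first hop (a TTL-1 packet never travels further).
SAMPLE_FLOWS = [
    ("192.0.2.50", "10.0.1.1", 1, "icmp"),
    ("192.0.2.50", "10.0.1.1", 2, "icmp"),
    ("192.0.2.50", "10.0.1.254", 1, "icmp"),
    ("192.0.2.50", "10.0.2.1", 1, "tcp"),
    ("192.0.2.50", "10.0.2.254", 2, "udp"),
    ("192.0.2.50", "10.0.3.1", 3, "icmp"),
    ("192.0.2.50", "10.0.4.1", 1, "icmp"),
    ("192.0.2.50", "10.0.5.254", 1, "icmp"),
    ("198.51.100.7", "10.0.1.1", 64, "tcp"),   # ordinary traffic: full initial TTL
    ("198.51.100.7", "10.0.1.20", 64, "tcp"),
]

GATEWAY_POSITIONS = {1, 254}  # screamer's default --positions
MAX_PROBE_TTL = 5             # screamer's default --max-ttl


def is_gateway_probe(dst, ttl, positions=GATEWAY_POSITIONS, max_ttl=MAX_PROBE_TTL):
    """True if the packet targets a likely-gateway host octet with a sweep-range TTL."""
    last_octet = int(ipaddress.ip_address(dst)) & 0xFF
    return last_octet in positions and 1 <= ttl <= max_ttl


def find_ttl_sweeps(flows, min_subnets=3):
    """Return {src: {"subnets": n, "protocols": [...]}} for sources that sent
    low-TTL gateway probes into at least min_subnets distinct /24 networks.
    Legitimate traceroutes also use low TTLs but rarely fan out across subnets,
    so the distinct-subnet count is the discriminating signal."""
    per_src = defaultdict(lambda: {"subnets": set(), "protocols": set()})
    for src, dst, ttl, proto in flows:
        if not is_gateway_probe(dst, ttl):
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_src[src]["subnets"].add(str(net))
        per_src[src]["protocols"].add(proto)
    return {
        src: {"subnets": len(v["subnets"]), "protocols": sorted(v["protocols"])}
        for src, v in per_src.items()
        if len(v["subnets"]) >= min_subnets
    }


if __name__ == "__main__":
    for src, info in find_ttl_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: probed {info['subnets']} subnets via {info['protocols']}")
```

Lowering min_subnets raises sensitivity at the cost of flagging ordinary traceroute runs; in practice the mixed-protocol fan-out across many /24s is what separates a sweep from diagnostics.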
screamer active --help
| Flag | Purpose |
|---|---|
| -m / --method | Protocol to use: icmp-echo (default), icmp-timestamp, tcp, udp |
| --dport | Destination port for TCP/UDP packets |
| --positions | From each /24 subnet, the addresses most likely to be gateways are probed (by default .1 and .254); the --positions flag selects these positions manually |
| -t / --threads | Number of threads (default: 30) |
| --max-ttl | Trace depth in hops (default: 5) |
| --tunnel | Use L3RawSocket for tracing inside tunnels |
| --out-dot | Save the topology to a DOT file for easy visualization |
| --out-subnets | Save the detected subnets to a file |
Demo
Passive Reconnaissance
By sniffing traffic, you can see what is happening in the broadcast domain and which devices are active. The tool supports the following protocols: ARP, NDP, SSDP, CDP, LLDP, DHCP, DHCPv6, LLMNR, NBT-NS and mDNS.
screamer passive --help
| Flag | Purpose |
|---|---|
| --iface | Interface for live capture |
| --pcap | .pcap file to parse (no root required) |
| --output | Write matched packets to a pcap file (survives CTRL+C) |
| --timeout | Traffic sniffing timeout (auto-writes a pcap if --output was not specified) |
Demo
Reflections
The TTL tracing method is useful for initial...