View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0009728Kali LinuxNew Tool Requestspublic2026-06-05 11:312026-06-05 11:31
Reporterifritnoises Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Summary0009728: Screamer - Fast Subnet Discovery
Description

[Name] - Screamer
[Already packaged] - Yes, https://gitlab.com/ifritnoises/screamer/-/tree/main/debian
[Willingness to package] - Yes, the author maintains the Debian packaging and will keep it updated.
[Version] - 0.2.0
[Activity] - Started 2026, actively maintained. Available in the AUR. Latest tagged release v0.2.0
[Homepage] - https://github.com/ifritnoises/screamer
[Download] - https://github.com/ifritnoises/screamer/archive/refs/tags/v0.2.0.tar.gz
[Author(s)] - Ifrit, [email protected]
[License] - MIT, applies to the entire codebase.
[Description] - Screamer is a network reconnaissance tool designed for fast subnet discovery under conditions with unknown network addressing. Instead of scanning all hosts, it heuristically probes likely gateway addresses across subnets, tracing router hops to discover the subnets behind them.
[Features] -

  • Heuristic subnet discovery: probes likely gateway positions (.1, .254 by default, configurable) instead of sweeping full ranges
  • TTL-based hop tracing to map routers and reveal subnets behind them
  • Multi-protocol active probing to bypass ACLs: ICMP Echo and Timestamp, TCP, UDP
  • Tunnel/header-less interface support via per-thread L3RawSocket (--tunnel, --tunnel-iface)
  • Topology export to DOT/Graphviz and detected subnet lists
  • Passive host discovery; pcap parse mode works without root

[Update and/or dependency checking] - No auto-update mechanism. No runtime dependency-checking routine; dependencies are resolved at install time via packaging.
[Programming language] - Python (>=3.7), setuptools via pyproject.toml
[Hardcoding] - No hardcoded absolute paths
[Dependencies] - python3, python3-colorama, python3-scapy. Requires root (raw sockets)
[Missing] - None. All dependencies are present in the Kali/Debian repositories.
[Old] - None. No pinned or outdated dependency versions required.
[Kaboxer] - No. Lightweight Python CLI tool, all deps are native Debian packages.
[Similar tools] - traceroute, netdiscover, arp-scan:

  • traceroute maps the path to a single known destination; Screamer instead infers unknown subnets by probing likely gateways and tracing hops to what lies behind them
  • netdiscover and arp-scan operate at layer 2 (ARP) and only enumerate hosts on the local segment; they cannot discover remote subnets across router hops
  • Screamer targets the specific problem of mapping unknown addressing across multiple subnets without exhaustive scanning - a gap none of the above fill

[How to install] - Standard Python packaging (setuptools via pyproject.toml)
[System-wide installation] - Yes
[How to use] - Active Reconnaissance, Passive Reconnaissance

sudo screamer active 172.16.0.0/12 -m udp --dport 123 --max-ttl 5 --out-dot graph.dot --out-subnets subnets.txt
sudo screamer passive --iface eth0

[Writeup] - https://ifritnoises.org/articles/pattern-screamer
[Pentest use case] - During internal network penetration tests or red-team engagements where addressing is unknown, Screamer rapidly maps reachable subnets behind gateways without noisy full-range scans, giving an early topology picture for scoping further enumeration.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2026-06-05 11:31 ifritnoises New Issue