A self-hosted network security reconnaissance platform
Netwatch is a self-hosted platform for continuous network reconnaissance and security monitoring.
It continuously scans your network for exposed ports, outdated software, and potential vulnerabilities. All gathered data is accessible through a RESTful HTTP API or a user-friendly web interface, where you can search for specific banners or identify outdated services.
It fully supports both IPv4 and IPv6, just provide one or more subnets in CIDR notation or individual IP addresses and Netwatch will automatically start active monitoring with advanced service detection. Even if a host doesn't have a single open port it will still be stored in the database with the results of its auxiliary scripts (DNS blacklists, geolocation, etc.) and just to appear tuff there is also the possibility to generate and download PDF AI reports for hosts with open ports.
Network scan results take time, that means you won't see any result at first because the scanning process needs to cycle through all the targets you've configured, analyze open ports, fingerprint services, and correlate potential vulnerabilities. Depending on the size of the network, this could take several minutes or even hours.
Netwatch is powered by several robust open-source tools:
- A custom-built TCP scanner, Netrunner (wraps nmap & vulners)
- Nmap for active scanning and enumeration with NSE
- Vulners for CVE correlation
- Data storage using MongoDB
- A minimal RESTful API built with FastAPI
- A web dashboard implemented via Streamlit
- AI analysis and reporting with Gemini
By default Netwatch scans the top 1000 ports for each host. This list is taken from Shodan stats with the following bash script. Feel free to update, expand or reduce the list with your own favorite
Netwatch is deployable with Docker. Before starting, navigate into the netwatch/install directory and generate a new pair of credentials using creds.sh, then return to the main directory to start the installation.
Credentials are hashed using bcrypt and stored in
/opt/netwatch/credsduring the container execution. Before runningcreds.shensure Python 3 and the bcrypt package are installed on your system.
Ensure that you have enough hardware resources, a reliable network connection and Docker installed on your system.
Deployment is quick and easy using Docker Compose. Simply run the following command:
sudo docker compose up -d --buildThis will start two containers and launch the entire platform.
Once started, the web dashboard will be available at localhost:8503
After the host discovery pre-scan (to see which hosts are alive) each scan is dinamically subdivided in chunks of about max /28 (16 hosts) subnets and then sequentially executed to avoid network throttling, with minimum parallelism of 48 concurrent operations per chunk (len(chunk)*3)
So if a single host is specified in the input field the minimum parallelism parameter would be just 3.
Netwatch writes logs to src/activity.log
To access those logs inside the container:
sudo docker exec -it netwatch cat activity.logThe full API documentation is available at localhost:8504/docs
Important: The auth-less API and dashboard are accessible on your local network by default.
If you plan to expose Netwatch outside of your LAN, it is highly recommended to place it behind a reverse proxy (e.g., Traefik, Nginx) with HTTPS and access controls enabled exposing only the dashboard (port8503) to grant proper authentication.
Tip: Need help identifying CIDR blocks for external hosts/networks of specific companies? You can use tools like bgp.he.net to search for ASN or IP ranges ownership info.
