- Go 100%
| abuse.go | ||
| archive.go | ||
| asn.go | ||
| cidr.go | ||
| ct.go | ||
| dns.go | ||
| dnssec.go | ||
| dnswire.go | ||
| errors.go | ||
| findings.go | ||
| fmtcompat.go | ||
| go.mod | ||
| httpcheck.go | ||
| internetdb.go | ||
| leads.go | ||
| local.go | ||
| main.go | ||
| main_test.go | ||
| output.go | ||
| path.go | ||
| ports.go | ||
| publicintel.go | ||
| rdap.go | ||
| README.md | ||
| tlscheck.go | ||
| webfiles.go | ||
checknet
checknet is a Go command-line tool for defensive network reconnaissance,
network identification, and attack-surface review.
It is designed to produce a practical report from the machine where it is run: local network posture, target ownership and DNS data, passive public intelligence, web and TLS metadata, optional authorized path and TCP checks, and structured findings with evidence.
checknet does not provide stealth, evasion, exploitation, brute forcing, or
unauthorized scanning features. Active checks are explicit and should only be
used against systems you own or have permission to assess.
Capabilities
Local Network Context
checknet records useful context about the host running the tool:
- Hostname
- Network interfaces and addresses
- DNS resolvers from
/etc/resolv.conf - Resolver health checks
- Linux route table when available
- Linux ARP cache when available
- Listening TCP and UDP sockets from
/proc/net - Public IP address lookup when reachable
This helps distinguish target-side evidence from local network or sandbox constraints.
Target Identification
Supported target forms:
- Domain name:
example.com - URL:
https://example.com/path - IP address:
1.1.1.1 - CIDR block:
192.0.2.0/24
URLs are normalized to their host. CIDR targets are summarized; checknet does
not perform CIDR-wide port sweeps.
DNS and DNSSEC
DNS collection includes:
- A
- AAAA
- PTR
- CNAME
- MX
- NS
- TXT
- SPF extraction
- DMARC extraction
- SOA
- CAA
- Common SRV records
- DNSSEC DS records
- DNSSEC DNSKEY records
Some records are collected through direct DNS wire queries to configured resolvers. If the operating system or sandbox blocks UDP sockets, the resolver check and direct DNS sources will report structured permission errors.
Ownership and Routing Intelligence
checknet enriches resolved IP addresses with:
- ASN
- Announced prefix
- Registry
- Country
- Allocation date
- ASN name
ASN data is collected through Team Cymru DNS services.
Passive Public Intelligence
For domain targets, checknet can collect and correlate passive public data:
- Certificate Transparency names from
crt.sh - HackerTarget hostsearch results
- urlscan public search results
- Internet Archive CDX history
- Shodan InternetDB data for resolved public IPs
- RDAP registration data
Passive data is treated as lead generation. It should be validated before being treated as proof of current exposure.
Asset Inventory
Domain runs produce an asset inventory built from:
- The root target
- Certificate Transparency names
- Public passive host sources
- DNS resolution
- ASN labels
- Name-based tags
Example tags include:
adminapici-cddatabaseidentityloggingmonitoringnon-prodremote-accesssource-control
Web Review
HTTP and HTTPS checks collect:
- Status code and final URL
- Redirect chain
- Page title
- Server and
X-Powered-Byheaders - Content type and sampled body size
- Security header presence
- Technology fingerprints
- Script references
- API, admin, auth, token, OAuth, and GraphQL hints
robots.txtsitemap.xml
TLS Review
TLS inspection on port 443 includes:
- TLS version
- Cipher suite
- Negotiated protocol
- Certificate subject
- Certificate issuer
- Validity window
- Days until expiry
- SAN DNS names and IP addresses
- SHA-256 certificate fingerprint
- Verification status and verification error
Optional Active Checks
Active checks are explicit.
Port checks use ordinary TCP connect attempts:
checknet --ports 22,80,443 example.com
Deep profile expands the default checked ports and requires authorization:
checknet --authorized --profile deep 192.0.2.10
Path tracing also requires authorization:
checknet --authorized --path example.com
checknet uses tracepath or traceroute if available.
Findings
The report starts with a summary and findings before raw evidence.
Findings currently cover:
- Sensitive services reported open by active checks
- Sensitive services reported by Shodan InternetDB
- Passive CVE leads from Shodan InternetDB
- TLS expiry and verification failures
- Missing SPF or DMARC on mail-enabled domains
- Missing CAA records
- Missing DNSSEC delegation evidence
- Missing important HTTP security headers
- Plain HTTP endpoints that do not redirect to HTTPS
- Sensitive asset name patterns
- Historical admin, login, API, auth, token, or GraphQL URLs
- Local services listening on all interfaces
- AbuseIPDB reputation scores
Findings include severity, category, title, evidence, and advice.
Error Handling
checknet is built to return partial evidence. A failed source should not
discard the rest of the report.
Errors are structured in JSON and annotated in text output:
stage: subsystem that failedseverity:info,warn,fatal, orcriticalkind: error class such astimeout,permission,dns,rate-limit,network,parse, orvalidationsource: source-specific context when availableretryable: whether retrying later or increasing timeout is likely usefulerror: original error texthint: operator guidance
Runtime panics are recovered and reported as critical tool errors so partial results can still be emitted.
Fatal or critical report errors cause a nonzero exit code after the report is printed.
Installation
Build From Source
git clone https://github.com/segaskid/checknet.git
cd checknet
go build -o checknet .
Run:
./checknet example.com
Run Without Installing
go run . example.com
Usage
checknet [flags] <ip|domain|url|cidr>
Common examples:
checknet example.com
checknet --profile passive example.com
checknet --format json example.com
checknet --json example.com
checknet --ports 22,80,443 1.1.1.1
checknet --authorized --path example.com
checknet --authorized --profile deep 192.0.2.10
ABUSEIPDB_KEY=... checknet --ports 80,443 example.com
Profiles
passive
Passive profile avoids direct HTTP and TLS checks against the target.
checknet --profile passive example.com
Includes local context, DNS, RDAP, passive public sources, ASN data, and reputation sources when configured.
standard
Default profile.
checknet example.com
Includes passive collection plus HTTP and TLS review.
deep
Expanded authorized profile.
checknet --authorized --profile deep example.com
Requires --authorized. Adds the broader built-in TCP port profile.
Important Flags
Output:
--format text
--format json
--json
Runtime:
--timeout 30s
--concurrency 64
--max-assets 100
--user-agent "checknet/0.5.0"
Source controls:
--no-dns
--no-rdap
--no-http
--no-tls
--no-ct
--no-archive
--no-internetdb
--no-public-intel
Active checks:
--ports 22,80,443
--ports 8000-8010
--authorized --path
--authorized --profile deep
Reputation:
--abuseipdb-key <key>
or:
ABUSEIPDB_KEY=<key> checknet example.com
Output
Text output is optimized for terminal review:
- Header and summary
- Findings
- Local context
- DNS and DNSSEC
- ASN and asset inventory
- Passive intelligence
- RDAP
- TLS
- HTTP
- Ports
- Reputation
- Notes and errors
JSON output contains the same evidence in structured form:
checknet --json example.com
Use JSON for automation, pipelines, archival, or diffing runs over time.
Exit Codes
0: report completed without fatal or critical errors1: report printed, but fatal or critical report errors were present2: command-line usage or flag validation error
Best-effort source failures such as rate limits, unavailable passive sources, or network timeouts are normally reported as warning errors and do not prevent other evidence from being returned.
Data Sources
Local:
- Network interfaces
/etc/resolv.conf/proc/net/route/proc/net/arp/proc/net/tcp/proc/net/tcp6/proc/net/udp/proc/net/udp6
Network and public sources:
- System DNS resolver
- Direct DNS queries to configured resolvers
- Team Cymru ASN DNS
crt.sh- HackerTarget hostsearch
- urlscan public search
- Internet Archive CDX
- Shodan InternetDB
- RDAP through
rdap.org - AbuseIPDB when an API key is provided
- Target HTTP/HTTPS services when enabled
- Target TLS service on port 443 when enabled
Safety Model
checknet separates passive enrichment from active checks.
Passive and public-source collection can still contact third-party services such
as crt.sh, urlscan, Internet Archive, RDAP, Team Cymru, and Shodan
InternetDB. Use the --no-* flags to disable sources that are out of scope for
an engagement.
Active target interaction includes:
- HTTP/HTTPS requests
- TLS handshakes
- TCP port checks
- Path tracing
Use active checks only where authorized.
Limitations
- Passive sources may be stale, incomplete, rate-limited, or unavailable.
- InternetDB CVEs are leads, not proof of exploitability.
- Technology fingerprints are heuristic.
- DNS results depend on the resolver and network where the tool runs.
- Some local context is Linux-specific.
- Sandboxes may block UDP, raw sockets, route inspection, or path tracing.
- CIDR targets are summarized;
checknetdoes not perform network-wide sweeps.
Development
Run tests:
go test ./...
If the default Go build cache is not writable in a sandboxed environment:
GOCACHE=/tmp/checknet-gocache go test ./...