Skip to main content

Black-box service discovery, classification, and adaptive scan routing

Project description

Driftmux logo

PyPI Version Python Version CI License

Black-box service discovery, classification, and adaptive scan routing


Driftmux is a black-box auditing tool focused on service discovery, classification, and adaptive scan routing.

It starts by probing a target surface, identifies exposed services and technologies, and then routes each finding to the most suitable scanner. Instead of treating every host the same way, Driftmux adapts its scanning workflow based on what it discovers.

For example:

  • generic network discovery with Nmap
  • web and exposed service vulnerability checks with Nuclei
  • WordPress-specific assessment with Plecost

Driftmux is designed as an orchestrator, not as a monolithic scanner.


Features

  • Black-box service discovery
  • Technology-aware scan routing
  • Structured output for automation and CI
  • Multiple output formats
  • Modular scanner integration
  • Lightweight CLI workflow
  • Extensible architecture for new service detectors and scanners

Why driftmux?

Many security tools are powerful but noisy. driftmux focuses on orchestration and correlation: it uses existing tools, normalizes their output and decides what should run next.

Feature driftmux Raw Nmap Raw Nuclei Full scanners
Service discovery Yes Yes No Yes
Version/CPE parsing Yes Yes No Yes
Vulnerability enrichment Yes No Template-based Yes
Targeted Nuclei execution Yes No Manual Varies
Scan planning Yes No No Varies
Lower-noise profiles Yes Manual Manual Varies
Structured final report Yes XML/text JSONL/text Varies
Lightweight and scriptable Yes Yes Yes Often heavier

driftmux is not a replacement for Nmap, Nuclei or dedicated scanners. It is a thin coordination layer that makes them easier to combine.

How it works

Driftmux follows a simple pipeline:

  1. Discover exposed ports and services
  2. Classify detected applications and technologies
  3. Route targets to specialized scanners
  4. Aggregate findings into a common data model
  5. Render results as console output, JSON, CSV, or Markdown

Example routing logic:

  • WordPress detected → Plecost
  • HTTP/HTTPS services detected → Nuclei
  • Generic open ports detected → Nmap fingerprints

Installation

Requirements

  • Python 3.10+
  • nmap
  • nuclei
  • plecost

Clone the repository

git clone https://github.com/<your-user>/driftmux.git
cd driftmux

Install the Python package

python3 -m venv .venv
source .venv/bin/activate
pip install -e .

External tools

Depending on the features you use, install Nmap:

sudo apt install nmap

Nuclei and Plecost are optional, but required for their respective checks.

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
pip install plecost

Optional OpenStack support

OpenStack auditing requires openstacksdk:

pip install openstacksdk

Usage

Basic scan:

driftmux --host example.org

Scan a specific IP:

driftmux --host 205.87.65.183

Scan known ports:

driftmux --host example.org --ports 80,443,8443

Run with NVD enrichment:

driftmux --host example.org \
  --vuln-backend nvd \
  --min-cvss 7.0

Run a fast profile:

driftmux --host example.org --profile fast

Run a passive profile:

driftmux --host example.org --profile passive

OpenStack Neutron security group audit

Driftmux can audit OpenStack Neutron security groups to detect public exposure of critical ports without accessing the guest virtual machines.

This mode queries the OpenStack API and analyses Neutron security group rules. It is useful for cloud administrators who want to detect risky network exposure at the OpenStack layer.

Example:

driftmux --openstack-sg-audit --os-cloud admin --format markdown

## Example output

```text
$ driftmux --host 205.87.65.183  --profile passive   --vuln-backend nvd   --min-cvss 7.0
[205.87.65.183]
Services: 1 | Findings: 4 | Errors: 1
  - 22/tcp     ssh          OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 [ssh]
  * CRITICAL nvd: CVE-2008-3844 affects OpenSSH
  * HIGH nvd: CVE-2024-6387 affects OpenSSH
  * HIGH nvd: CVE-2026-35385 affects OpenSSH
  * HIGH nvd: CVE-2023-51767 affects OpenSSH

Saved report to reports/driftmux-report.json

Scan profiles

Profile Purpose Active checks
passive Conservative discovery and enrichment No
passive + NVD Conservative discovery and enrichment Yes
fast Practical day-to-day checks Limited
deep Broader authorized assessment More extensive

Use passive for low-noise review, fast for regular checks and deep only when you have explicit authorization for a more complete assessment.


Roadmap

Planned or possible improvements:

  • OS detection support from Nmap XML;
  • clearer handling of tcpwrapped services;
  • improved Nuclei target planning;
  • richer JSON and HTML reports;
  • optional SARIF export;
  • better test coverage for planners and scanners.

Disclaimer

driftmux is provided for defensive and authorized security work only. You are responsible for complying with all applicable laws, regulations and rules of engagement.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

driftmux-1.1.1.tar.gz (37.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

driftmux-1.1.1-py3-none-any.whl (37.3 kB view details)

Uploaded Python 3

File details

Details for the file driftmux-1.1.1.tar.gz.

File metadata

  • Download URL: driftmux-1.1.1.tar.gz
  • Upload date:
  • Size: 37.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for driftmux-1.1.1.tar.gz
Algorithm Hash digest
SHA256 c88e25095cfb56b8a27b44332306b63b52200a3dd8f2c4e94d853fb3662ff415
MD5 03b9cfd096a6591787371b51dfb30e91
BLAKE2b-256 e5663e821acf5d0568868fee7925099569b9a3616457031ebaea2bfb7e52ee23

See more details on using hashes here.

Provenance

The following attestation bundles were made for driftmux-1.1.1.tar.gz:

Publisher: pypi-publish.yml on aidaph/driftmux

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file driftmux-1.1.1-py3-none-any.whl.

File metadata

  • Download URL: driftmux-1.1.1-py3-none-any.whl
  • Upload date:
  • Size: 37.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for driftmux-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 cd3cb46d1180986381229cff382e8abcecf782bdcfc404b25192fb028b3a6fb1
MD5 de7cfe0490ed25d7b4eeeec625cba322
BLAKE2b-256 eaddea1750ccb5a7752317de8cfb457044e52f65077f59968e3673200fd28e56

See more details on using hashes here.

Provenance

The following attestation bundles were made for driftmux-1.1.1-py3-none-any.whl:

Publisher: pypi-publish.yml on aidaph/driftmux

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page