Introducing Graphēon
"Network enumeration shouldn't require a PhD in Visio. So I built something."
Long time, no post! (I know, I know.)
So. You're a blue teamer, or a red teamer, or maybe just the person in the room who got volun-told to "map out the network." You fire up nmap, run some scans, maybe throw in some arp -a and netstat output for good measure. And then... you stare at a wall of XML, CSV, and text output trying to mentally correlate which hosts talk to which other hosts, what services are where, and how it all fits together.
Sound familiar?
The Conversation
This project started, as many things do, with a conversation with a co-worker. We were talking about the struggle of building a network map when you're enumerating a new environment. Whether you're on the defensive side trying to understand what you're protecting, or on the offensive side trying to figure out what's interesting - the problem is the same:
You have multiple tools generating multiple outputs in multiple formats, and somehow you need to correlate all of that into something resembling a coherent picture of the network.
The typical workflow looks something like this:
- Run nmap scans
- Maybe grab some netstat output from hosts you have access to
- Throw in some arp tables
- Possibly a traceroute or two
- Open up Visio, draw.io, or (even better?) a whiteboard
- Manually start connecting dots
And by "connecting dots" I mean squinting at IP addresses across 14 terminal tabs and praying you don't accidentally mistype 192.168.1.14 as 192.168.1.41 in your diagram.
Has anyone actually enjoyed this process? Ever?
Enter Graphēon
Graphēon is a tool designed to help quickstart the network enumeration process using standard tooling and correlation. The idea is simple: you feed it the output from tools you're already using - nmap, netstat, arp, ping, traceroute, pcap - and it normalizes, tags, and correlates that data into an interactive network graph.
No more copy-pasting IP addresses between terminal windows. No more manually drawing boxes in Visio at 2am.
The stack is FastAPI + SQLite on the backend and Vite + React on the frontend. Python 3.12. Nothing exotic, nothing that requires a cluster of 47 microservices to deploy.
What it does
- Ingests scan outputs from nmap, netstat, arp, ping, traceroute, and pcap files
- Normalizes the data - because every tool has its own special way of reporting the same information
- Tags entities and correlates related hosts across different scan sources
- Visualizes the resulting topology as an interactive network graph
- Exports to GraphML (for Gephi, yEd, Cytoscape) or draw.io format
That last point is important. Graphēon isn't trying to replace your favorite graph tool. It's trying to get you from "pile of scan data" to "usable network map" as fast as possible, and then let you take that map wherever you need it.
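The normalize-and-correlate step described above, as an added example (not Graphēon's own code): it merges constructed nmap XML, `arp -a` and netstat samples into per-IP host records and connection edges, and flags an IP whose MAC differs between sources. The function names and record layout are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample tool output (not real scan data).
NMAP_XML = """<nmaprun><host><status state="up"/>
<address addr="192.168.1.14" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:14" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host></nmaprun>"""
ARP_A = """? (192.168.1.14) at aa:bb:cc:0:0:14 on en0 ifscope [ethernet]
? (192.168.1.41) at aa:bb:cc:0:0:41 on en0 ifscope [ethernet]
? (192.168.1.99) at (incomplete) on en0 ifscope [ethernet]"""
NETSTAT = "tcp  0  0  192.168.1.41:51514  192.168.1.14:22  ESTABLISHED"
IP = r"(\d+(?:\.\d+){3})"

def norm_mac(mac):
    """Lowercase, colon-separated, zero-padded octets (tools print MACs differently)."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))

def correlate(nmap_xml, arp_text, netstat_text):
    hosts = defaultdict(lambda: {"mac": None, "ports": {}, "sources": set()})
    conflicts, edges = [], set()
    for h in ET.fromstring(nmap_xml).iter("host"):  # use defusedxml for untrusted files
        addrs = {a.get("addrtype"): a.get("addr") for a in h.iter("address")}
        if "ipv4" not in addrs:
            continue
        rec = hosts[addrs["ipv4"]]
        rec["sources"].add("nmap")
        if "mac" in addrs:
            rec["mac"] = norm_mac(addrs["mac"])
        for p in h.iter("port"):
            if p.find("state").get("state") == "open":  # keep open ports only
                svc = p.find("service")
                rec["ports"][int(p.get("portid"))] = svc.get("name") if svc is not None else "unknown"
    for ip, mac in re.findall(r"\(" + IP + r"\) at ([0-9A-Fa-f:-]+)", arp_text):
        rec = hosts[ip]
        rec["sources"].add("arp")
        if rec["mac"] and rec["mac"] != norm_mac(mac):
            conflicts.append(ip)  # same IP, different MAC across sources
        rec["mac"] = rec["mac"] or norm_mac(mac)
    for m in re.finditer(IP + r":(\d+)\s+" + IP + r":(\d+)\s+ESTABLISHED", netstat_text):
        src, _, dst, dport = m.groups()
        for ip in (src, dst):
            hosts[ip]["sources"].add("netstat")
        edges.add((src, dst, int(dport)))  # local -> foreign, as netstat prints it
    return dict(hosts), edges, conflicts
```

An IP that lands in `conflicts` is worth a second look before it goes on the map: it can mean a stale ARP cache, a re-used address, or two devices answering for the same IP.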
Why the name?
Naming is hard. So I asked my good friend Claude for some help, after throwing a bunch of ideas at it. The name evokes graphing and mapping. The project fuses disparate network signals into a coherent graph of hosts, edges, and topology. Also, it sounds cool and the domain wasn't taken. (Priorities.)
Getting Started
Graphēon runs as two Docker containers - a backend and a frontend. The frontend proxies /api requests to the backend. Deployment is pretty straightforward:
# Pull images
docker pull ghcr.io/badgerops/grapheon-backend:latest
docker pull ghcr.io/badgerops/grapheon-frontend:latest

# Run backend
docker run -d --name grapheon-backend \
  -p 8000:8000 \
  -v grapheon-data:/app/data \
  -e JWT_SECRET="$(openssl rand -hex 32)" \
  -e LOCAL_ADMIN_USERNAME=admin \
  -e [email protected] \
  -e LOCAL_ADMIN_PASSWORD=changeme \
  ghcr.io/badgerops/grapheon-backend:latest

# Run frontend
docker run -d --name grapheon-frontend \
  -p 8080:8080 \
  --link grapheon-backend:grapheon-backend \
  ghcr.io/badgerops/grapheon-frontend:latest
Hit http://localhost:8080 and you're in business.
(And yes, please change the default password. I've learned a thing or two about hard-coded creds.)
It also supports OIDC authentication with Okta, Google, GitHub, GitLab, and Authentik if you want proper multi-user RBAC. Check out docs/auth_provider.md in the repo for that setup.
Current State & What's Next
Graphēon is currently at v0.8.x - it's usable, it's useful, but it's not "done" (is any project ever done?). There are open issues and plenty of room for improvement.
If you're someone who regularly deals with network enumeration - whether as a pen tester, SOC analyst, incident responder, or that one infra person who inherited a network with zero documentation - give it a spin. File issues. Submit PRs. Tell me what's broken.
The project is BSD-2-Clause licensed, because sharing is caring.
The TL;DR
Network enumeration produces a lot of data from a lot of tools. Graphēon takes that data and turns it into a network graph so you can stop playing "human correlator" and start actually analyzing your network.
Check it out: https://github.com/BadgerOps/grapheon
-BadgerOps