- Interactive Setup Wizard: A guided console UI for operators who prefer prompts over flags. Pick a profile (aggressive/normal/stealth) for a short guided flow, or choose custom to unlock the full CLI surface — scan type (incl. UDP/idle + zombie), host discovery, deep recon (`-sV`/`-O`/`-sC`/`--script`), pivoting (`--pivot`/`--ssh-opt`), the evasion suite, reporting/output formats, and the AI model. Every prompt carries an inline example.
- Advanced Evasion Engine: Every packet is unique. ME262 randomizes TTL, TCP Window Size, IP ID, and shuffles TCP Options (MSS, SackOK, WScale) to defeat signature-based detection.
- Full Evasion Suite: App-Layer Spoofing (HTTP/TLS/DNS), Full Connect scans, real SSL/TLS handshakes, Proxy Routing, IP Fragmentation (MTU), decoy scanning, source IP/MAC spoofing, custom TTL, IP options, and bad TCP checksums.
- Closed AI Control Loop: The AI analyst can now actually enact what it recommends — it adjusts the full evasion surface (rate, timing, fragmentation, app-spoofing, proxy, decoys, TTL, checksums …), all validated before being applied.
- Adaptive Detection-Rate Controller: Tracks the live detection rate (alerts ÷ probes over a sliding window) and, when it crosses a configurable threshold, automatically walks an escalating ladder of stealth adjustments — a real No-AI fallback that adapts instead of just pausing.
- Auto-Evade Mode: `--auto-evade` lets the scanner converge on a quiet configuration on its own, with no operator prompts.
- Pluggable IDS Backends: Run against Suricata behind a single interface — with Snort and Zeek available as experimental backends. Suricata is the fully validated default; Snort/Zeek are implemented but require extra configuration and have not yet been validated end-to-end (see IDS Evaluation & Evasion).
- Evasion Memory: Persists which parameter sets triggered which signatures across runs and feeds that history back to the AI analyst.
- Recon Depth: Optional banner/version grabbing on open ports.
- Multi-Target & CIDR/IPv6: Scan a single host, a comma-separated list, or a whole `10.0.0.0/24` range (IPv4 and IPv6).
- Session Reporting: Export JSON/CSV results plus an after-action evasion debrief with `--export`.
- AI-Powered Analyst: Powered by Ollama, the built-in AI analyst reads live IDS logs and provides strategic advice on how to adjust parameters to remain stealthy.
- Stealth SYN Scanning: High-performance, half-open scanning that evades kernel-level connection logging.
- Tunable Scan Profiles: Flip the entire timing/port/timeout posture with a single flag — `-f` (aggressive), `-n` (normal), or `-s` (stealth) — or override the scan rate (`-r`) and per-probe timeout (`--timeout`) directly.
- Flexible Port Selection: Pick how ports are chosen with `-p` — a strategy (`top` well-known ports, a `random` sample, a `sequential` 1–1024 sweep, or a `weighted` mix of top + random high ports) or an explicit nmap-style spec such as `22,80,443,1-1024,8000-8100`, or `-` for all 65535. Custom ports are probed in randomized order by default; add `--in-order` for a sorted sweep.
- Operational Controls: Quiet output that shows only open ports and IDS alerts (`-q`), explicit sniff/send interface selection (`-I`), and independent toggles to run without the AI analyst (`--disable-ai`) or without IDS monitoring (`--disable-ids`).
- nmap-Compatible CLI: Drop-in nmap flags — scan-type selectors (`-sS`/`-sF`/`-sN`/`-sX`/`-sA`/`-sW`/`-sM`, `-sU`, `-sI`), host discovery (`-sn`/`-Pn`), timing templates (`-T0`–`-T5`), fast/top-ports (`-F`, `--top-ports`), and deep-recon flags (`-sV`/`-O`/`-sC`/`--script`) all parse the way nmap users expect.
- Native Stealth Scan Types: SYN, FIN, NULL, Xmas, ACK, Window, and Maimon scans, plus native UDP (`-sU`) and a native idle/zombie scan (`-sI ZOMBIE`) for source-anonymous reconnaissance — all driven by ME262's raw evasion engine.
- Two-Phase Recon (delegates to nmap): Phase 1 is ME262's native stealth sweep; Phase 2 optionally hands the discovered open ports to the real `nmap` binary for service/version/OS/NSE detection — nmap's 25-year database without ME262 reinventing it.
- Pivoting & Tunneling: Route scans through a SOCKS/HTTP proxy chain or a managed `ssh -D` tunnel with `--pivot` (e.g. `--pivot ssh://user@jump:22`), so traffic emerges from an exit hop instead of your real IP.
- Adaptive Escalation Ladder: Under `--auto-evade`, once parameter tuning is exhausted and detection persists, ME262 escalates the scan mode itself — restarting through the pivot, then as an idle scan — or on the operator's `escalate` command.
- nmap-Compatible Output: Write results as nmap XML (`-oX`), normal text (`-oN`), or both (`-oA`), merging the native Phase-1 findings with Phase-2 service/OS data so the XML drops straight into nmap-aware tooling.
ME262 is "nmap, in its own way": it keeps nmap's CLI and scan types, does the stealth natively, and delegates the database-heavy work to the real nmap.
- Phase 1 — Native stealth sweep. ME262's raw engine runs the chosen scan type (SYN / FIN / NULL / Xmas / ACK / Window / Maimon / UDP / idle) under the AI + IDS adaptive evasion loop and produces the open-port map. This is ME262's edge — per-packet evasion, decoys, spoofing, fragmentation, and the detection-rate controller.
- Phase 2 — Deep recon (opt-in). When you request version/OS/script detection (`-sV`/`-O`/`-sC`/`--script`), ME262 shells out to the real `nmap`, targeted only at the open ports Phase 1 found — so you get nmap's curated service/OS/NSE databases without ME262 trying to out-build 25 years of them.
--pivot routes both phases through a SOCKS/HTTP chain or a managed ssh -D tunnel (Phase 1 degrades to a TCP-connect scan from the exit hop). Through a pivot, Phase 2 is wrapped in proxychains and fails closed — it refuses to run rather than leak your real IP — and -O is skipped (raw OS-fingerprinting can't cross a proxy). The idle scan (-sI ZOMBIE) is the no-tunnel path to source anonymity, bouncing probes off a qualified zombie host.
- Packet Crafting: Scapy (Raw L3/L4 Injection)
- Deep Recon: the real `nmap` binary (Phase 2 service/version/OS/NSE), behind a swappable backend
- Pivoting: SOCKS/HTTP proxy chains (PySocks / proxychains-ng) and `ssh -D` tunnels
- IDS Engines: Suricata (validated) / Snort / Zeek (experimental) — Interface Monitoring
- AI Analyst: Ollama (local LLM HTTP API)
Ensure you have the following installed on your Kali Linux (or any Debian-based system):
```bash
sudo apt update && sudo apt install suricata nmap proxychains4 python3-pip -y
curl -fsSL https://ollama.com/install.sh | sh
```

`nmap` powers Phase-2 deep recon (`-sV`/`-O`/`-sC`/`--script`); `proxychains4` is required only for pivoted Phase-2 recon (`--pivot`), and `ssh` for `ssh://` pivot hops. ME262 still runs without them — Phase 1 and native scan types are self-contained.

```bash
git clone https://github.com/dasokkk/ME262.git
cd ME262
pip install -r requirements.txt
```

```bash
sudo python src/main.py
```

Note: ME262 requires root privileges to craft raw packets and interface with Suricata.
By default, ME262 is configured to use the f0rc3ps/nu11secur1tyAI:latest model, which is specifically fine-tuned for cybersecurity tasks.
If you wish to use a different model (e.g., llama3, mistral, or gemma), you can easily change it in the `config.json` file:

```json
"ai": {
  "model": "your-preferred-model",
  "base_url": "http://localhost:11434"
}
```

ME262 includes a "Paranoid Mode" in `config.json` that enables custom high-sensitivity rules. This allows researchers to test their scanning techniques against expert-level IDS configurations.

```json
"ids": {
  "engine": "suricata",
  "use_custom_rules": true,
  "time_window": 10.0,
  "detection_threshold": 0.45,
  "snort_config": null,
  "zeek_scripts": []
}
```

- `engine` — choose `suricata`, `snort`, or `zeek` (or pass `--ids-engine`). Suricata is the validated default. Snort and Zeek are experimental: Snort needs a config (`snort_config`) to load any rules, and Zeek needs a scan-detection script (`zeek_scripts`) or it will not raise any notices. Neither has been validated end-to-end yet.
- `use_custom_rules` — load ME262's bundled high-sensitivity rules. Stock Suricata/ET rules are tuned for noisy, multi-host activity and often won't flag a single-host stealth scan, so enable this to actually exercise the adaptive controller and the escalation ladder against one target.
- `time_window` / `detection_threshold` — drive the adaptive controller. When `alerts ÷ probes` over the window exceeds the threshold, the No-AI fallback (and `--auto-evade`) escalate evasion automatically.
Note
If the IDS loop never pauses to adapt, it usually means nothing tripped — a low-and-slow scan against a single host won't fire default rules. Set use_custom_rules: true (or scan a busier target) to see detection → pause → adapt → resume.
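
Detecting the single-host, low-and-slow case that the note says default rules miss, as an added example (not ME262 code): it labels unsolicited TCP packets by the flag patterns of the scan types listed above and counts distinct destination ports per source over a long window. The record layout, thresholds, function names and addresses are assumptions made for the illustration.

```python
from collections import Counter, defaultdict, deque

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20  # TCP header flag bits

# Flags of an unsolicited packet -> scan type named in the README.
# ACK and Window scans both send a bare ACK, so they share one label.
SCAN_FLAGS = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "Xmas",
              FIN | ACK: "Maimon", ACK: "ACK/Window", SYN: "SYN"}


def classify(flags):
    """Return the scan type these TCP flags suggest, or None."""
    return SCAN_FLAGS.get(flags & 0x3F)


def slow_scan_sources(packets, window=3600.0, min_ports=5):
    """Map (src, dst) -> (distinct ports, scan types) for pairs that probed at
    least min_ports distinct ports within any `window` seconds.

    packets: (ts, src, dst, dport, flags) tuples for packets that were not part
    of an established connection (assumed to be pre-filtered by the sensor).
    """
    recent = defaultdict(deque)    # (src, dst) -> probes still inside the window
    ports = defaultdict(Counter)   # (src, dst) -> per-port probe count in window
    findings = {}
    for ts, src, dst, dport, flags in sorted(packets):
        kind = classify(flags)
        if kind is None:
            continue
        key = (src, dst)
        recent[key].append((ts, dport, kind))
        ports[key][dport] += 1
        while recent[key][0][0] < ts - window:   # expire probes older than window
            _, old_port, _ = recent[key].popleft()
            ports[key][old_port] -= 1
            if ports[key][old_port] == 0:
                del ports[key][old_port]
        seen = len(ports[key])
        if seen >= min_ports and seen > findings.get(key, (0,))[0]:
            findings[key] = (seen, sorted({k for _, _, k in recent[key]}))
    return findings


# Constructed sample: one FIN probe every 120 s against six ports, plus an
# ordinary client opening port 443 twenty times.
SAMPLE = [(i * 120.0, "192.0.2.10", "198.51.100.5", p, FIN)
          for i, p in enumerate([22, 80, 443, 3389, 8080, 445])]
SAMPLE += [(i * 30.0, "192.0.2.20", "198.51.100.5", 443, SYN) for i in range(20)]

if __name__ == "__main__":
    print("1 h window:", slow_scan_sources(SAMPLE))
    print("10 s window:", slow_scan_sources(SAMPLE, window=10.0))
```

With the one-hour window the paced FIN probes are reported; with a 10-second window the same traffic produces no finding, which is the gap a burst-oriented threshold leaves.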
by dasokk
- GitHub: dasokkk

| Approach | Argument |
|---|---|
| Hide a scan with decoys | -D DECOY_IP1,DECOY_IP2,ME |
| Hide a scan with random decoys | -D RND,RND,ME |
| Route connections through proxies | --proxy socks5://127.0.0.1:9050 |
| Spoof source MAC address | --spoof-mac MAC_ADDRESS |
| Spoof source IP address | -S IP_ADDRESS |
| Use a specific source port number | -g PORT_NUM |
| Set TTL | --ttl VALUE |
| Set IP Options | --ip-options HEX_STRING (e.g. \x01\x07) |
| Use a bad TCP checksum | --badsum |
| Spoof app-layer payloads | --spoof-app |
| Full TCP handshake (connect) | --full-connect |
| Real SSL/TLS handshake | --ssl-scan |
| Fragment packets | --mtu 16 |
| Grab banners / versions | --banner-grab |
| Auto-adapt on detection | --auto-evade |
| Choose IDS backend | --ids-engine {suricata,snort,zeek} (snort/zeek experimental) |
| Choose a scan profile | -f (aggressive) · -n (normal) · -s (stealth) |
| Select a port strategy | -p {top,random,sequential,weighted} |
| Scan an explicit port set | -p 22,80,443 · -p 1-1024 · -p - (all) |
| Scan custom ports in sorted order | --in-order |
| Set the scan rate (probes/sec) | -r RATE |
| Set the per-probe timeout | --timeout SECONDS |
| Pick the sniff/send interface | -I IFACE |
| Quiet output (open ports + alerts only) | -q |
| Export reports | --export PREFIX |

| Capability | Flag |
|---|---|
| TCP scan types | -sS (SYN) · -sF (FIN) · -sN (NULL) · -sX (Xmas) · -sA (ACK) · -sW (Window) · -sM (Maimon) |
| UDP scan | -sU |
| Idle / zombie scan (source-anonymous) | -sI ZOMBIE[:PORT] |
| Host discovery (ping sweep only) | -sn |
| Skip host discovery | -Pn |
| Fast scan (top 100 ports) | -F |
| Scan the N most common ports | --top-ports N |
| Timing templates | -T0 … -T5 |
| Service / version detection (Phase 2) | -sV |
| OS detection (Phase 2) | -O |
| Default NSE scripts (Phase 2) | -sC |
| Run specific NSE scripts (Phase 2) | --script SPEC |
| Version-detection intensity | --version-intensity 0-9 |
| Aggressive — -sV -O -sC (Phase 2) | -A |
| Pivot through a proxy / ssh chain | --pivot socks5://h:p · --pivot ssh://user@jump:22 |
| Extra ssh options for ssh pivots | --ssh-opt KEY=VALUE |
| Write nmap XML output | -oX FILE |
| Write nmap normal (text) output | -oN FILE |
| Write XML + normal output | -oA BASE |
Note
Two-phase routing: native scan types run in Phase 1; the (Phase 2) flags delegate to the real nmap binary, targeted only at the open ports Phase 1 found. -oX/-oN/-oA merge both phases into one nmap-compatible document.
Note
IP Options: One of the IP header fields is the IP Options field. ME262 lets you control it with --ip-options HEX_STRING, where each byte is written as \xHH (two hexadecimal digits per byte).
This tool is intended for educational purposes and authorized security research only. Unauthorized scanning of networks you do not own is illegal and unethical.