replica of nmap that uses shodan's free API for scanning

  • By Somdev Sangwan
  • Last update: Jan 9, 2023
  • Comments: 12



passive Nmap like scanner built with shodan.io



Smap is a replica of Nmap which uses shodan.io's free API for port scanning. It takes the same command line arguments as Nmap and produces the same output, which makes it a drop-in replacement for Nmap.

Features

  • Scans 200 hosts per second
  • Vulnerability detection
  • Supports all nmap's output formats
  • Service and version fingerprinting
  • Makes no contact to the targets
  • Doesn't require any account/api key

Installation

go install -v github.com/s0md3v/smap/cmd/smap@latest

Usage

Smap takes the same arguments as Nmap but options other than -p, -h, -o*, -iL are ignored. If you are unfamiliar with Nmap, here's how to use Smap.

Specifying targets

smap -sV 127.0.0.1 127.0.0.2

You can also use a list of targets, separated by newlines.

smap -iL targets.txt

Supported formats

1.1.1.1         // IPv4 address
example.com     // hostname
178.23.56.0/8   // CIDR
1.1.1.12-87     // Range
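
A pre-flight check for a targets file, added here as an example (it is not Smap's own parser): it classifies each line by the four formats listed above, counts the addresses a CIDR or range covers, and rejects IPv6, which Smap cannot scan. The function names, the hostname pattern and the `max_addresses` limit are assumptions made for the example.

```python
import ipaddress
import re

# Last-octet range such as 1.1.1.12-87 (the "Range" form in the list above).
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})-(\d{1,3})$")
# Conservative hostname pattern (assumption): dot-separated labels, alphabetic TLD.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def classify_target(spec):
    """Return (kind, count); kind is ipv4, cidr, range, hostname, ipv6 or invalid."""
    spec = spec.strip()
    m = RANGE_RE.match(spec)
    if m:
        prefix, start, end = m.group(1), int(m.group(2)), int(m.group(3))
        try:
            ipaddress.IPv4Address(f"{prefix}.{start}")
            ipaddress.IPv4Address(f"{prefix}.{end}")
        except ValueError:
            return ("invalid", None)
        return ("range", end - start + 1) if start <= end else ("invalid", None)
    try:
        # strict=False accepts host bits in the network part, e.g. 178.23.56.0/8.
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return ("hostname", None) if HOST_RE.match(spec) else ("invalid", None)
    if net.version == 6:
        return ("ipv6", None)  # Smap cannot scan IPv6 (see Considerations)
    return ("cidr", net.num_addresses) if "/" in spec else ("ipv4", 1)


def audit_targets(lines, max_addresses=65536):
    """Return (spec, kind, count, accepted) per line; max_addresses is a hypothetical limit."""
    report = []
    for line in lines:
        if not line.strip():
            continue
        kind, count = classify_target(line)
        usable = kind in ("ipv4", "cidr", "range", "hostname")
        accepted = usable and (count is None or count <= max_addresses)
        report.append((line.strip(), kind, count, accepted))
    return report
```

Run over the sample formats above, the `/8` entry is reported as 16,777,216 addresses and is not accepted under the default limit.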

Output

SMap supports Nmap's 3 major output formats

smap example.com -oX output.xml

If you want to print the output to terminal, use hyphen (-) as filename.

Supported formats

oX    // xml
oG    // greppable format
oN    // nmap format
oA    // output in all 3 formats at once

Specifying ports

SMap scans these 1237 ports by default. If you want to display results for certain ports, use the -p option.

smap -p21-30,80,443 -iL targets.txt

Considerations

Since Smap simply fetches existing port data from shodan.io, it is super fast, but there's more to it. You should use Smap if:

You want

  • vulnerability detection
  • a super fast port scanner
  • results for most common ports (top 1237)
  • no connections to be made to the targets

You are okay with

  • not being able to scan IPv6 addresses
  • results being up to 7 days old
  • a few false negatives


Comments(12)

  • 1

    Released on aur

    Hi, I started maintaining the AUR for smap.

    Can be found here: https://aur.archlinux.org/packages/smap-git Source can be found here: https://github.com/b-reich/aur

    This could be referenced in the readme if you like. (I can open the PR)

  • 2

    Version string not matching with the release

    This should be bumped to 0.1.11 (better 0.1.12 because the source in the releases doesn't include this at the moment) https://github.com/s0md3v/Smap/blob/5775197d4407ebf24dff0d87b1c8ca9015e420eb/internal/global/variables.go#L35

  • 3

    Smap not found [linux]

    Hello,

    When we set up the tool, it seems it still wasn't installed correctly. Go is installed and confirmed working.

    $ go version
    go version go1.17.8 linux/amd64

    sudo go install -v github.com/s0md3v/smap/cmd/[email protected]

    result:

    smap
    bash: smap: command not found

  • 4

    Renaming module will break the build

    The module name change from github.com/s0md3v/smap will cause an error with the require statement:

    go install -v github.com/s0md3v/smap/cmd/[email protected]
    go.mod:
            module declares its path as: smap
                    but was required as: github.com/s0md3v/smap
    

    By the way, I checked out your v.0.1.1 and there is still the mismatched tag problem in the XML output. The port tag is not closed if no service string is found. Can it be you built the releases with the wrong checkout?

  • 5

    Update xml.go

    XML output cannot be parsed by e.g. python. Double "product" element and in case shodan fails to deliver a service string, the port tag is not closed.
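
An added example, not part of the comments above or of the project's code: a loader for Nmap-style XML that rejects a malformed file outright and reports where parsing stopped, shown against the two defects described in comments 4 and 5. The sample documents are constructed, and it is assumed that the doubled "product" is the `product` attribute of `<service>`, as in Nmap's XML layout.

```python
import xml.etree.ElementTree as ET
from xml.parsers.expat import ErrorString

# Constructed sample in Nmap's XML layout (not real Smap output).
GOOD = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="53"><state state="open"/></port>
</ports></host></nmaprun>"""
# Defect 1 from the reports above: the product attribute is written twice.
DUP_PRODUCT = GOOD.replace('product="nginx"', 'product="nginx" product="nginx"')
# Defect 2: a <port> with no service string is never closed.
UNCLOSED_PORT = GOOD.replace('<state state="open"/></port>\n</ports>',
                             '<state state="open"/>\n</ports>')


def load_ports(xml_text):
    """Return (rows, error): rows are (addr, port, service, product) tuples."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position
        # Reject the whole file: partial results would hide open ports.
        return [], f"{ErrorString(exc.code)} at line {line}, column {col}"
    rows = []
    for host in root.iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else None
        for port in host.iter("port"):
            svc = port.find("service")  # absent when no service string is known
            name = svc.get("name") if svc is not None else None
            product = svc.get("product") if svc is not None else None
            rows.append((addr, int(port.get("portid")), name, product))
    return rows, None
```

A pipeline that feeds scan XML into an asset inventory or alerting system can call `load_ports` and treat a non-empty error as a failed import rather than an empty scan result.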

  • 6

    [Question] Smap display cve

    Hi,

    With Nmap, if I use vulners scripts, I can have a possible CVE list that permits me to know if my system has a CVE not patched.

    the following nmap command is: nmap -sV --script vulners

    With Smap, is it possible to have the result in order to know active CVEs on network/hosts? If yes, what is the command to execute?

    Thank you Best regards Anthony

  • 7

    add port format A-B

    -p arg can accept A-B format port now

    ./smap 80,90,1-443 1.1.1.1
    Starting Nmap 9.99 ( https://nmap.org ) at 2022-10-19 17:22 CST
    Nmap scan report for one.one.one.one (1.1.1.1)
    Host is up.
    
    PORT    STATE SERVICE  VERSION
    53/tcp  open  domain?  
    80/tcp  open  http?    
    443/tcp open  https?   
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
    
  • 8

    Improper Signature Verification - [VULNERABILITY FIX]

    Affected versions of this package are vulnerable to Improper Signature Verification. An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.

  • 9

    Smap not found [windows]

    C:\Users\user>smap
    'smap' is not recognized as an internal or external command,
    operable program or batch file.
    
    C:\Users\user>smap.exe
    'smap.exe' is not recognized as an internal or external command,
    operable program or batch file.
    
  • 10

    feature

    Can we print output like

    example.com:80 example.com:443 example.com:8080 example.com:8888

    sub.example.com:80 sub.example.com:443 sub.example.com:8080 sub.example.com:8888

  • 11

    github actions ci/cd

    This PR allows GitHub Actions to use goreleaser to automatically build Release binaries for you.

    Notes:

    • This only occurs when a tag is created with a command set like:
    CURRENT=1.0.1
    git tag -a "v${CURRENT}" -m "releasing version ${CURRENT}"
    git push origin "v${CURRENT}"
    
    • This also creates a draft release which allows you to review it before publishing to a full release.
  • 12

    Host is up.

    Hi, when running smap with just one target it worked perfectly. Then I tried smap -iL ips.txt and all the results were "Host is up." so I tried again with just one target and now I get no results other than "Host is up."