Smap is a port scanner built with shodan.io's free API. It takes same command line arguments as Nmap and produces the same output which makes it a drop-in replacament for Nmap.
- Scans 200 hosts per second
- Doesn't require any account/api key
- Vulnerability detection
- Supports nmap's output formats
- Service and version fingerprinting
- Makes no contact to the targets
- Optional active verification with nmap
You can download a pre-built binary from here and use it right away.
go install -v github.com/s0md3v/smap/cmd/smap@latest
Confused or something not working? For more detailed instructions, click here
Smap is available on AUR as smap-git (builds from source) and smap-bin (pre-built binary).
Smap is also avaible on Homebrew.
brew update
brew install smap
Smap takes the same arguments as Nmap but options other than -p, -h, -o*, -iL, --concurrency, --append-output, --active are ignored. If you are unfamiliar with Nmap, here's how to use Smap.
smap 127.0.0.1 127.0.0.2
You can also use a list of targets, seperated by newlines.
smap -iL targets.txt
Supported formats
1.1.1.1 // IPv4 address
example.com // hostname
178.23.56.0/8 // CIDR
1.1.1.1-20 // IPv4 range
Smap supports 6 output formats which can be used with the -o* as follows
smap example.com -oX output.xml
If you want to print the output to terminal, use hyphen (-) as filename.
Supported formats
oX // nmap's xml format
oG // nmap's greppable format
oN // nmap's default format
oA // output in all 3 formats above at once
oP // IP:PORT pairs seperated by newlines
oS // custom smap format
oJ // json
Note: Since Nmap doesn't scan/display vulnerabilities and tags, that data is not available in nmap's formats. Use
-oSto view that info.
Smap scans these ~4000 ports by default. If you want to display results for certain ports, use the -p option.
smap -p21-30,80,443 -iL targets.txt
Use --active to make Smap verify passive hits with your local nmap. It will first collect passive hits from InternetDB and then run nmap only on the hosts and ports it found open.
smap --active -Pn -sV --version-light 1.1.1.1
This mode forwards nmap-compatible flags to nmap and keeps Smap-specific ones for itself. -oS, -oJ and -oP are supported with --active only when they write to a file, not stdout.
If you use NSE scripts, -oJ and -oX keep the structured script data.
This can save time if passive data is good enough for your use case.
Smap defaults to 3 workers to avoid hitting Shodan too aggressively. You can change that with --concurrency.
smap --concurrency 5 -iL targets.txt
Since Smap simply fetches existent port data from shodan.io, it is super fast but there's more to it. You should use Smap if:
- vulnerability detection
- a super fast port scanner
- no connections to be made to the targets
- not being able to scan IPv6 addresses
- results being up to 7 days old
- some rare unreliable software detection when not using
--active
Note: if you use
--active, Smap will runnmapagainst the target and make active connections.