Smap - A drop-in replacement for Nmap powered by shodan.io

GitHub Repository: https://github.com/s0md3v/Smap

Introduction

Smap is an open-source port scanning tool developed by Somdev Sangwan (s0md3v) that serves as a lightweight, passive alternative to Nmap. By leveraging Shodan.io's free API, Smap fetches pre-existing port data, making it significantly faster than traditional active scanning tools. Designed as a drop-in replacement for Nmap, it supports identical command-line arguments and output formats, allowing users familiar with Nmap to adopt it seamlessly. Below, we explore Smap’s features, installation, usage, and use cases, drawing from its official GitHub repository and related sources.

Key Features of Smap

Smap is built for speed, efficiency, and ease of use, particularly in reconnaissance tasks for bug bounty hunting, penetration testing, or network security assessments. Its standout features include:

  • High-Speed Passive Scanning: Smap retrieves port data directly from Shodan.io, enabling it to scan up to 200 hosts per second without directly interacting with target systems, reducing the risk of detection.

  • Nmap Compatibility: It mirrors Nmap’s command-line syntax and supports output formats like XML (-oX), greppable (-oG), default (-oN), all formats (-oA), IP:PORT pairs (-oP), JSON (-oJ), and a custom Smap format (-oS).

  • Vulnerability and Service Detection: Unlike Nmap, Smap provides vulnerability data and service fingerprints (e.g., CPE, protocol, and service names) by tapping into Shodan’s database.

  • No Account Required: Smap operates without needing a Shodan account or API key, making it accessible to all users.

  • Target Flexibility: Supports scanning individual IPs (e.g., 127.0.0.1), hostnames (e.g., example.com), CIDR ranges (e.g., 178.23.56.0/8), or lists of targets via the -iL option.

  • Port Filtering: By default, Smap scans 1,237 common ports but allows users to specify custom ports or ranges (e.g., -p 20-53).

However, Smap ignores Nmap options beyond -p (port selection), -h (help), -o* (output formats), and -iL (input list), as it relies on Shodan’s data rather than active scanning.

Installation

Smap can be installed on various platforms, including Linux, macOS, and Windows. Below are the primary installation methods:

Using Go

  1. Install Go (Golang) on your system.

  2. Run the following command to install Smap:

go install -v github.com/s0md3v/smap/cmd/smap@latest

  3. Verify the installation by typing smap in your terminal.

  4. On Linux, if you encounter a “smap not found” error, add Go’s binary path to your ~/.profile, or export it in the current shell:

export PATH=$PATH:/usr/local/go/bin

If issues persist, consult your system’s Go path setup guide or download a pre-built binary.

Using Pre-Built Binaries

Download a pre-built binary from the Smap GitHub releases page for your operating system and run it directly.

Package Managers

  • Arch Linux: Install via AUR as smap-git (builds from source) or smap-bin (pre-built binary).

  • Homebrew: Smap is available on Homebrew for macOS users.

Usage Examples

Smap’s syntax is designed to mimic Nmap, making it intuitive for experienced users. Here are common use cases:

  • Scan a Single Host:

smap testphp.vulnweb.com

Scans the specified host for open ports using Shodan’s data.

  • Scan Multiple Hosts:

smap 127.0.0.1 127.0.0.2

Scans multiple IPs simultaneously.

  • Scan a CIDR Range:

smap 192.168.1.0/24

Scans an entire subnet.

  • Scan from a File:

smap -iL targets.txt

Reads a list of targets (IPs, hostnames, or CIDR) from targets.txt with entries separated by newlines.

  • Specify Ports:

smap -p 80,443 example.com

Filters results to show only ports 80 and 443.

  • Output to File:

smap example.com -oX output.xml

Saves output in Nmap’s XML format.
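Because the XML written by -oX follows Nmap’s layout, it can be consumed by the same tooling teams already use for Nmap. The following added example (not part of the Smap project) parses such a file and flags open ports that are not on a per-host allowlist of expected public exposures; the XML document and the allowlist are constructed for illustration, and the parser assumes Nmap’s <nmaprun>/<host>/<ports>/<port> structure.

```python
# Added example (not Smap's own code): triage `smap -oX` output against an allowlist
# of expected public exposures. Assumes Nmap's XML layout; sample data is constructed.
import xml.etree.ElementTree as ET

# Constructed stand-in for the file written by `smap -oX out.xml`.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="smap">
 <host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
 <host><address addr="203.0.113.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 </ports></host>
</nmaprun>
"""

# Ports each host is supposed to expose to the internet (constructed policy).
EXPECTED = {"203.0.113.10": {80, 443}, "203.0.113.11": set()}


def parse_open_ports(xml_text):
    """Return {ip: {(port, service_name), ...}} for ports recorded as open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # Nmap XML may also list filtered/closed ports
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports.add((int(port.get("portid")), name))
        result[addr] = ports
    return result


def unexpected_exposures(observed, expected):
    """Open ports not covered by the allowlist, keyed by IP and sorted."""
    findings = {}
    for ip, ports in observed.items():
        extra = {(p, s) for p, s in ports if p not in expected.get(ip, set())}
        if extra:
            findings[ip] = sorted(extra)
    return findings
```

Running unexpected_exposures(parse_open_ports(SAMPLE_XML), EXPECTED) on the constructed data reports 3389 (ms-wbt-server) on 203.0.113.10 and 22 (ssh) on 203.0.113.11, the two services Shodan recorded that the policy does not permit.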

Advantages and Limitations

Why Use Smap?

  • Speed: Ideal for rapid reconnaissance, as it fetches data from Shodan rather than performing active scans.

  • Stealth: Passive scanning avoids direct contact with targets, reducing the chance of triggering intrusion detection systems.

  • Vulnerability Insights: Provides additional data like vulnerabilities and service details not available in standard Nmap scans.

  • Ease of Integration: Nmap-compatible outputs allow integration with existing workflows and tools.

Limitations

  • Dependency on Shodan: Smap’s accuracy relies on Shodan’s database, which may not have up-to-date or comprehensive data for all hosts.

  • Limited Options: Only a subset of Nmap’s options (-p, -h, -o*, -iL) are supported, limiting advanced scanning capabilities.

  • Rate Limits: While no API key is required, heavy usage (e.g., scanning >10,000 hosts) may hit Shodan’s rate limits, though this is rare.

  • No Active Scanning: Smap cannot perform active probes, so it’s unsuitable for scenarios requiring real-time interaction with targets.

Use Cases

Smap is particularly valuable for:

  • Bug Bounty Hunters: Quickly identify open ports and potential vulnerabilities on target hosts during reconnaissance.

  • Penetration Testers: Use Smap for passive scanning to gather initial intelligence without alerting target systems.

  • Network Administrators: Check for exposed services or vulnerabilities on public-facing systems using Shodan’s data.

  • Security Researchers: Analyze large networks or IP ranges efficiently with CIDR support and JSON output for further processing.

Conclusion

Smap is a powerful, fast, and stealthy tool for passive port scanning, making it an excellent complement to Nmap for security professionals and researchers. Its reliance on Shodan.io ensures rapid results and valuable vulnerability data, though it’s limited by its passive nature and Shodan’s data availability. Whether you’re performing reconnaissance for ethical hacking or assessing network security, Smap offers a user-friendly and efficient solution. Download it from GitHub and integrate it into your toolkit today.