search

Passive nmap (smap)

Port scanning without touching your target

LogoGitHub - s0md3v/Smap: a drop-in replacement for Nmap powered by shodan.ioGitHubchevron-right

hashtag
SMAP

Smap is a useful tool that queries https://internetdb.shodan.io/arrow-up-right, a free API offered by Shodan. Its additional value is derived from the fact it can output data in nmap based formats, which can be ingested by other tools existing import options (E.g; Witnessme).

A slight issue exists in that every IP scanned is a separate GET request, so for scanning large ranges you quickly hit rate limiting resulting in unexpected output.

This can be bypassed by rotating your IPs. An easy way to do it is to set up an AWS API gateway pointing to the internetdb API, and patching out the URL within the smap binary.

  1. API Gateway

For this you can utilise fireprox, a handy tool for quickly spinning up API gateways.

2. Smap patching

Modify the smap binary to use your API gateway - this URL is within `shodan.go`.

3. Scan without rate limits

hashtag
Filtering results to gain further insight

Often it can be challenging to filter useful information out of 1000s of IPs; one method I've found useful is categorising IPs into files based on the available ports. The following code will create a series of files for each open port filled with the IPs that have that port open.

I find it makes unusual ports stand out a little easier, as one method for flagging up interesting targets.

Or as a oneliner:

PreviousO365 email enumerationNextLarge IP list handling

Last updated

Was this helpful?