// the find
s0md3v/Smap
a drop-in replacement for Nmap powered by shodan.io
Smap is a passive port scanner that queries Shodan's InternetDB instead of touching the target directly. It accepts Nmap flags and produces Nmap-compatible output, so it drops into existing workflows without changes. Useful for recon where stealth matters or when you want fast bulk results without burning through network connections.
The no-contact-to-target guarantee is the main reason to use this — useful for legal/ethical recon where active probing is out of scope. The Nmap flag compatibility is genuinely well-executed; output formats (XML, grepable, JSON) are faithful enough that downstream tooling doesn't notice the difference. The --active hybrid mode is a smart design: collect passive hits first, then run real Nmap only on confirmed-open ports, which can cut active scan time significantly on large target lists. InternetDB queries are unauthenticated, so there's no API key to manage or rate limit to babysit for basic use.
Data is up to 7 days stale by Shodan's own admission — this is fine for survey work but useless if you need current state, like verifying a patch was applied. The ~4000 ports Shodan indexes are a fixed universe; anything running on an unusual port is invisible unless you go fully active. IPv6 is unsupported entirely, which is an increasingly real gap as more infrastructure dual-stacks. The codebase is compact but maintenance has been slow — last meaningful activity is sporadic and the project feels in caretaker mode rather than active development.