In this post I want to explain the tool smap, which lets you scan networks and ports passively by drawing on the data collected by https://www.shodan.io/. If you don't know shodan.io yet, I will write another post explaining what it does and what passive scanning means.
One of the things I love most about smap is that it obtains the information from shodan.io without needing an API key, and it is really fast compared to nmap. Because the scan is passive, you never send a single packet to the target yourself: the results come from shodan.io, which scanned the target earlier and stored what it found. The flip side is that you only see what Shodan recorded on its last crawl, so results can be stale or incomplete, and smap cannot tell you about a port that changed since then.
In this guide we'll go through some of the key features of smap and show how it can be used in real-world scenarios. But before diving into the specifics, let's install it, since it is not usually preinstalled on Linux distributions.
How to install smap
There are different ways to install smap, but the easiest is to use one of the pre-built binaries published on the project's releases page. For this guide I will download version 0.1.12, but first check which versions are available at https://github.com/s0md3v/Smap/releases
Run the following commands to download the archive and its checksum file and check the archive's integrity, so that a corrupted or tampered download is caught before anything is installed:
$ wget -q https://github.com/s0md3v/Smap/releases/download/0.1.12/smap_0.1.12_linux_amd64.tar.xz
$ wget -q https://github.com/s0md3v/Smap/releases/download/0.1.12/smap_0.1.12--sha256_checksums.txt
$ grep $(sha256sum smap_0.1.12_linux_amd64.tar.xz | awk '{ print $1 }') smap_0.1.12--sha256_checksums.txt
The grep prints the matching line (the hash followed by smap_0.1.12_linux_amd64.tar.xz) when the computed hash is present in the checksum file; in that case the download is intact and it is safe to continue. If it prints nothing, the hashes differ: delete the archive and download it again rather than installing it. Keep in mind that a checksum file served from the same release page only proves the archive matches what was published there; it is an integrity check against download corruption or tampering in transit, not a signature that authenticates the publisher.
Next, extract the .tar.xz archive, copy the binary into /usr/local/bin and confirm that it runs:
$ tar xf smap_0.1.12_linux_amd64.tar.xz
$ sudo cp smap_0.1.12_linux_amd64/smap /usr/local/bin
$ smap
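The grep-based check above matches the hash string anywhere in the checksum file and simply prints nothing on failure, so a script built around it can carry on and install a bad archive. As an added example (not part of the original post or of the smap project), here is the same verification as a small Python script that requires an entry for exactly the downloaded filename and fails closed; the file names it uses are the ones from the 0.1.12 release above and are otherwise assumptions:

```python
"""Verify a downloaded release archive against a sha256sum-style checksum file.

Added example for this post, not part of smap. The default file names below
are taken from the 0.1.12 release used in the text and are assumptions.
"""
import hashlib
import sys
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, hashed in 1 MiB chunks so large archives are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksums(text: str) -> dict:
    """Parse 'hexdigest  filename' lines as written by sha256sum into {filename: hexdigest}.

    Blank lines and comments are ignored; a leading '*' on the filename
    (sha256sum's binary-mode marker) is stripped.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a SHA-256 entry
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def digest_matches(name: str, actual_digest: str, expected: dict) -> bool:
    """True only if the checksum file has an entry for exactly this filename and
    its digest equals the computed one. A missing entry counts as failure: grepping
    for the hash alone would also accept a line that belongs to a different file."""
    return name in expected and expected[name] == actual_digest.lower()


def verify_checksum(artifact_path, checksums_path) -> bool:
    """Check a downloaded archive against its published checksum file."""
    expected = parse_checksums(Path(checksums_path).read_text())
    return digest_matches(Path(artifact_path).name, sha256_file(artifact_path), expected)


if __name__ == "__main__":
    # Usage: python verify_release.py [archive] [checksums]; the defaults are assumptions.
    archive = sys.argv[1] if len(sys.argv) > 1 else "smap_0.1.12_linux_amd64.tar.xz"
    sums = sys.argv[2] if len(sys.argv) > 2 else "smap_0.1.12--sha256_checksums.txt"
    if not verify_checksum(archive, sums):
        sys.exit(f"{archive}: checksum mismatch or no entry in {sums}; do not install")
    print(f"{archive}: OK")
```

A non-zero exit on mismatch is what makes this usable from an install script: the tar and cp steps can be chained after it with && so they never run on a bad download.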
How to use smap to scan
One of the most basic uses of smap is to scan a single target. For instance, to look up the domain yahoo.com, you can run:
$ smap yahoo.com
Some of the nmap command options also work with smap, such as -p to restrict the results to a set of ports or a port range on the target IP. Since nothing is probed, -p only filters what Shodan already recorded for that host; a port Shodan never observed will not appear even if you list it:
$ smap -p80,443,1024-5000 98.137.11.164
If you want more information about the open ports, add the -sV option as you would with nmap to include the service and version details Shodan holds for them:
$ smap -sV -p80,443,1024-5000 185.15.58.226
If you want to process the smap results further, the nmap-style output options can be used to write the report in well-known formats; the example below uses -oG for greppable output:
$ smap -sV -p80,443,1024-5000 -oG report.txt 185.15.58.226
$ cat report.txt
Finally, a file with a list of IPs or IP ranges, one per line, can be passed to smap with the -iL option:
$ echo "74.6.143.26" > ip-list.txt
$ echo "185.15.58.226" >> ip-list.txt
$ smap -sV -iL ip-list.txt
Automation idea for security operations center detection
An interesting use case for this tool is to keep a watch on your organization's perimeter with smap. A scheduled script, written in whatever language you prefer, runs smap against your public IP addresses to get their exposed ports and compares the result with the previous smap report. Any port that is open in the new report but was not in the old one should be investigated: either there is a business justification for exposing it to the internet, or it should be closed to avoid growing the attack surface. Because the data comes from Shodan, a new entry means Shodan observed the port on its latest crawl, and a port that disappears from the report is not necessarily closed; detection is also delayed by Shodan's crawl cadence, so this watch complements rather than replaces an active external scan of your own ranges.
To summarize
As you can see, smap can be a great tool for cybersecurity professionals because it returns Shodan's information about a target really quickly without scanning the target directly. Apart from the automation use case outlined above, there are other interesting uses, so I recommend giving this tool a try and getting familiar with it. Then the ideas will come to your mind for sure.