Host and service discovery

Once you are on a reachable subnet (after NAC bypass, VPN access,
or directly through an in-scope range), the first step is to find live hosts,
their open ports, and the services behind them. Our preferred tool for this on
internal engagements is SmartScanner.
It wraps host discovery, full and quick nmap-style port scans, service version
detection, HTTP screenshots, and a handful of protocol plugins (SMB, LDAP,
TLS, ...) behind an interactive shell, and can stream every finding into a
SysReptor project as structured notes.

SmartScanner

Where to find it

How to start it

Clone the repository, install the Python dependencies (a virtualenv is
recommended), then launch the interactive shell:

bash
git clone https://github.com/Syslifters/smartscanner.git
cd smartscanner
python -m smartscanner.main

You should land at the SmartScanner> prompt. The most useful commands at
that prompt are:

| Command | Purpose |
|---|---|
| settings / set <key> <value> | Show or change a setting |
| add <CIDR> | Add a network range to the scope |
| resume / pause | Start or pause scanning |
| status, tasks, hosts, plugins | Inspect progress |
| ports <ip> | Show open ports for a host |
| rerun <plugin> [port_id] | Re-run a plugin (all hosts, or one port) |
| sync / sync full | Push changes to SysReptor manually |
| export {json,csv,xml} <file> | Export raw results |

Adding nmap scripts

You can add nmap scripts by copying them to the respective scripts location:

  • Windows: C:\Program Files (x86)\Nmap\scripts
  • Linux: /usr/share/nmap/scripts

Then update the script database with nmap --script-updatedb. You might need to run this command as admin. Check out our additional nse-scripts repository.

SmartScanner will automatically pick up all scripts with the categories vuln, default, safe, discovery or auth.
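As an added example (not part of SmartScanner or this page), a small Python check that reads the `categories = {...}` line of NSE scripts and reports which of them fall into the categories SmartScanner loads; the two sample script sources are constructed.

```python
import re
from pathlib import Path

# Categories SmartScanner picks up automatically, as stated in the docs above.
SMARTSCANNER_CATEGORIES = {"vuln", "default", "safe", "discovery", "auth"}

# Matches the Lua table assignment `categories = {"a", "b"}`, also when spread
# over several lines. A commented-out `-- categories = ...` line does not match
# because the line must start with the identifier.
_CATEGORIES_RE = re.compile(r"^\s*categories\s*=\s*\{([^}]*)\}", re.MULTILINE)

def nse_categories(script_source: str) -> set[str]:
    """Return the category set an NSE script declares (empty if none found)."""
    m = _CATEGORIES_RE.search(script_source)
    if not m:
        return set()
    return {c.strip().strip("\"'") for c in m.group(1).split(",") if c.strip()}

def picked_up_by_smartscanner(script_source: str) -> bool:
    """True if at least one declared category is one SmartScanner loads."""
    return bool(nse_categories(script_source) & SMARTSCANNER_CATEGORIES)

def scripts_smartscanner_will_load(scripts_dir: Path) -> list[str]:
    """List the *.nse files in a scripts directory that SmartScanner would run."""
    return sorted(
        p.name for p in scripts_dir.glob("*.nse")
        if picked_up_by_smartscanner(p.read_text(encoding="utf-8", errors="replace"))
    )

# Constructed sample script headers (not real NSE scripts).
SAMPLE_DISCOVERY = '''description = [[Lists a service banner.]]
author = "example"
categories = {"discovery", "safe"}
'''
SAMPLE_INTRUSIVE = '''description = [[Floods a service.]]
-- categories = {"default"}   -- commented out, must be ignored
categories = {
  "intrusive",
  "dos",
}
'''

if __name__ == "__main__":
    for name, src in [("discovery", SAMPLE_DISCOVERY), ("intrusive", SAMPLE_INTRUSIVE)]:
        print(name, sorted(nse_categories(src)), picked_up_by_smartscanner(src))
```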

Example: End-to-End Pentest Workflow with SysReptor

This is the typical engagement workflow. The SysReptor side is set up once,
then SmartScanner streams its findings into the project for you.

Step 1: Prepare the SysReptor project

In your SysReptor instance:

  1. Create a new project for the engagement (or open an existing one).
  2. Note the project ID from the URL: https://<sysreptor>/projects/<PROJECT_ID>/...
  3. Create an API token: click your user, API Tokens, Create token, copy it
    (you'll only see it once).

The first sync will create a root note called Smartscanner in that
project, with Hosts > Hosts - Open Ports and Hosts > Hosts - No Open Ports as sub-notes. Each scanned host becomes its own note underneath,
titled by IP, with an emoji indicating scan progress (queued, scanning,
analysing, done).

Step 2: Configure SmartScanner

Start SmartScanner and set the SysReptor credentials:

text
SmartScanner> set reptor_server https://sysreptor.example.com
Setting 'reptor_server' set to 'https://sysreptor.example.com'

SmartScanner> set reptor_token sR_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Setting 'reptor_token' set to 'sR_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

SmartScanner> set reptor_project_id 8f3c2b1a-0d4e-4a1c-9b7e-6f9a2c1d3e4f
Setting 'reptor_project_id' set to '8f3c2b1a-0d4e-4a1c-9b7e-6f9a2c1d3e4f'

Verify with:

text
SmartScanner> settings

Step 3: Tune the scan for the engagement

For a typical internal pentest where you want to be quick but not too noisy:

text
SmartScanner> set scan_speed aggressive
SmartScanner> set max_parallel_tasks 6
SmartScanner> set max_parallel_plugins 4
SmartScanner> set nmap_min_rate 500
SmartScanner> set nmap_host_timeout 1800
SmartScanner> set nmap_script_timeout 120

If the network drops ICMP and you know hosts are alive anyway:

text
SmartScanner> set disable_ping true

This skips the basic ping/top-1000 sweep and goes directly to the full
-Pn -sS -sV -sC --script vuln,default,safe,discovery,auth -p- scan.

If you have domain credentials and want SMB share enumeration to be
authenticated:

text
SmartScanner> set smb_user pentest
SmartScanner> set smb_domain CORP
SmartScanner> set smb_password 'Sup3rSecret!'

Step 4: Enable background sync to SysReptor

To have results pushed to the project continuously while the scan runs:

text
SmartScanner> set reptor_background_sync true
SmartScanner> set reptor_background_sync_threads 3

A control thread now wakes up every ~30s, picks up every host whose
version is greater than its synced_version, and pushes it to SysReptor
via 3 worker subprocesses. Screenshots are uploaded to SysReptor's file
store and embedded inline in the host note.

Note: any content you write outside of the
<!-- SMARTSCANNER_START:... --> / <!-- SMARTSCANNER_END:... -->
markers in a managed note is preserved across syncs. Anything inside the
markers will be overwritten on the next sync.
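To show what the marker rule means in practice, here is an added Python example (not SmartScanner's own sync code) that updates the managed block of a note while leaving the analyst's text outside the markers untouched; the `ports` section label after the colon and the note text are constructed assumptions.

```python
import re

def _marker(kind: str, section: str) -> str:
    # Marker shape follows the docs; the label after the colon is an assumption.
    return f"<!-- SMARTSCANNER_{kind}:{section} -->"

def merge_managed_section(existing_note: str, section: str, new_body: str) -> str:
    """Replace the managed block for `section`; text outside it is preserved.

    If the note has no block for this section yet, one is appended at the end.
    """
    start, end = _marker("START", section), _marker("END", section)
    if existing_note.count(start) != existing_note.count(end):
        raise ValueError(f"unbalanced markers for section {section!r}")
    if existing_note.count(start) > 1:
        raise ValueError(f"section {section!r} appears more than once")
    pattern = re.compile(re.escape(start) + r".*?" + re.escape(end), re.DOTALL)
    replacement = f"{start}\n{new_body.rstrip()}\n{end}"
    # A callable replacement keeps backslashes in the body literal.
    updated, n = pattern.subn(lambda _m: replacement, existing_note)
    if n == 0:
        sep = "" if not existing_note or existing_note.endswith("\n") else "\n"
        return existing_note + sep + replacement + "\n"
    return updated

# Constructed note: analyst text around a managed block from an earlier sync.
EXISTING_NOTE = """# 10.10.4.17

Analyst: verified DC role manually, see ticket PT-12 (constructed).

<!-- SMARTSCANNER_START:ports -->
53/tcp domain
<!-- SMARTSCANNER_END:ports -->

Analyst: follow-up on LDAP signing pending.
"""
NEW_PORTS = "53/tcp domain\n88/tcp kerberos-sec\n389/tcp ldap\n445/tcp microsoft-ds"

if __name__ == "__main__":
    print(merge_managed_section(EXISTING_NOTE, "ports", NEW_PORTS))
```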

Step 5: Add the in-scope ranges and let it run

text
SmartScanner> add 10.10.0.0/16
Added network range: 10.10.0.0/16 (ID: 1)

SmartScanner> add 192.168.50.0/24
Added network range: 192.168.50.0/24 (ID: 2)

SmartScanner> resume
Scanning resumed

You can now leave it running. Use status, tasks, hosts, and plugins
to keep an eye on progress.

Step 6: Inspect results as they roll in

text
SmartScanner> hosts
=== Discovered Hosts ===
IP Address         Hostname                  Status         Ports
----------------------------------------------------------------------
10.10.4.17         dc01.corp.local           plugins_done   12
10.10.4.42         fileserver.corp.local     full_scan_done 5
...

SmartScanner> ports 10.10.4.17
=== Ports for 10.10.4.17 ===
Port     Protocol   Service         Version              State
---------------------------------------------------------------------------
53       tcp        domain          -                    open
88       tcp        kerberos-sec    -                    open
389      tcp        ldap            -                    open
445      tcp        microsoft-ds    -                    open
...

Step 7: Manual sync at the end (or any time)

Background sync runs continuously, but you can also force a sync:

text
SmartScanner> sync          # delta sync (only changed hosts)
SmartScanner> sync full     # full re-push of every host

Step 8: Export raw data for the appendix

text
SmartScanner> export json results.json
SmartScanner> export csv  results.csv
SmartScanner> export xml  results.xml   # nmap-compatible XML

More Examples

Stealthy external scan

text
SmartScanner> set scan_speed sneaky
SmartScanner> set nmap_min_rate 0
SmartScanner> set max_parallel_tasks 2
SmartScanner> set max_parallel_plugins 1
SmartScanner> add 198.51.100.0/24
SmartScanner> resume

-T1 plus a single scan worker keeps packet rates very low.

Fast lab sweep (you control the network)

text
SmartScanner> set scan_speed insane
SmartScanner> set nmap_min_rate 5000
SmartScanner> set max_parallel_tasks 16
SmartScanner> set max_parallel_plugins 8
SmartScanner> set disable_ping true
SmartScanner> add 172.16.0.0/22
SmartScanner> resume

Re-running a plugin after fixing its config

You configured SMB credentials after the SMB hosts were already scanned.
Re-run smb_info on everything:

text
SmartScanner> set smb_user pentest
SmartScanner> set smb_password 'Sup3rSecret!'
SmartScanner> rerun smb_info

Or re-run it for one specific port (look up the port ID with
plugins executions):

text
SmartScanner> rerun smb_info 42

Retrying failed tasks

List the tasks that failed (for example because of a host timeout) and queue them again:

text
SmartScanner> tasks failed
SmartScanner> retry

Cleaning up before a new engagement

The database lives in ~/.smartscanner/. To start completely fresh:

bash
rm -rf ~/.smartscanner

This deletes the database, screenshots, and the Selenium driver cache.