fscan
Fscan is a Go-based intranet reconnaissance and vulnerability scanning tool designed for automated penetration testing. It performs host discovery, port scanning, service identification, credential brute-forcing across 28+ services, and includes pre-built exploits for critical vulnerabilities like MS17-010 and Redis RCE.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | shadow1ng/fscan |
| Owner | shadow1ng |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 14.1k |
| Forks | 1.9k |
| Open issues | 20 |
| Latest release | v2.1.3 (2026-05-15) |
| Last updated | 2026-06-27 |
| Source | https://github.com/shadow1ng/fscan |
What fscan is
Go-compiled command-line scanner with pluggable architecture supporting ICMP/TCP probing, 20+ service fingerprints, 40+ Web signatures, SMB/SSH/RDP/FTP/database brute-force, POC-based Web vulnerability scanning (Xray/Afrog formats), and post-exploitation modules (credential harvesting, privilege persistence, reverse shells). Includes optional Web UI, SDK embedding, and conditional compilation via build tags.
Get the fscan source
Clone the repository and explore it locally.
git clone https://github.com/shadow1ng/fscan.gitcd fscan# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires explicit scoping: define target CIDR blocks, excluded hosts, and port ranges before execution to avoid unintended scanning and rate-limiting collateral damage.
- Built-in weak password dictionaries (100+) and brute-force against 28 services will trigger authentication logs and IDS alerts; coordinate with SOC/network team.
- Post-exploitation modules (minidump, registry export, SSH RCE) execute with local user privileges; do not run with elevated privileges unless intentional artifact collection is required.
- SDK embedding requires Go 1.20+; validate dependency versions (grdp, FingerprintHub integration) against your build environment before production deployment.
- Output files are appended, not rotated; implement external log rotation or capture stdout to avoid unbounded disk growth on large scans.
When to avoid it — and what to weigh
- Production/High-Availability Environments Without Explicit Authorization — Tool is designed for aggressive vulnerability scanning. Risk of port scanning DoS, credential brute-force lockouts, and exploitation attempts against live systems. Requires formal authorization before use.
- Compliance Requirement for Vendor Security Controls/SLA — Project is community-maintained open-source with no commercial support, SLA, or audit trails. Not suitable for environments requiring vendor accountability or formal security assessment reports.
- Scan Results Requiring Legal/Forensic Chain-of-Custody — No built-in audit logging, result verification, or tamper-evident mechanisms. Output formats (TXT/JSON) do not meet forensic standards for sensitive compliance reporting.
- Multi-Tenant or Sandboxed Execution — Includes local privilege escalation, credential harvesting, and shell modules. Not designed for isolation or untrusted operator sandboxing.
License & commercial use
Licensed under MIT (MIT License), a permissive open-source license. Permits commercial use, modification, and distribution provided original copyright and license text are retained.
MIT license explicitly allows commercial use without royalty or vendor permission. However, no commercial support, warranty, or liability protection is provided. Organizations using fscan commercially should: (1) obtain written authorization for all target environments, (2) maintain internal documentation of scan scope and consent, (3) implement organizational policies to prevent unauthorized use, and (4) consider legal review given the tool's offensive security nature (exploitation, credential brute-force, privilege escalation). Project author disclaims liability for non-authorized scanning.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool performs offensive scanning and exploitation against target systems. Key considerations: (1) Weak password dictionaries and brute-force can lock accounts; (2) Exploitation modules (MS17-010, Redis RCE, SSH key injection) execute code on targets—code review of POC payloads recommended before use; (3) Post-exploitation modules collect credentials and system data; ensure results are stored securely; (4) No built-in encryption of output files or credentials; operators responsible for protecting scan results. (5) Fingerprint matching uses string-based patterns with high false-positive risk in production environments. (6) SOCKS5 proxy credentials stored in CLI arguments or environment—no secrets manager integration.
Alternatives to consider
Nmap + Metasploit/Burp Suite
Industry-standard, widely supported, formal vendor backing (Rapid7). Slower workflow but better documentation and compliance audit trails. Overkill for simple intranet scans.
ZMap / Masscan (Port Scanning) + Custom Scripts
Higher-performance, stateless scanning for large networks. Requires manual service identification and exploitation orchestration. Lower-level, more control, steeper learning curve.
Qualys VMDR / Rapid7 InsightVM / Tenable Nessus
Commercial SaaS/on-premise platforms with compliance reporting, multi-tenancy, formal support, and audit trails. Higher cost, slower to deploy, slower scans but suitable for regulated environments.
Build on fscan with DEV.co software developers
If you are running authorized penetration tests or internal security audits on isolated networks, request a security assessment of the tool, define scanning policies, and obtain formal authorization before deployment. For regulated environments, compare against commercial alternatives (Nessus, Qualys, InsightVM) that provide compliance reporting and vendor support.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
fscan FAQ
Can I use fscan on production systems without downtime risk?
Does fscan support scanning external Internet targets?
How do I integrate fscan results into my SIEM or ticketing system?
Is the Web UI production-ready?
Custom software development services
Need help beyond evaluating fscan? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Evaluate Fscan for Your Security Testing Program
If you are running authorized penetration tests or internal security audits on isolated networks, request a security assessment of the tool, define scanning policies, and obtain formal authorization before deployment. For regulated environments, compare against commercial alternatives (Nessus, Qualys, InsightVM) that provide compliance reporting and vendor support.