DEV.co
Open-Source Security · shadow1ng

fscan

Fscan is a Go-based intranet reconnaissance and vulnerability scanning tool designed for automated penetration testing. It performs host discovery, port scanning, service identification, credential brute-forcing across 28+ services, and includes pre-built exploits for critical vulnerabilities like MS17-010 and Redis RCE.

Source: GitHub — github.com/shadow1ng/fscan
14.1k
GitHub stars
1.9k
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryshadow1ng/fscan
Ownershadow1ng
Primary languageGo
LicenseMIT — OSI-approved
Stars14.1k
Forks1.9k
Open issues20
Latest releasev2.1.3 (2026-05-15)
Last updated2026-06-27
Sourcehttps://github.com/shadow1ng/fscan

What fscan is

Go-compiled command-line scanner with pluggable architecture supporting ICMP/TCP probing, 20+ service fingerprints, 40+ Web signatures, SMB/SSH/RDP/FTP/database brute-force, POC-based Web vulnerability scanning (Xray/Afrog formats), and post-exploitation modules (credential harvesting, privilege persistence, reverse shells). Includes optional Web UI, SDK embedding, and conditional compilation via build tags.

Quickstart

Get the fscan source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/shadow1ng/fscan.gitcd fscan# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Internal Network Penetration Testing & Audits

Automated discovery and exploitation of common weak credentials, unpatched services (MS17-010, SMBGhost), and misconfigured databases (Redis/MongoDB/Elasticsearch). One-command scan of class B/C networks with results in TXT/JSON/CSV.

Red Team Infrastructure Assessment

Rapid identification of exploitable services, credential stuffing across SSH/RDP/FTP/MySQL/MSSQL, and automated execution of public POCs. Supports proxy routing and SOCKS5 for lateralization scenarios.

Security Platform Integration via SDK

Go SDK (`pkg/fscan`) enables embedding in agents, centralized security platforms, or custom automation. Supports task control (pause/resume), real-time progress callbacks, and TaskID tracking for distributed scanning.

Implementation considerations

  • Requires explicit scoping: define target CIDR blocks, excluded hosts, and port ranges before execution to avoid unintended scanning and rate-limiting collateral damage.
  • Built-in weak password dictionaries (100+) and brute-force against 28 services will trigger authentication logs and IDS alerts; coordinate with SOC/network team.
  • Post-exploitation modules (minidump, registry export, SSH RCE) execute with local user privileges; do not run with elevated privileges unless intentional artifact collection is required.
  • SDK embedding requires Go 1.20+; validate dependency versions (grdp, FingerprintHub integration) against your build environment before production deployment.
  • Output files are appended, not rotated; implement external log rotation or capture stdout to avoid unbounded disk growth on large scans.

When to avoid it — and what to weigh

  • Production/High-Availability Environments Without Explicit Authorization — Tool is designed for aggressive vulnerability scanning. Risk of port scanning DoS, credential brute-force lockouts, and exploitation attempts against live systems. Requires formal authorization before use.
  • Compliance Requirement for Vendor Security Controls/SLA — Project is community-maintained open-source with no commercial support, SLA, or audit trails. Not suitable for environments requiring vendor accountability or formal security assessment reports.
  • Scan Results Requiring Legal/Forensic Chain-of-Custody — No built-in audit logging, result verification, or tamper-evident mechanisms. Output formats (TXT/JSON) do not meet forensic standards for sensitive compliance reporting.
  • Multi-Tenant or Sandboxed Execution — Includes local privilege escalation, credential harvesting, and shell modules. Not designed for isolation or untrusted operator sandboxing.

License & commercial use

Licensed under MIT (MIT License), a permissive open-source license. Permits commercial use, modification, and distribution provided original copyright and license text are retained.

MIT license explicitly allows commercial use without royalty or vendor permission. However, no commercial support, warranty, or liability protection is provided. Organizations using fscan commercially should: (1) obtain written authorization for all target environments, (2) maintain internal documentation of scan scope and consent, (3) implement organizational policies to prevent unauthorized use, and (4) consider legal review given the tool's offensive security nature (exploitation, credential brute-force, privilege escalation). Project author disclaims liability for non-authorized scanning.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool performs offensive scanning and exploitation against target systems. Key considerations: (1) Weak password dictionaries and brute-force can lock accounts; (2) Exploitation modules (MS17-010, Redis RCE, SSH key injection) execute code on targets—code review of POC payloads recommended before use; (3) Post-exploitation modules collect credentials and system data; ensure results are stored securely; (4) No built-in encryption of output files or credentials; operators responsible for protecting scan results. (5) Fingerprint matching uses string-based patterns with high false-positive risk in production environments. (6) SOCKS5 proxy credentials stored in CLI arguments or environment—no secrets manager integration.

Alternatives to consider

Nmap + Metasploit/Burp Suite

Industry-standard, widely supported, formal vendor backing (Rapid7). Slower workflow but better documentation and compliance audit trails. Overkill for simple intranet scans.

ZMap / Masscan (Port Scanning) + Custom Scripts

Higher-performance, stateless scanning for large networks. Requires manual service identification and exploitation orchestration. Lower-level, more control, steeper learning curve.

Qualys VMDR / Rapid7 InsightVM / Tenable Nessus

Commercial SaaS/on-premise platforms with compliance reporting, multi-tenancy, formal support, and audit trails. Higher cost, slower to deploy, slower scans but suitable for regulated environments.

Software development agency

Build on fscan with DEV.co software developers

If you are running authorized penetration tests or internal security audits on isolated networks, request a security assessment of the tool, define scanning policies, and obtain formal authorization before deployment. For regulated environments, compare against commercial alternatives (Nessus, Qualys, InsightVM) that provide compliance reporting and vendor support.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

fscan FAQ

Can I use fscan on production systems without downtime risk?
Not recommended. Fscan performs aggressive probing, credential brute-force, and exploitation. It can trigger IDS/rate-limiting, lock user accounts, and execute code on targets. Use only in authorized testing windows with explicit stakeholder coordination.
Does fscan support scanning external Internet targets?
Functionally yes, but ethically and legally no. Tool is designed for intranet/internal testing. External scanning without explicit written authorization violates computer fraud laws in most jurisdictions. Author disclaimer explicitly states non-authorized use not permitted.
How do I integrate fscan results into my SIEM or ticketing system?
fscan outputs JSON/CSV/TXT; parse and forward via custom scripts. SDK (`pkg/fscan`) provides programmatic task control and progress callbacks, enabling custom integration. No native integrations with Splunk, ELK, or Jira documented.
Is the Web UI production-ready?
Unknown. Web UI is optional (compile with `-tags web`), recent addition (v2.1.0 changelog), and no security assessment or hardening mentioned. Intended for internal lab/testing use; not recommended for exposed deployments.

Custom software development services

Need help beyond evaluating fscan? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Evaluate Fscan for Your Security Testing Program

If you are running authorized penetration tests or internal security audits on isolated networks, request a security assessment of the tool, define scanning policies, and obtain formal authorization before deployment. For regulated environments, compare against commercial alternatives (Nessus, Qualys, InsightVM) that provide compliance reporting and vendor support.