A fast, modern network port and service fingerprinting tool written in Rust.
Specter is a next-generation security scanner that goes beyond simple port detection. It identifies services, versions, and known vulnerabilities with high confidence using advanced fingerprinting techniques.
- Fast async port scanning - Scan thousands of ports in seconds
- Multi-protocol probing - HTTP, HTTPS (TLS), SSH, FTP, SMTP
- Service fingerprinting - Identify services with confidence scoring
- CVE detection - Match services against known vulnerabilities
- Beautiful output - Colored terminal output with progress bars
- JSON export - Machine-readable output for automation/CI/CD
- Profile presets - Quick scan profiles for common scenarios
```bash
git clone https://github.com/xkillx/specter.git
cd specter
cargo build --release
```

The binary will be available at `target/release/specter`.

```bash
cargo install specter
```

Basic port scan:

```bash
specter scan example.com --ports 1-1000
```

Full service fingerprinting:

```bash
specter scan example.com --ports 1-1000 --probes --features --fingerprint
```

JSON output for automation:
```bash
specter scan example.com --json --probes --features --fingerprint
```

```
specter scan <TARGET> [OPTIONS]
```

| Option | Description | Default |
|---|---|---|
| `--ports <RANGE>` | Port range (e.g., 1-1000, 80,443,8080) | 1-1000 |
| `-c, --concurrency <N>` | Concurrent connections | 100 |
| `-t, --timeout <MS>` | Timeout per port (ms) | 1000 |
| `--probes` | Enable protocol probing | false |
| `--probe-timeout <MS>` | Probe timeout (ms) | 2000 |
| `--features` | Enable feature extraction | false |
| `--fingerprint` | Enable fingerprint matching | false |
| `--min-confidence <N>` | Minimum confidence (0.0-1.0) | 0.5 |
| `--fingerprint-db <PATH>` | Fingerprint database path | fingerprints.yaml |
| `--json` | Output as JSON | false |
| `--json-compact` | Compact JSON output | false |
| `--json-output <FILE>` | Write JSON to file | - |
| `--profile <PROFILE>` | Use scan preset (fast/full/stealth) | - |
| `-v, --verbose` | Verbose mode (can be used multiple times) | - |
| `-q, --quiet` | Quiet mode (minimal output) | - |
| `--no-color` | Disable colored output | - |
| `--config <PATH>` | Config file path | - |
| `-h, --help` | Print help | - |
| `-V, --version` | Print version | - |

- Single port: `--ports 80`
- Range: `--ports 1-1000`
- Multiple: `--ports 80,443,8080`
- Mixed: `--ports 1-100,443,8080-9000`

| Profile | Description | Ports | Concurrency | Timeout |
|---|---|---|---|---|
| `fast` | Quick scan of common ports | 22,80,443,8080 | 200 | 500ms |
| `full` | Deep scan with all features | 1-65535 | 100 | 1000ms |
| `stealth` | Slow scan to avoid detection | 1-1000 | 10 | 3000ms |

Example:

```bash
specter scan example.com --profile fast
```

```
════════════════════════════════════ Specter Scanner ════════════════════════════════════
Target: example.com
Scanning 1000 ports...
✓ Port 22 is open
✓ Port 80 is open
✓ Port 443 is open
┌─────────────────────────────────────────────┐
│ Port 443/TCP ────────────────────────────── │
├─────────────────────────────────────────────┤
│ Service: nginx 1.18.0                       │
│ Confidence: 94% ███████████░                │
├─────────────────────────────────────────────┤
│ Evidence:                                   │
│   ✓ [nginx_http_server] (weight: 0.9)       │
├─────────────────────────────────────────────┤
│ ⚠ Known CVEs:                               │
│   • CVE-2021-23017                          │
└─────────────────────────────────────────────┘
Summary:
Ports scanned: 1000
Open ports: 3
Services identified: 3
Total time: 2.31s
Throughput: 432 ports/sec
```

```json
{
  "target": {
    "host": "example.com",
    "ip": "93.184.216.34",
    "scan_time": "2026-02-06T10:30:00Z",
    "scan_duration_ms": 2310,
    "ports_scanned": 1000,
    "open_ports": 3
  },
  "results": {
    "443": {
      "port": 443,
      "status": "open",
      "protocol": "tcp",
      "service_detection": {
        "service": "nginx",
        "version": "1.18.0",
        "confidence": 0.94,
        "matched_rules": ["nginx_http_server"]
      },
      "features": {
        "http": {
          "server": "nginx/1.18.0",
          "status_code": 200
        },
        "tls": {
          "version": "TLSv1.3",
          "cipher_suite": "TLS_AES_256_GCM_SHA384"
        }
      },
      "vulnerabilities": [
        {
          "cve_id": "CVE-2021-23017",
          "severity": "HIGH"
        }
      ]
    }
  },
  "summary": {
    "services_detected": ["nginx", "openssh"],
    "total_cves": 1,
    "high_severity_cves": 1
  }
}
```

Specter supports configuration files in YAML format. Config files are loaded from:

- `$XDG_CONFIG_HOME/specter/specter.yaml`
- `~/.config/specter/specter.yaml`
- `./specter.yaml`

```yaml
# specter.yaml

# Default scan options
defaults:
  ports: "1-1000"
  concurrency: 100
  timeout: 1000
  probe-timeout: 3000

# Output preferences
output:
  format: "pretty"  # pretty, json, compact
  show-features: true
  show-cves: true

# Fingerprinting
fingerprinting:
  enabled: true
  min-confidence: 0.5
  database: "fingerprints.yaml"

# Colors
colors:
  enabled: true
```

Specter uses a YAML-based fingerprint database to identify services. The database includes rules for:
- Web servers (nginx, Apache, IIS, Cloudflare)
- SSH servers (OpenSSH, Dropbear)
- FTP servers (vsftpd, ProFTPD)
- SMTP servers (Postfix, Sendmail)
- And more...
You can extend the fingerprint database by adding custom rules to fingerprints.yaml:
```yaml
rules:
  - id: my_custom_service
    service: MyCustomService
    description: "My custom service detection"
    protocol: HTTP
    weight: 0.9
    conditions:
      http:
        server_pattern: "MyCustomService.*"
        header_patterns:
          x-custom-header: ".*"
```

| Field | Type | Description |
|---|---|---|
| `id` | string | Unique rule identifier |
| `service` | string | Service name |
| `description` | string | Rule description |
| `protocol` | string | Protocol (HTTP, TLS, SSH, FTP, SMTP) |
| `weight` | float | Confidence weight (0.0-1.0) |
| `conditions` | object | Matching conditions |
| `min_matches` | int | Minimum condition matches required |

Higher concurrency = faster scans, but more resource usage:
```bash
# Fast scan (may trigger IDS/IPS)
specter scan example.com --concurrency 500
# Normal scan
specter scan example.com --concurrency 100
# Slow/stealth scan
specter scan example.com --concurrency 10
```

Adjust timeouts based on network conditions:

```bash
# Fast network
specter scan example.com --timeout 500 --probe-timeout 1000
# Slow/unreliable network
specter scan example.com --timeout 3000 --probe-timeout 10000
```

```bash
# Quick scan of common ports using the fast profile
specter scan example.com --profile fast
# All ports with probing, feature extraction and fingerprint matching
specter scan example.com --ports 1-65535 --probes --features --fingerprint
# Write the JSON report to a file
specter scan example.com --json --json-output results.json --probes --features
# Quiet mode (minimal output)
specter scan example.com --quiet --probes --fingerprint
# Verbose mode, given twice
specter scan example.com -vv --probes
```

```bash
#!/bin/bash
# Exit on CVE detection
specter scan example.com --json --probes --fingerprint | \
  jq '.summary.total_cves' | \
  if grep -q "[1-9]"; then
    echo "Vulnerabilities found!"
    exit 1
  fi
```

| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | DNS resolution failed |
| 3 | Connection failed |
| 4 | Invalid input/configuration |
| 5 | File I/O error |
| 6 | Database error |
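
The CI pipeline above exits 0 when the scan itself fails, because an empty `jq` result contains no digit for `grep` to match. The gate below is an added example, not part of Specter: it reads the JSON report format shown earlier and fails closed. The `gate` function, its own 0/1/2 return codes and the severity labels other than `HIGH` are assumptions, and the sample report is constructed.

```python
import json
import sys

# Severity labels other than "HIGH" are assumed; only "HIGH" appears on this page.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample, trimmed to the fields of the JSON output shown above.
SAMPLE_REPORT = json.dumps({"results": {
    "22": {"port": 22, "protocol": "tcp", "vulnerabilities": [],
           "service_detection": {"service": "openssh", "confidence": 0.9}},
    "443": {"port": 443, "protocol": "tcp",
            "service_detection": {"service": "nginx", "version": "1.18.0",
                                  "confidence": 0.94},
            "vulnerabilities": [{"cve_id": "CVE-2021-23017", "severity": "HIGH"}]},
}})


def gate(report_text, scanner_exit=0, min_severity="HIGH", min_confidence=0.5):
    """Return (exit_code, messages): 0 = pass, 1 = blocking CVEs, 2 = scan unusable."""
    if scanner_exit != 0:
        return 2, [f"scanner exited with code {scanner_exit}"]
    try:
        results = json.loads(report_text)["results"]
        ports = sorted(results.items(), key=lambda kv: int(kv[0]))
    except (ValueError, KeyError, TypeError, AttributeError):
        # Empty, truncated or unexpected output must not count as "no CVEs".
        return 2, ["report is missing or not in the expected shape"]
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for port, entry in ports:
        detection = entry.get("service_detection") or {}
        if detection.get("confidence", 0.0) < min_confidence:
            continue  # weak fingerprint match: do not block the build on it
        for vuln in entry.get("vulnerabilities") or []:
            severity = str(vuln.get("severity", "")).upper()
            # An unrecognised severity label blocks rather than passes.
            if SEVERITY_RANK.get(severity, 99) >= threshold:
                findings.append("{}/{} {} {}: {} ({})".format(
                    port, entry.get("protocol"), detection.get("service"),
                    detection.get("version"), vuln.get("cve_id"), severity))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, messages = gate(sys.stdin.read(),
                          int(sys.argv[1]) if len(sys.argv) > 1 else 0)
    print("\n".join(messages))
    sys.exit(code)
```

In CI, write the report with `--json-output results.json`, capture Specter's exit status, and pass that status as the script's first argument with the report on standard input.
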
- Increase timeout: `--timeout 3000`
- Check network connectivity: `ping example.com`
- Try nmap for comparison: `nmap -p 1-1000 example.com`

- Lower confidence threshold: `--min-confidence 0.3`
- Enable verbose mode: `--verbose` to see features
- Check fingerprint database: `--fingerprint-db`

- Increase concurrency: `--concurrency 200`
- Use fast profile: `--profile fast`
- Scan fewer ports: `--ports 1-100`

- Increase timeout: `--timeout 5000`
- Check firewall rules
- Verify target is reachable

Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Submit a pull request
```bash
# Clone the repo
git clone https://github.com/xkillx/specter.git
cd specter
# Run tests
cargo test
# Run with debug output
cargo run -- scan example.com -vv --probes
# Build release
cargo build --release
```

MIT License - see LICENSE for details.
- Inspired by nmap, masscan, and zmap
- Built with Rust and the Tokio async runtime
- Uses clap for CLI parsing and indicatif for progress bars
This tool is for educational and authorized security testing purposes only. Unauthorized scanning of networks you do not own or have permission to test is illegal. Use responsibly.