loading
loading
Discovery
Runs port scans through public websites that scan a target on your behalf.
overview
scanless finds open ports on a target by asking public port-scan websites to run the scan for you, so the probe traffic originates from that third-party service rather than your own host. It wraps several free scanners, including HackerTarget, ipfingerprints, spiderip, standingtech, t1shopper, viewdns, and yougetsignal, behind one command-line interface and library.
The appeal is indirection. When you want a port reading on an IP or domain without sending packets from your infrastructure, scanless routes the request through a website that does the scanning. Point it at one service with --scanner, pick one at random with --random, or run them all with --all and compare. Coverage and reliability depend on whichever third-party site answers.
On Trickest, scanless is a Discovery node that takes a target IP or domain and writes a file and a folder of results. Use it for a low-footprint, no-direct-traffic port check early in recon, then confirm anything interesting with a direct scanner like nmap or rustscan.
source github.com/vesche/scanless
use cases
Route the scan through a public website so the probe comes from that service, keeping your own infrastructure off the target's logs.
Run every service with --all and compare their port readings, since each third-party scanner sees the target slightly differently.
Choose a specific service with --scanner or spread requests across the pool with --random when one site is rate-limiting or down.
Get an early open-port reading on an IP or domain before committing to a direct, higher-footprint scan with another tool.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | --target | IP or domain to scan. |
| scanner | STRING | --scanner | Scanner to use (default: hackertarget). |
| all | BOOLEAN | --all | Use all the scanners. |
| random | BOOLEAN | --random | Use a random scanner. |
Showing key inputs. scanless exposes 4 inputs in total.
example
# route a port scan through the default service (HackerTarget)scanless --target example.com --scanner hackertargetStarting Nmap 7.94 ( https://nmap.org ) at 2026-06-22 14:03 UTCNmap scan report for example.com (203.0.113.34)Host is up (0.052s latency).Not shown: 995 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http443/tcp open https3306/tcp open mysql8080/tcp open http-proxyguidance
Reach for scanless when you want a port reading without sending packets from your own host, accepting that coverage depends on third-party sites. For full control, speed, and depth, use a direct scanner like rustscan or nmap instead.
Fast direct port scanner when you can send traffic from your own infrastructure.
Deep direct scanner with service detection and scripting, the opposite of an indirect read.
Fast Go port scanner for direct, controllable discovery.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A target feeds scanless, which routes the port scan through public websites and writes the reported open ports as a queryable output.
Facts on this page come from the live Trickest tool library.