Fast TLS/SNI scanner. Finds IPs that accept a TLS handshake with a specific SNI hostname.
Download the binary for your platform from Releases.
| File | Platform |
|---|---|
scanner-linux-amd64 |
Linux x64 |
scanner-linux-arm64 |
Linux ARM |
scanner-macos-amd64 |
macOS Intel |
scanner-macos-arm64 |
macOS Apple Silicon |
scanner-windows-amd64.exe |
Windows x64 |
scanner [flags] <target>Target can be a single IP, CIDR range, or a file with one entry per line.
# Single IP
scanner 11.11.11.11
# Subnet
scanner 11.11.11.0/24
# Large range (auto-scales workers)
scanner 11.11.11.0/16
# IPv6
scanner 2600:9000:5206::/48
# File with multiple CIDRs
scanner ip.txt| Flag | Default | Description |
|---|---|---|
--workers |
auto | Goroutines for scheduling |
--connections |
500 | Max simultaneous TCP sockets — lower if getting 0 results on large scans |
--timeout |
4s | Per-connection deadline — increase if missing borderline hosts |
--sni |
built-in | TLS SNI hostname to test |
--port |
443 | Target TCP port |
--output |
results.txt | File to append results (live, survives Ctrl+C) |
--version |
Print version and exit |
Results are printed live and appended to results.txt:
✓ 11.11.11.11 TLS-OK
~ 11.11.11.12 TCP-OK / TLS-FAIL: remote error: tls: handshake failure
✓ TLS-OK— full handshake succeeded with the target SNI~ TCP-OK / TLS-FAIL— TCP connected but TLS was rejected
- If a large scan (
/16) finds 0 results but a small scan (/24) finds some, lower--connections:scanner 11.11.0.0/16 --connections 300
- If a host shows up in small scans but not large ones, it's a slow responder — increase
--timeout:scanner 11.11.0.0/16 --timeout 8s
- Press
Ctrl+Cto stop — results found so far are already saved.