Free Download

Sherlock Forensics Port Scanner Network Security Assessment Tool

Free TCP port scanner with service detection and attack surface mapping. Built by CISSP, ISSAP and ISSMP certified security professionals. SHA256 verified.

Sherlock Forensics Port Scanner is a free Windows desktop application for TCP port scanning and service detection. It identifies open ports, grabs service banners and maps the attack surface of target hosts. Designed for penetration testers, compliance auditors and system administrators who need a lightweight GUI scanner without command-line complexity.

Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.

Quick Answer

Which Port Scanner Do You Need?

Your scenarioBest toolWhy
Penetration test on Linux/macOS with CLI scriptingNmap (free, CLI)Industry-standard, scriptable, NSE plugins
Network reconnaissance with stealth + IDS evasionNmap with -T0 -f flagsDecade-honed evasion techniques
Quick port enumeration on Windows without installerSherlock Forensics Port Scanner (Free)No install Windows port scanner, no admin, no PATH config
Network audit with audit-trail + forensic-grade outputSherlock Forensics Port Scanner (Free)Ed25519-signed output, court-ready forensic port scan log
IT admin doing quick "is service up" checksSherlock Forensics Port Scanner (Free)GUI port scanner, no CLI flag memorization
Vulnerability scanning (CVE matching, exploit detection)Nessus / OpenVAS / QualysSherlock and Nmap are port scanners, not vulnerability scanners

Download Free Port Scanner   Start scanning in 60 seconds. No install required. The Nmap alternative for Windows IT admins.

Overview

What Sherlock Forensics Port Scanner Does

Sherlock Forensics Port Scanner performs TCP connect scans against target hosts to identify open ports and running services. It operates without WinPcap or Npcap dependencies and requires no elevated privileges. The tool scans individual hosts or CIDR ranges and exports results to CSV for integration with vulnerability management workflows.

Every scan produces a timestamped record of open ports with service identification derived from banner grabbing. This data feeds directly into penetration test documentation, compliance audit reports and network inventory assessments.

Core Features

TCP Connect Scanning
Full TCP handshake scanning on any port range from 1 to 65535. No raw socket requirements. Works without admin privileges on standard Windows installations.
Service Banner Grabbing
Identifies software and version strings on open ports. Detects web servers, SSH daemons, FTP services, database listeners and other common network services.
Custom Port Ranges
Scan the top 1000 ports by default or specify custom ranges. Target individual ports, comma-separated lists or continuous ranges for focused assessments.
CIDR Range Support
Scan entire subnets using CIDR notation. Useful for network inventory and identifying unauthorized services across a network segment.
CSV Export
Export scan results with timestamp, target host, port number, protocol, state and service identification. Import directly into spreadsheets or reporting tools.
SHA256 Verification
Published SHA256 hash for download integrity verification. Confirm the installer has not been tampered with before execution.

Use Cases

Who Uses Sherlock Forensics Port Scanner

Penetration Test Recon

Security consultants use Sherlock Forensics Port Scanner during the reconnaissance phase of penetration testing engagements. Identify open ports and running services before launching targeted vulnerability assessments. Export results for inclusion in forensic investigation documentation.

Compliance Audits

Verify that only authorized services are exposed on production networks. Document open ports for PCI-DSS, HIPAA and SOC 2 compliance audits. CSV exports provide timestamped evidence for audit trails and regulatory submissions.

Sysadmin Troubleshooting

Diagnose connectivity issues by confirming whether services are listening on expected ports. Identify rogue services or misconfigured firewalls. Scan after patching to verify that unnecessary services have been properly disabled.

Compare

Sherlock Forensics Port Scanner vs Nmap: The Friendly Nmap Alternative

FeatureSherlock Forensics Port ScannerNmap
InterfaceNative Windows GUICommand line (Zenmap GUI separate)
InstallationSingle .exe, no dependenciesRequires Npcap/WinPcap driver
Admin privilegesNot requiredRequired for SYN scans
TCP connect scanYesYes
SYN/stealth scanNoYes
Service detectionBanner grabbingAdvanced probes
NSE scriptingNoYes
OS fingerprintingNoYes
CSV exportYesXML/grep output
Learning curveMinimalSignificant
PriceFreeFree (open source)

Different Tools for Different Needs

Nmap is the industry standard for network reconnaissance with unmatched depth in scripting and OS fingerprinting. Sherlock Forensics Port Scanner is not a Nmap replacement for the red-team or pen-test workflow. As a Nmap alternative for the Windows IT-admin and blue-team workflow it fills a different role: a lightweight Windows port scanner GUI for quick assessments without command-line syntax, Npcap driver installations or admin privileges. The Nmap alternative argument: use Nmap when you need NSE scripting, SYN scans or stealth network reconnaissance. Use Sherlock as the friendly Nmap alternative for fast visual scans during forensic field triage, compliance audit checks, IT troubleshooting and any case where the buyer needs a GUI port scanner without paying the Nmap learning-curve tax.

Two practical Nmap alternative considerations: the EDR triggering profile and the audit trail. A standard Nmap fingerprint is detected by every modern EDR, which forces external pen-testers into evasion mode. Sherlock looks like a generic Windows port scanner network tool and does not trip the same EDR signatures. For audit-trail work, Nmap produces grepable output but no built-in cryptographic hash chain; Sherlock writes an Ed25519-signed scan log that drops into court-ready forensic port scan reporting. As a Nmap alternative for the forensic + audit-grade end of the buyer market, this is the practical differentiator. See our USB Blocker Pro for the parallel forensic field triage tooling and our Email Analyzer for the incident-response cross-product mesh.

Scan Mechanics

TCP Port Scanning and Service Banner Grabbing

Sherlock Forensics Port Scanner runs TCP connect scanning with service banner grabbing on every identified open port. The connect scan completes the three-way handshake (SYN, SYN-ACK, ACK) using normal Windows socket APIs, which means no raw-socket admin privileges, no Npcap driver and no EDR-fingerprint risk. UDP port scanning is not supported in v0.1.7. For UDP work use Nmap with appropriate privileges.

TCP Connect Scan

TCP connect scanning uses the three-way handshake to determine port state. A successful handshake means the port is open and a service is listening. The connect scan is reliable and visible in target-side connection logs, which is the auditable behavior the forensic port scan use case wants. Nmap also supports SYN scanning (half-open, harder to detect in connection logs) which requires raw socket access and admin privileges. Sherlock does not offer SYN scanning by design. For an internal IT-admin compliance TCP port scan or forensic port scan use case, the standard connect-scan approach is sufficient and avoids the EDR fingerprint risk.

Service Banner Grabbing

Once a port is found open, service banner grabbing identifies what is actually running. Sherlock performs a passive 256-byte read on each open port with an 800ms timeout. The banner and detected version string appear in the CSV output BANNER and VERSION columns for forensic-record completeness. Common service detection results: SSH-2.0-OpenSSH version strings, HTTP Server headers, FTP welcome banners, SMTP greetings, DNS server identification strings. Service detection at this layer feeds the network reconnaissance documentation that downstream IT admin and forensic port scan work needs.

Ed25519-Signed CSV Output

Every CSV export ships with a verifiable sidecar at <csv>.sig.json containing the SHA-256 of the CSV bytes, the ed25519 signature, the per-installation public key and a UTC timestamp. The sidecar is verifiable with any standard ed25519 verifier. This is the load-bearing forensic-credibility differentiator versus Nmap's grepable text output.

When GUI Wins

When Sherlock Port Scanner Beats CLI Tools for Forensic Work

Nmap and other CLI tools dominate the offensive-security port-scanner workflow. For the defensive and forensic workflow the GUI port scanner story is different. Four scenarios where Sherlock as a GUI port scanner beats Nmap and other CLI port scanner tools:

Forensic Field Triage

On-scene forensic port scan work demands chain of custody on the scan output. Sherlock's Ed25519-signed scan log captures every port scanned, every response, every timestamp, with a cryptographic hash chain that holds up in court. A CLI Nmap output stays grepable text without built-in tamper-evident structure; producing the same forensic port scan documentation from Nmap requires wrapping it in custom tooling. Sherlock ships the forensic port scan output natively.

No-Install Windows Port Scanner

Locked-down corporate Windows endpoints typically deny Npcap driver installation and reject admin-required network tools. Sherlock runs as a single signed .exe with no install Windows port scanner deployment. The no install port scanner footprint is what makes this practical at scale. The IT-admin can scan from a user-mode desktop session without privilege escalation. This makes Sherlock the practical no install port scanner choice for compliance audits, vendor-network triage and incident response where admin credentials are not available.

EDR-Friendly Network Reconnaissance

Modern EDR signatures detect Nmap-style network reconnaissance via fingerprint heuristics on packet timing, probe payloads and CLI process names. Sherlock looks like a generic Windows port scanner network tool from the EDR perspective and does not trigger the same fingerprint. For internal-blue-team network reconnaissance work that should not generate noisy alerts in the SOC's EDR console, the GUI port scanner avoids the operational friction.

Court-Ready Forensic Port Scan Reporting

For evidentiary forensic port scan work, the report format matters. Sherlock's forensic PDF output combines the scan parameters, every probe result, the Ed25519 signature chain and an examiner attestation block. The court-ready forensic port scan report drops into evidence packets and survives cross-examination on integrity. CLI Nmap output is convertible to PDF with custom tooling but the format is not court-tuned out of the box. For background on the parallel mid-market vs enterprise positioning in adjacent categories see our Cellebrite vs Magnet AXIOM 2026 comparison and the Disk Imager for the cross-product forensic field triage kit.

Download

Get Sherlock Forensics Port Scanner

Version 0.1.7 for Windows 10/11 (64-bit). Single executable, no installation dependencies.

File
sherlock-port-scanner.exe
SHA256
a89ce451f276f06b9621aff3b40e1a3920d0b52a0cd931ea62bfd4f939963505
Version
0.1.7
Platform
Windows 10/11 (64-bit), Linux x64

Release History

Port Scanner Release Notes

v0.1.7 (2026-06-11)

  • Ed25519-signed CSV export with verifiable sidecar at <csv>.sig.json. Per-installation ed25519 keypair. Sidecar carries SHA-256 of the CSV bytes and the ed25519 signature, public key and UTC timestamp
  • Service banner grabbing on open ports. Passive 256-byte read with 800ms timeout. BANNER and VERSION columns added to CSV output
  • EV code-signed binary (Sherlock Forensics Ltd, SSL.com EV intermediate). SHA-256: a89ce451f276f06b9621aff3b40e1a3920d0b52a0cd931ea62bfd4f939963505. TSA countersignature present, chains to 2034. Commit reference cfbde37
  • Internal versions 0.1.5 and 0.1.6 not released (scope-stabilization)

v0.1.4 (2026-04-18)

  • Initial public release. TCP connect scanning with CSV export, custom port ranges and CIDR support

SHA-256: 36db84afc920fba4df0a91493e22f54b47e4cd10d4d3fcc7fff7dec08717417c

Questions

Port Scanner FAQ

Is Sherlock Forensics Port Scanner free?
Yes. Sherlock Forensics Port Scanner is completely free with no trial period, no feature restrictions and no expiry. Download, install and scan with no limitations.
How does Sherlock Forensics Port Scanner compare to Nmap?
Nmap is the industry standard command-line scanner with extensive scripting capabilities. Sherlock Forensics Port Scanner provides a lightweight GUI alternative that requires no installation complexity, no command-line knowledge and no WinPcap/Npcap dependencies. It is designed for quick assessments rather than advanced scripting.
Is port scanning legal?
Port scanning systems you own or have written authorization to test is legal in most jurisdictions. Scanning systems without authorization may violate computer fraud laws including the CFAA in the United States and the Criminal Code in Canada. Always obtain written permission before scanning any network you do not own.
What ports does Sherlock Forensics Port Scanner check?
By default Sherlock Forensics Port Scanner checks the top 1000 TCP ports as defined by service frequency data. You can also specify custom port ranges or scan all 65535 TCP ports for a comprehensive assessment.
Does it detect running services?
Yes. Sherlock Forensics Port Scanner performs service banner grabbing on open ports to identify the software and version running on each port. This includes web servers, SSH, FTP, database servers and other common network services.
Can I export scan results?
Yes. Scan results can be exported to CSV format for import into spreadsheets, vulnerability management tools or forensic reports. Each export includes timestamp, target host, port number, protocol, state and service identification.
Does it require admin privileges?
No. Sherlock Forensics Port Scanner uses standard TCP connect scanning which does not require elevated privileges, WinPcap or Npcap. It runs as a normal user application on Windows 10 and Windows 11.
Does Sherlock Forensics Port Scanner work on Linux?
Yes. Sherlock Forensics Port Scanner is available as a native Linux x64 binary. Download the .tar.gz archive, extract and run. Requires libgtk-3, libfontconfig1 and libxkbcommon.
Is Sherlock Port Scanner an Nmap alternative?
Yes, for the Windows IT-admin, blue-team and forensic field triage buyer. As a Nmap alternative for these buyers Sherlock wins on three vectors: GUI port scanner ergonomics versus Nmap CLI flag memorization, no install Windows port scanner deployment versus Nmap Npcap driver requirements and Ed25519-signed forensic port scan output versus Nmap's grepable-text. For penetration testing, SYN scans, NSE scripting and stealth network reconnaissance, Nmap stays the right tool. The Nmap alternative argument is a workflow-fit decision, not a feature-for-feature replacement.
Is Sherlock Port Scanner a vulnerability scanner?
No. Sherlock Port Scanner is a port scanner with service detection. It identifies open ports and the services listening on them but does not match findings against CVE databases or attempt exploitation. For vulnerability scanning (CVE matching, exploit detection, security configuration assessment) use Nessus, OpenVAS or Qualys. Sherlock and Nmap both fit the port scanner category; vulnerability scanners are an adjacent product category.
Why doesn't Sherlock Port Scanner trigger EDR like Nmap does?
Modern EDR signatures detect Nmap via fingerprint heuristics on packet timing, probe payloads and the Nmap CLI process name. Sherlock looks like a generic Windows port scanner network tool from the EDR perspective and does not trigger the same signatures. For internal blue-team network reconnaissance work where the goal is forensic field triage rather than red-team simulation, EDR-friendly scanning behavior is preferred. As a Nmap alternative for this defensive-side workflow Sherlock avoids the operational friction of Nmap fingerprint detection in the SOC's EDR console.
Can I use Sherlock Port Scanner for penetration testing?
For reconnaissance phase work in an internal-blue-team or compliance-audit pen test, yes. Sherlock handles the port scanner + service detection inventory step cleanly. For external red-team penetration testing requiring stealth network reconnaissance, IDS evasion, SYN scanning, NSE script-based vulnerability probing or OS fingerprinting, Nmap stays the right tool. Sherlock as a Nmap alternative covers the defensive-side network reconnaissance use cases; for offensive-side work the Nmap CLI feature set is unmatched.
What's the difference between TCP connect scan and SYN scan?
TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK) and uses normal Windows socket APIs. The connection appears in target-side application logs. SYN scan (half-open scan) sends only the SYN, observes the SYN-ACK response and never completes the handshake. SYN scan is harder to detect in connection logs but requires raw socket access and admin privileges, which is the EDR-triggering path. Sherlock supports TCP connect scan only by design; for SYN scanning use Nmap with raw socket privileges. The TCP connect scan that Sherlock uses is sufficient for forensic port scan and IT-admin audit use cases.

Get Started

Download Sherlock Forensics Port Scanner

Free network security scanner built by CISSP, ISSAP and ISSMP certified forensic professionals. Need a full penetration test or security assessment? Contact our team.

Since 2006CISSP, ISSAP, ISSMP certified888.883.4550

Linux requires: libgtk-3, libfontconfig1, libxkbcommon. See install instructions.

Sherlock Forensics Port Scanner is provided for lawful use only. Unauthorized scanning of networks you do not own may violate applicable laws. Terms of Service

Download

Your email is optional. If you provide it, we send 3 product introduction emails over the next 2 weeks. No long-term marketing. No data sharing. Skip the field and download directly.