Part of series: cheatsheet
How to scan for services without nmap
Port discovery without nmap (Linux)
You will encounter compromised Linux hosts where nmap is not installed or transferring a static nmap binary is not feasible.
Bash
There is a handy Bash one-liner that tries a TCP connection to every port from 1 to 65535 and prints each one that is open:
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
Note: /dev/tcp is a Bash feature, not a real device file, so this works only under Bash (not sh or dash). No timeout is set, so the loop can stall for a long time on ports whose packets are silently dropped.
There is also the option to use netcat to scan for TCP and UDP ports.
netcat
TCP scan:
nc -nvv -w 1 -z 192.168.50.152 3388-3390
- -n: no DNS resolution
- -vv: very verbose output (reports each port as it is tried)
- -w 1: connection timeout of 1 second
- -z: zero-I/O mode (used for scanning, sends no data)
UDP scan (-u). Note that netcat reports a UDP port as open unless an ICMP port unreachable message comes back, so ports behind a firewall that drops traffic also show up as open:
nc -nv -u -z -w 1 192.168.50.149 120-123
Port discovery without nmap (Windows)
On Windows we can use PowerShell's Test-NetConnection to test for a specific open port (e.g. 445):
Test-NetConnection -Port 445 192.168.50.151
To test the first 1024 ports, we can use this one-liner (Connect() throws on a closed port, which aborts the echo; the error output is discarded with 2>$null):
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
Note: It takes some time to scan all 1024 ports.
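All three methods on this page perform a full TCP connect per port, so every probe completes a handshake (or produces a firewall log entry) on the target, and a sequential sweep stands out clearly in host logs. The following Python detector is an added example, not part of the original cheatsheet: it parses iptables-style LOG lines (constructed sample data with made-up addresses) and flags any source that touches many distinct ports on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches iptables/nftables LOG lines for TCP connection attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def build_sample_log():
    """Constructed log lines (not captured traffic): a sequential connect sweep
    of ports 20-45 from 10.0.0.5, as the loops above produce, interleaved with
    two ordinary connections from 10.0.0.9."""
    lines = []
    for i, port in enumerate(range(20, 46)):
        lines.append(f"Jan 10 12:00:{i:02d} host kernel: IN=eth0 SRC=10.0.0.5 "
                     f"DST=10.0.0.20 PROTO=TCP DPT={port} SYN")
    lines.append("Jan 10 12:00:05 host kernel: IN=eth0 SRC=10.0.0.9 "
                 "DST=10.0.0.20 PROTO=TCP DPT=443 SYN")
    lines.append("Jan 10 12:00:30 host kernel: IN=eth0 SRC=10.0.0.9 "
                 "DST=10.0.0.20 PROTO=TCP DPT=80 SYN")
    return lines

def parse(lines, year=2024):
    """Extract (timestamp, src, dst, dport) from matching lines; syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events

def find_sweeps(events, window_s=60, min_ports=10):
    """Return {(src, dst): n} for pairs where one source touched at least
    min_ports distinct TCP ports on one host within window_s seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))
    hits = {}
    for pair, probes in by_pair.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits
```

Running find_sweeps(parse(build_sample_log())) reports the sweep from 10.0.0.5 (26 distinct ports in 60 seconds) and ignores the two normal connections from 10.0.0.9.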