Bash instead?

Nmap is great, but sometimes you don’t really need it. If you just need to see whether a port is roughly open, this trick using straight-up Bash can be sufficient.

:-> $ echo > /dev/tcp/sshisup.xed.ch/22
:-> $ echo > /dev/tcp/sshisdn.xed.ch/22
-bash: sshisdn.xed.ch: System error
-bash: /dev/tcp/sshisdn.xed.ch/22: Invalid argument
:-< $

See "Network Madness" in my Bash notes for more.
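The bare `echo > /dev/tcp/...` form has one catch: a filtered port (no RST coming back) makes the shell sit there for the full TCP connect timeout. Below is an added example, not from the original notes, that wraps the same trick in a function with a timeout and distinguishes open, closed and filtered; it assumes bash with network redirections enabled and coreutils `timeout`.

```shell
#!/usr/bin/env bash
# tcp_probe HOST PORT [SECONDS]
# Prints "open", "closed" or "filtered/timeout" and sets the exit status:
#   0 = open, 1 = closed (connection refused / DNS failure), 2 = timeout,
#   3 = bad port argument.  Default timeout is 3 seconds.
tcp_probe() {
  host=$1; port=$2; secs=${3:-3}
  # Reject anything that is not a TCP port number before bash sees it,
  # otherwise you get the "Invalid argument" error shown above.
  case $port in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 3 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -le 0 ] || [ "$port" -gt 65535 ]; then
    echo "bad port: $port" >&2; return 3
  fi
  # Bash resolves the name and connects when the redirection is opened.
  # Doing that in a child bash lets `timeout` kill a hanging connect.
  # `exec 3<>` opens the socket without sending any bytes (echo would
  # send a newline); the descriptor is closed when the child exits.
  timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  rc=$?
  case $rc in
    0)   echo open;             return 0 ;;
    124) echo filtered/timeout; return 2 ;;
    *)   echo closed;           return 1 ;;
  esac
}

# Example run (port 1 on loopback is normally closed, so this prints "closed"):
tcp_probe 127.0.0.1 1
```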

What’s going on with a known host?

Normal useful nmap command:

sudo nmap -A example.xed.ch

This needs root. The -A option turns on OS detection together with version detection. Using -O instead works, but it isn’t as clever and sometimes can’t identify the OS.

Looking for unknown hosts on a network range

This will take a long time but produce results about a /24 network:

sudo nmap -A 192.168.1.*
sudo nmap -A 192.168.1.0/24

This one is from my updater script. Works pretty fast.

/usr/bin/nmap -sP 10.1.1.2-254 192.168.14.2-254 -oG - | /bin/grep "Status: Up" | /bin/sed "s/^.*(\\(.*\\)).*$/\\1/"