What’s going on with a known host?

Normal useful nmap command:

sudo nmap -A example.xed.ch

This needs root. The -A option enables OS and version detection. Using -O instead works, but it isn’t as clever and sometimes can’t identify the OS.

Looking for unknown hosts on a network range

This will take a long time, but it produces results for a whole /24 network:

sudo nmap -A 192.168.1.*
sudo nmap -A

This one is from my updater script. Works pretty fast.

/usr/bin/nmap -sP -oG - | /bin/grep "Status: Up" | /bin/sed "s/^.*(\\(.*\\)).*$/\\1/"

Simple Scan

I’ve been having good luck with this as a shell alias for discovering which IPs on a network have something going on.

alias scan='/usr/bin/nmap -sP -oG - | /bin/grep "Status: Up"'
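The grepable (-oG) output that the updater script and the alias above pipe through grep is a simple line-oriented format: each live host appears as a "Host: <ip> (<hostname>)" line followed by "Status: Up". The author's sed pulls out the parenthesised hostname field. As an added example that is not part of the original notes, here is a small parser that prints the IP and hostname of every host reported up, run against a constructed sample of -oG output (not a real scan):

```shell
#!/usr/bin/env bash
# Constructed sample of "nmap -sP -oG -" output (not from a real scan).
# Real output separates the host field and the status field with a tab.
sample_og() {
    printf '# Nmap scan initiated as: nmap -sP -oG - 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.7 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.9 (printer.lan)\tStatus: Down\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
}

# Read -oG output on stdin; print "<ip> <hostname>" for each host that is up.
# A host with no reverse DNS name shows up as "()" and is printed as "-".
up_hosts() {
    awk '/^Host: / && /Status: Up/ {
        name = $3                      # "(hostname)" or "()"
        gsub(/[()]/, "", name)
        print $2, (name == "" ? "-" : name)
    }'
}

# Same filter, IPs only (handy for feeding another tool).
up_ips() {
    up_hosts | cut -d ' ' -f 1
}

# Usage with a real scan (NET is an assumed placeholder, e.g. 192.168.1.0/24):
#   sudo nmap -sP -oG - "$NET" | up_hosts
# Offline demonstration on the constructed sample:
sample_og | up_hosts
```

Two caveats: -sP is the older spelling of -sn (ping scan only, no port scan) and current nmap versions accept both; and a host that does not answer the ping probes at all is simply absent from the "Up" list, which is not the same as proof that nothing is there.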

Bash instead?

Nmap is great, but sometimes you don’t really need it. If you just need to see whether a port is open, this trick uses straight-up Bash. Not only can Bash be sufficient, but for simple things it can be much quicker than nmap’s elaborate scanning.

:-> $ echo > /dev/tcp/sshisup.xed.ch/22
:-> $ echo > /dev/tcp/sshisdn.xed.ch/22
-bash: sshisdn.xed.ch: System error
-bash: /dev/tcp/sshisdn.xed.ch/22: Invalid argument
:-< $

See "Network Madness" in my Bash notes for more.

My main usage is to see what hosts on my network accept SSH connections.

for H in /dev/tcp/192.168.1.{1..254}/22; do \
((timeout 2 bash -c "(>${H})" 2>/dev/null && echo "SSH UP: ${H}")&); done

What hosts are returning ping packets?

for H in 137.110.138.{1..254}; do \
((ping -c3 ${H} >&/dev/null && echo "PING UP: ${H}")&); done