What’s going on with a known host?

Normal useful nmap command:

sudo nmap -A example.xed.ch

This needs root. The -A ("aggressive") option turns on OS detection (-O), version detection (-sV), the default script scan (-sC) and traceroute; the OS fingerprinting part sends raw packets, which is why nmap will not run -A without root. Using -O instead also works, but it is not as clever: the -sV probes often reveal the OS in service banners (nmap prints it as "Service Info"), while a bare -O has only the TCP/IP fingerprint to go on and sometimes reports no exact match. Adding --osscan-guess makes it show its closest guesses anyway.

Looking for unknown hosts on a network range

This will take a long time, because it runs the full -A port, version and script scan against all 254 addresses, but it produces a thorough inventory of a /24 network (both spellings below cover the same range):

sudo nmap -A 192.168.1.*
sudo nmap -A 192.168.1.0/24

This one is from my updater script. Works pretty fast. It is fast because -sP (the old name for -sn, which current nmap still accepts) is a ping scan that skips port scanning entirely. The sed keeps only the reverse-DNS name from the parentheses in the grepable "Host:" line, so a host with no PTR record comes out as an empty line.

/usr/bin/nmap -sP 10.1.1.2-254 192.168.14.2-254 -oG - | /bin/grep "Status: Up" | /bin/sed "s/^.*(\\(.*\\)).*$/\\1/"

Simple Scan

I’ve been having good luck with this as a shell alias for discovering which IPs on a network have something going on.

alias scan='/usr/bin/nmap -sP 192.168.1.1-254 -oG - | /bin/grep "Status: Up"'
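Both the updater one-liner and the alias above work by grepping "Status: Up" out of nmap's grepable output. Here is an added example (not code from these notes) that does the same parsing as a pair of shell functions and handles the host-with-no-PTR case, which the sed version turns into a blank line. The scan output it parses is constructed inline so it runs without a network; the addresses and hostnames in it are made up.

```bash
#!/usr/bin/env bash
# Added example, not code from the original notes: parse nmap's grepable
# (-oG) output instead of grepping and sed-ing it inline. Each live host comes
# out as "IP NAME", with "-" standing in for a missing reverse-DNS name, so the
# output stays one line per host and is safe to feed to a loop.

# parse_up_hosts: read -oG text on stdin, print "IP NAME" for every host whose
# Status is Up. In -oG output the host line looks like
#   Host: 192.168.1.1 (router.lan)<TAB>Status: Up
# and a host with no PTR record has empty parentheses: "Host: 192.168.1.5 ()".
parse_up_hosts() {
  awk '
    /^#/ { next }                         # banner and footer comment lines
    /^Host: / && /Status: Up/ {
      ip = $2; name = $3                  # whitespace split: $3 is "(name)" or "()"
      gsub(/[()]/, "", name)
      if (name == "") name = "-"
      print ip, name
    }'
}

# up_ips: just the addresses, for use in a for loop or an ssh batch.
up_ips() { parse_up_hosts | awk '{ print $1 }'; }

# sample_grepable: constructed -oG output standing in for a real scan so the
# script runs offline. The addresses and hostnames are made up.
sample_grepable() {
  printf '%s\n' '# Nmap 7.93 scan initiated Sat Jan  1 12:00:00 2023 as: nmap -sn -oG - 192.168.1.0/24'
  printf 'Host: %s (%s)\tStatus: %s\n' \
    192.168.1.1 router.lan Up \
    192.168.1.5 ''         Up \
    192.168.1.9 ''         Down
  printf '%s\n' '# Nmap done at Sat Jan  1 12:00:03 2023 -- 256 IP addresses (2 hosts up) scanned in 2.50 seconds'
}

# Against a real network the input would come from nmap itself:
#   sudo nmap -sn 192.168.1.0/24 -oG - | parse_up_hosts
sample_grepable | parse_up_hosts
```

Because the awk splits on whitespace and matches "Status: Up" anywhere on the line, it does not care whether the fields are tab- or space-separated, and the "#" lines nmap adds at the top and bottom are dropped rather than mangled.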

Bash instead?

Nmap is great, but sometimes you don't really need it. If you just need to see whether a TCP port is open, this trick uses straight-up Bash: redirecting to /dev/tcp/HOST/PORT makes Bash open a TCP connection to that host and port. It is a Bash feature, not a real file under /dev, so it does not work in sh or dash.

:-> $ echo > /dev/tcp/sshisup.xed.ch/22
:-> $ echo > /dev/tcp/sshisdn.xed.ch/22
-bash: sshisdn.xed.ch: System error
-bash: /dev/tcp/sshisdn.xed.ch/22: Invalid argument
:-< $

Not only can Bash be sufficient but for simple things it can be much quicker than nmap's elaborate scanning. Two caveats: it is a plain TCP connect, so it only tells you whether the port accepted the connection, and against a port that silently drops packets the redirection blocks until the kernel gives up on the connect, so wrap it in timeout as the loop below does. See "Network Madness" in my Bash notes for more.

My main usage is to see what hosts on my network accept SSH connections.

for H in /dev/tcp/192.168.1.{1..254}/22; do \
((timeout 2 bash -c "(>${H})" 2>/dev/null && echo "SSH UP: ${H}")&); done
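Here is an added example (not from these notes) that packages the /dev/tcp trick from the loop above into reusable functions: a probe with a timeout whose exit status distinguishes an accepted connection, a refused one and no answer at all, plus a parallel sweep that collects the hosts that responded. The 192.168.1.x addresses in the usage comment are placeholders; when run as-is it only probes the local machine, which needs no network.

```bash
#!/usr/bin/env bash
# Added example, not code from the original notes. Bash opens a TCP connection
# when you redirect to /dev/tcp/HOST/PORT; these helpers wrap that with a
# timeout and report what happened.

# port_open HOST PORT [SECONDS]
# Exit 0 if HOST:PORT accepted a TCP connection within SECONDS (default 2).
# The probe runs in a child bash under coreutils `timeout`, because a port that
# silently drops the SYN would otherwise block until the kernel gives up on the
# connect (tens of seconds or more). Host and port are passed as arguments, not
# spliced into the -c string, so odd input cannot become shell syntax.
port_open() {
  local host=$1 port=$2 secs=${3:-2}
  timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
}

# probe_state HOST PORT [SECONDS]
# Prints one word: open (connected), closed (refused or unreachable right away)
# or filtered (no answer before the timeout; a powered-off host looks the same).
# Exit status 124 is timeout's own "I had to kill it" code.
probe_state() {
  local rc=0
  port_open "$1" "$2" "${3:-2}" || rc=$?
  case $rc in
    0)   echo open ;;
    124) echo filtered ;;
    *)   echo closed ;;
  esac
}

# scan_port PORT HOST...
# Probe every host in parallel and print, one per line and sorted numerically,
# the ones that answered. Each probe is a background subshell, so results are
# gathered through a temp file rather than a shell variable.
scan_port() {
  local port=$1; shift
  local tmp h
  tmp=$(mktemp)
  for h in "$@"; do
    ( port_open "$h" "$port" && echo "$h" >>"$tmp" ) &
  done
  wait
  sort -t . -k1,1n -k2,2n -k3,3n -k4,4n "$tmp"
  rm -f "$tmp"
}

# Typical use (addresses are placeholders): which hosts on the LAN take SSH?
#   scan_port 22 192.168.1.{1..254}
# Run directly, this only looks at the local machine.
echo "127.0.0.1:22 is $(probe_state 127.0.0.1 22)"
```

The three-way result is the part the bare one-liner cannot give you: "closed" comes back in milliseconds because the host sent a RST, while "filtered" costs the full timeout, so a sweep that is slow is slow because of hosts that are off or firewalled, not because of the ones that are up.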

What hosts are returning ping packets?

for H in 137.110.138.{1..254}; do \
((ping -c3 ${H} >&/dev/null && echo "PING UP: ${H}")&); done

Hosts that drop ICMP echo requests (a common firewall default) will not show up here even though they are up; the /dev/tcp loop above still finds them if they run a service. A ping to a silent host also lingers until its response timeout expires, so adding -W 1 to the ping (or using -c1 -W1) makes the whole sweep finish in a few seconds.