nmap ("Network Mapper") is an open source tool for network exploration and security auditing. If nmap is not installed, or you do not need its full set of options, you can use the netcat/nc command to scan ports. This is useful for finding out which TCP ports are open, and therefore which services are reachable, on a target machine. nmap can of course be used for port scanning as well.
How do I use nc to scan Linux, UNIX and Windows server port scanning?
If nmap is not installed, try the nc / netcat command as follows. The -z flag tells nc to report whether a port is open rather than hold a connection open and exchange data: nc completes the TCP three-way handshake, sends nothing and disconnects. Note that this is a full connect scan, so each probe shows up in the target's service logs, unlike nmap's half-open SYN scan (-sS). Run nc with the -z and -v flags (without -v most versions print nothing and only the exit status tells you the result). You need to specify the host name / IP address along with a port or port range; keeping the range narrow limits the scan and speeds it up:
    ## syntax ##
    nc -z -v {host-name-here} {port-range-here}
    nc -z -v host-name-here ssh
    nc -z -v host-name-here 22
    nc -w 1 -z -v server-name-here port-Number-here
    ## scan ports 1 to 1023 ##
    nc -zv vip-1.vsnl.nixcraft.in 1-1023
Sample outputs:
    Connection to localhost 25 port [tcp/smtp] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 25 port [tcp/smtp] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 80 port [tcp/http] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 143 port [tcp/imap] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 199 port [tcp/smux] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 783 port [tcp/*] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 904 port [tcp/vmware-authd] succeeded!
    Connection to vip-1.vsnl.nixcraft.in 993 port [tcp/imaps] succeeded!
You can scan individual ports too, by number or by service name from /etc/services:
    nc -zv v.txvip1 443
    nc -zv v.txvip1 80
    nc -zv v.txvip1 22
    nc -zv v.txvip1 21
    nc -zv v.txvip1 smtp
    nc -zvn v.txvip1 ftp
    ## really fast scanner with a 1 second timeout value ##
    netcat -v -z -n -w 1 v.txvip1 1-1023
Sample outputs:
Where,
- -z : Port scanning mode, i.e. zero I/O mode: complete the TCP handshake, send no data and disconnect.
- -v : Be verbose (use -vv to be more verbose). In -z mode nc prints nothing at all without -v; only the exit status (0 when the connection succeeded) tells you the result.
- -n : Numeric-only: do not use DNS to resolve host names. In the OpenBSD nc shipped by Debian and Ubuntu this also disables service-name lookups, so give ports as numbers (21 rather than ftp) when using -n.
- -w 1 : Time out connection attempts after 1 second. A closed port answers with a RST immediately, so the timeout only matters for filtered ports that never answer; without it each such port waits for the full TCP connect timeout and a 1-1023 range scan takes a very long time.
More examples:
    $ netcat -z -vv www.cyberciti.biz http
    www.cyberciti.biz [75.126.153.206] 80 (http) open
     sent 0, rcvd 0
    $ netcat -z -vv google.com https
    DNS fwd/rev mismatch: google.com != maa03s16-in-f2.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f6.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f5.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f3.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f8.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f0.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f7.1e100.net
    DNS fwd/rev mismatch: google.com != maa03s16-in-f4.1e100.net
    google.com [74.125.236.162] 443 (https) open
     sent 0, rcvd 0
    $ netcat -v -z -n -w 1 192.168.1.254 1-1023
    (UNKNOWN) [192.168.1.254] 989 (ftps-data) open
    (UNKNOWN) [192.168.1.254] 443 (https) open
    (UNKNOWN) [192.168.1.254] 53 (domain) open
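To make clear what `nc -z -w 1 host 1-1023` actually does on the wire, here is the same connect scan written out in Python. This is an added example, not code from the original article or from netcat: it does a zero-I/O TCP connect per port, classifies the result the way an operator reads nc's output (open, closed, filtered), applies the -w style timeout, and reproduces the `grep succeeded` step as a function. The demo() helper binds its own listener on 127.0.0.1 on an OS-chosen port and reserves a second, closed port, so everything runs offline; the host and ports are constructed for the demo.

```python
"""TCP connect scanner that mirrors what `nc -z -w 1 host port-range` does.

Added example, not part of the original article. The 127.0.0.1 listener
and the ports used in demo() are constructed so the script runs offline.
"""
import socket
from typing import Dict, Iterable, List

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Zero-I/O probe, like nc -z: finish the handshake, send nothing, close.

    connect() succeeds   -> open      (nc prints 'succeeded!' or 'open')
    RST / ECONNREFUSED   -> closed    (answers at once, -w does not matter)
    no answer within -w  -> filtered  (this is the case where -w 1 saves time)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
            return FILTERED


def parse_ports(spec: str) -> List[int]:
    """Accept nc-style port specs: '22' or '1-1023'."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return list(range(lo, hi + 1))
    return [int(spec)]


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port in turn; nc -z on a range is sequential as well."""
    return {p: probe(host, p, timeout) for p in ports}


def open_ports(results: Dict[int, str]) -> List[int]:
    """The `| grep succeeded` step: keep only ports that completed a handshake."""
    return sorted(p for p, state in results.items() if state == OPEN)


def demo() -> Dict[str, object]:
    """Bind one loopback listener, reserve one closed port, scan both.

    listen() alone is enough: the kernel completes the handshake from the
    backlog, so a service need not call accept() for nc -z to report it open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(5)
    listening = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    refused = tmp.getsockname()[1]
    tmp.close()  # nothing listens on this port now, so connects get a RST

    try:
        results = scan("127.0.0.1", [listening, refused], timeout=1.0)
    finally:
        srv.close()
    return {"listening": listening, "refused": refused, "results": results}


if __name__ == "__main__":
    d = demo()
    for port, state in sorted(d["results"].items()):
        print(f"127.0.0.1 {port} {state}")
    print("open only:", open_ports(d["results"]))
```

The three-way split is the point: nc itself only distinguishes "succeeded" from everything else, so a port that merely times out looks the same as one that is closed. When a scan of a small range takes minutes rather than seconds, that is filtered ports eating the connect timeout, which is exactly what `-w 1` bounds.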
See also
- Scanning network for open ports with the nmap command for more info.
- Man pages: nc(1), nmap(1)



9 comments
I had to add verbosity (-v) to get the output as above. By default my version displayed nothing. (Talking of that, I couldn't figure out how to get its version...)
Hello,
I ran this command on my Ubuntu server but I am not getting the kind of output you provided here. When I use the -z option it does not give any output. If I use the -t option then it gives output for port range 1-100 .. the output is: SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1 only.
I.e. it is scanning port 22 only.
Could you please tell me why the options are not working on Ubuntu?
I had to add -v for it to work for me
    nc -z -v 127.0.0.1 22
    Connection to 127.0.0.1 22 port [tcp/ssh] succeeded!
…or:
    nc -zv server port
for lazy ones .)
Do a faster port scan using GNU parallel.
    time seq 65535 | parallel --pipe --cat -j200% -n1000 'nc -vz localhost $(head -n1 {})-$(tail -n1 {})'
    real    0m52.813s
    user    3m16.853s
    sys     0m7.860s
most of my classmates use netcat to cheat in the exam :P
Hi, this is a great guide.
However, when using netcat to conduct a port scan, the results can be lengthy. Is there any way to have netcat -zv [host] [port ranges] display only OPEN PORTS?
Thanks.
Did you figure out how to show only open ports?
Use grep (note that nc writes its results to stderr, hence the redirection).
bash:
    netcat -zv [host] [port ranges] 2>&1 | grep succeeded
tcsh:
    netcat -zv [host] [port ranges] |& grep succeeded