Perform a portscan using netcat

PortscanTo perform a port scan, most of the time we think about a separate program. Sometimes it is not necessary to look that far. On most Linux systems netcat is already installed or can be installed easily from a repository.

There are times when a quick port-scan is needed. But instead of searching for a dedicated port scanning utility with tons of features, it is sometimes enough to use tools as simple as netcat. na(1) (netcat) is a powerful utility for testing network services. With the right parameters, netcat can also scan for open ports.

$ nc -z 123.123.123.123 75-85
Connection to 123.123.123.123 port 80 [tcp/http] succeeded!

The above command shows netcat as port scanner. With the -z option, netcat is told to “just scan for listening daemons, without sending any data to them”, as the man page describes it nicely. This will in fact scan the target host for open ports. The range of ports to scan is the last parameter in the command line.

$ nc -zv 123.123.123.123 75-85
nc: connectx to 123.123.123.123 port 75 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 76 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 77 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 78 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 79 (tcp) failed: Connection refused
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
        outif en1
        src 192.168.0.59 port 55316
        dst 123.123.123.123 port 80
        rank info not available
        TCP aux info available

Connection to 123.123.123.123 port 80 [tcp/http] succeeded!
nc: connectx to 123.123.123.123 port 81 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 82 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 83 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 84 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 85 (tcp) failed: Connection refused

With the -v parameter, netcat shows not only the open ports and some details of them, but also the ports that were checked and found to not be open.

The netcat man page also describes the possibility to scan ports actively to find the type of service / version listening. Netcat is used in the following example to connect to a list of ports and send the “QUIT” string to it. Services listening, so goes the idea, react to this string with responses that could expose details about the service.

$ echo "QUIT" | nc -v 123.123.123.123 20-28
nc: connectx to 123.123.123.123 port 20 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 21 (tcp) failed: Connection refused
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
        outif en1
        src 192.168.0.59 port 55690
        dst 123.123.123.123 port 222
        rank info not available
        TCP aux info available

Connection to 123.123.123.123 port 22 [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_5.3
Protocol mismatch.
nc: connectx to 123.123.123.123 port 23 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 24 (tcp) failed: Connection refused
found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
        outif en1
        src 192.168.0.59 port 55722
        dst 123.123.123.123 port 25
        rank info not available
        TCP aux info available

Connection to 123.123.123.123 port 25 [tcp/smtp] succeeded!
220 host.example.com ESMTP Postfix
221 2.0.0 Bye
nc: connectx to 123.123.123.123 port 26 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 27 (tcp) failed: Connection refused
nc: connectx to 123.123.123.123 port 28 (tcp) failed: Connection refused

The example output shows this working on the SMTP port running Postfix and the SSH port using OpenSSH version 5.3. Sadly, this little trick has its limitations and does not necessarily reveal useful information on every kind of service.

Even with not being able to provide a 100% success rate this technique can be useful for a quick check.


Read more of my posts on my blog at http://blog.tinned-software.net/.

This entry was posted in Linux Administration, Security and tagged , , . Bookmark the permalink.