Works on any machine with nmap installed. Previous version does not work on machines without "seq". Also works on subnets of any size. Show Sample Output
Change the -p argument for the port number. See "man nmap" for different ways to specify address ranges. Show Sample Output
Where < target > may be a single IP, a hostname or a subnet
-sS TCP SYN scanning (also known as half-open, or stealth scanning)
-P0 option allows you to switch off ICMP pings.
-sV option enables version detection
-O flag attempt to identify the remote operating system
Other option:
-A option enables both OS fingerprinting and version detection
-v use -v twice for more verbosity.
nmap -sS -P0 -A -v < target >
nmap accepts a wide variety of addressing notation, multiple targets/ranges, etc.
Usefull for when you don't have nmap and need to find a missing host. Pings all addresses from 10.1.1.1 to 10.1.1.254, modify for your subnet. Timeout set to 1 sec for speed, if running over a slow connection you should raise that to avoid missing replies. This will clean up the junk, leaving just the IP address: for i in {1..254}; do ping -c 1 -W 1 10.1.1.$i | grep 'from' | cut -d' ' -f 4 | tr -d ':'; done Show Sample Output
Simple one-liner for scanning a range of hosts, you can also scan a range of ports with Netcat by ex.: nc -v -n -z -w 1 192.168.0.1 21-443 Useful when Nmap is not available:) Range declaration like X..X "for i in {21..29}" is only works with bash 3.0+ Show Sample Output
scan whole specific network for active online ips Show Sample Output
I've used this scan to sucessfully find many rogue APs on a very, very large network. Show Sample Output
Scan for open ports on the target device/computer (192.168.0.10) while setting up a decoy address (192.168.0.2). This will show the decoy ip address instead of your ip in targets security logs. Decoy address needs to be alive. Check the targets security log at /var/log/secure to make sure it worked.
This was posted on reddit. replace 192.168.0.1-256 with the IP's you want to check.
nmap for windows and other platforms is available on developer's site: http://nmap.org/download.html nmap is robust tool with many options and has various output modes - is the best (imho) tool out there.. from nmap 5.21 man page: -oN/-oX/-oS/-oG : Output scan in normal, XML, s| Show Sample Output
Using NMAP to check to see if port 22(SSH) is open on servers and network devices. Show Sample Output
Very handy way to perform a host scan if you don't have nmap,ncat,nc ...or other tools installed locally. When executing a command on a /dev/tcp/$host/$port pseudo-device file, Bash opens a TCP connection to the associated socket and UDP connection when using /dev/udp/$host/$port.A simlpe way to get servers banner is to run this command "cat < /dev/tcp/localhost/25" , here you will get mail server's banner. NOTE: Bash, as packaged for Debian, does not support using the /dev/tcp and /dev/udp pseudo-device it's not enabled by default Because bash in Debian is compiled with ?disable-net-redirections. Show Sample Output
Depending on the network setup, you may not get the hostname. Show Sample Output
This command uses nmap to perform reverse DNS lookups on a subnet. It produces a list of IP addresses with the corresponding PTR record for a given subnet. You can enter the subnet in CDIR notation (i.e. /24 for a Class C)). You could add "--dns-servers x.x.x.x" after the "-sL" if you need the lookups to be performed on a specific DNS server. On some installations nmap needs sudo I believe. Also I hope awk is standard on most distros. Show Sample Output
for udp nmap -sU -p 80 hostname
Scan the local network for servers who have the ssh port open.
What do you do when nmap is not available and you want to see the hosts responding to an icmp echo request ? This one-liner will print all hosts responding with their ipv4 address.
Ping sweep without NMAP
commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.
Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.
» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10
Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):
Subscribe to the feed for: