Last Updated: February 25, 2016
· victorbrca
409302 10151131950910230 214813917 n 2

Port scanning with Bash (without sudo, nmap or nc)

Let's say you logged on to a Linux machine and you need to run nmap to find out what ports are open on a specific node, however you do not have sudo access and/or 'nmap' (or nc) is not installed...

Well, here's the solution. Depending on the Bash version that you have, and if it has TCP socket enabled, you can use it's built-in TCP (and UDP) socket to create connections (it's somewhat similar to the client side of 'netcat').

Here's a quick function that can be used for that:

nmap2 () {
[[ $# -ne 1 ]] && echo "Please provide server name" && return 1

for i in {1..9000} ; do
  (echo  > /dev/tcp/$SERVER/$PORT) >& /dev/null &&
   echo "Port $PORT seems to be open"

And here's an example of running the scan against my gateway:

$ GW=$(route -n | grep '^' | awk '{print $2}')

$ nmap $GW
The program 'nmap' is currently not installed. You can install it by typing:
sudo apt-get install nmap

$ nmap2 $GW
Port 1720 seems to be open

If you need to increase/decrease the ports that are scanned, simple change the option '{1..9000}' in the script.

Say Thanks

2 Responses
Add your response


Can you let me know how does this work for udp ? Doesn't seems to work for me.

over 1 year ago ·
409302 10151131950910230 214813917 n 2

You should be able to just change the protocol to udp, like "(echo > /dev/udp/$SERVER/$PORT)"

over 1 year ago ·
Filed Under