Pre-made commands
Banner grab:

```bash
nc {ip address} {port}
```

Obtain the banners for a range of ports:

```bash
echo "" | nc -zv -w1 [host] [port range]
```

Vertical scan (one IP, many ports) of TCP ports on one IP using Netcat:

```bash
nc -nzvw1 {ip address} 21-23 80 2>&1 | grep -E 'succ|open'
```

Vertical scan (one IP, many ports) of UDP ports on one IP using Netcat:

```bash
nc -nuzvw1 {ip address} 1000-2000 2>&1 | grep -E 'succ|open'
```

Horizontal scan (many IPs, many ports) of a range of IPs for specific TCP ports using Netcat:

```bash
for i in {1..254}; do nc -nvzw1 10.10.10.$i 20-23 80 2>&1 & done | grep -E 'succ|open'
```

Horizontal scan of a range of IPs for specific UDP ports using Netcat:

```bash
for i in {1..254}; do nc -nuvzw1 172.16.82.$i 1000-2000 2>&1 & done | grep -E 'succ|open'
```

See the script at the bottom to automate NC scanning.
Flags
| Flag | Description |
|---|---|
| -A | Banner grab everything nmap finds |
| -z | Port scanning mode |
| -v | Be verbose (use -vv to be MORE verbose) |
| -n | Use numeric-only IP addresses; Do NOT use DNS to resolve IP addresses |
| -u | Switches scan from TCP to UDP |
| -w 1 | Set timeout value to 1 second |
| 21-23 | Range of ports to be scanned |
| 25 80 | Individual ports to be scanned, separated by a space |
| 1024-65535 | Scanning the registered and dynamic port range |
| 2>&1 | Redirect STDERR to STDOUT. This is so results can be grepped |
Useful Scripts
Netcat TCP scan script
```bash
#!/bin/bash
# Interactive netcat TCP sweep: ping each host in the given range, then run a
# vertical nc scan of the chosen ports against every host that answered.
echo "Enter network address (e.g. 192.168.0): "
read -r net
echo "Enter starting host range (e.g. 1): "
read -r start
echo "Enter ending host range (e.g. 254): "
read -r end
# Default value for ports (top 20 ports)
default_ports="21 22 23 25 53 80 110 111 135 139 143 443 445 993 995 1723 3306 3389 5900 8080"
echo "Enter specific ports space-delimited (e.g. 21-23 80), or press Enter for default (top 20 ports): "
read -r user_ports
# Use default ports if no ports are specified by the user
if [ -z "$user_ports" ]; then
    ports=$default_ports
else
    ports=$user_ports
fi
echo ""
echo "Scanning ports $ports on hosts $net.$start-$end"
echo ""
for ((i=start; i<=end; i++))
do
    # Ping the host to verify if it exists before scanning ports
    # (a host that drops ICMP is reported as down and skipped)
    if ping -c 1 -W 1 "$net.$i" > /dev/null 2>&1; then
        # $ports is deliberately unquoted so each port/range is its own argument;
        # nc -v reports results on stderr, hence 2>&1 before grep
        output=$(nc -nvzw1 "$net.$i" $ports 2>&1 | grep -E 'succ|open')
        # Check if output contains information about open ports
        if [ -n "$output" ]; then
            echo "==== Host $net.$i open ports ===="
            echo "$output" | awk '{print $3, $4}'
            echo ""
        fi
    else
        echo "Host $net.$i is down or unreachable."
    fi
done
```
Don't forget to chmod +x scan.sh
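Added here as an example, not part of the cheat sheet: the `grep -E 'succ|open' | awk '{print $3, $4}'` step used in the commands and in the script above assumes one netcat build, but OpenBSD nc and traditional nc report an open port in different layouts. The parser below normalises both into "host port" lines; `parse_nc_output` and `nc_sweep` are hypothetical helper names, and the sample output lines are constructed.

```bash
#!/bin/bash
# Normalise netcat's verbose scan output into "host port" lines.
# The two common netcat builds announce an open port differently:
#   OpenBSD nc:      Connection to 10.10.10.5 80 port [tcp/http] succeeded!
#   Traditional nc:  (UNKNOWN) [10.10.10.5] 80 (?) open
# Both write these lines to stderr, which is why every command uses 2>&1.
parse_nc_output() {
  awk '
    / succeeded!$/ { print $3, $4; next }     # OpenBSD style: host is $3, port is $4
    / open$/ {                                # traditional style: "[host]" is $2, port is $3
      host = substr($2, 2, length($2) - 2)    # strip the square brackets
      print host, $3
    }
  '
}

# Horizontal sweep (the cheat sheet's for-loop) with the parser in place of
# grep/awk. Hypothetical helper; usage: nc_sweep 10.10.10 1 254 "21-23 80"
nc_sweep() {
  net=$1; start=$2; end=$3; ports=$4
  (
    i=$start
    while [ "$i" -le "$end" ]; do
      # $ports is intentionally unquoted so "21-23 80" becomes two arguments
      nc -nvzw1 "$net.$i" $ports 2>&1 &
      i=$((i + 1))
    done
    wait   # let every backgrounded nc finish before the pipe closes
  ) | parse_nc_output | sort -u
}

# Constructed sample output mixing both flavours and two closed ports.
SAMPLE='Connection to 10.10.10.5 80 port [tcp/http] succeeded!
nc: connect to 10.10.10.5 port 21 (tcp) failed: Connection refused
(UNKNOWN) [10.10.10.6] 22 (?) open
(UNKNOWN) [10.10.10.6] 23 (?) : Connection refused'

printf '%s\n' "$SAMPLE" | parse_nc_output
# prints:
# 10.10.10.5 80
# 10.10.10.6 22
```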