Use netcat for port scanning
Quite often you’d need to check if a port on a target node is opened or blocked by firewall. I’ve always used
telnet to test that but it has a few drawbacks:
Need to use dirty hacks in shell scripts to auto close the connection. Also, telnet outputs some errors to
/dev/stdoutinstead of the standard
/dev/stderrwhich makes it harder to use in scripts.
Non standard implementation across different OSes. On Alpine Linux (mostly used in containers), if you install telnet using the
/busybox-extraspackage, the behaviour is different from what it is on standard Ubuntu/Arch environments. I’ve even faced weird issues on Alpine where telnet will simply wait endlessley for the connection to be established, while netcat would not indicate any issues.
Telnet is actually a protocol and the telnet-client initiates the negotiation with the server before a connection is established.
So, after all these issues, I looked at other tools to eventually replace
telnet with something better. I tried
nmap which is also a port scanner, but is unreliable since a lot of hipster sysadmins drinking the security koolaid block port scanning tools like these. I wanted a dependable tooling and after a bit of Google-fu, I stumbled across
netcat is basically a swiss army knife to perform all kind of ops with TCP/UDP. You can create a file server, chat client/server, TCP client etc. We are simply interested in the port scanning abilities of this for this blog post, so let’s actually see how to use it for the same.
netcat-openbsd as it is a rewritten version of
netcat-traditional with some more bells and whistles.
The basic syntax for port scanning looks like:
nc -z host port
-z tells nc to not send any data, just scan for any process listening on the target port. This is much better (and faster) than
telnet client initiating a connection with the upstream.
To make it more usable however, let’s pepper our command with some helpful flags:
nc -vz -w 3 host port
-v turns on verbose mode which outputs diagnostic messages.
-w adds the timeout for the connection to be established. If you want to set a timeout in
telnet there’s a hack for it.
You can even supply a range of ports to netcat like:
nc -vz -w 3 host 8000-9000
Quick Tip: You can also give an alias for port instead of the number. For example:
$nc -vz -w 3 google.com https Connection to google.com 443 port [tcp/https] succeeded! $nc -vz -w 3 google.com ssh nc: connect to google.com port 22 (tcp) timed out: Operation now in progress nc: connect to google.com port 22 (tcp) failed: Network is unreachable
Hope this post pretty much sums up the usage of netcat for port scanning! Read the man page for more info.