Efficient Multi-Port Scanning with Netcat: Targeted Port Checks Without Range Scanning



When administering multiple servers, verifying specific service availability across discontinuous ports (like SSH on 22, HTTP on 80, and custom services on 8080) becomes tedious. The standard nc -z approach requires individual commands:

# Traditional approach - verbose and repetitive
nc -zv host.example.com 22
nc -zv host.example.com 80
nc -zv host.example.com 443
nc -zv host.example.com 8080

While nc -z host start_port-end_port works for ranges, it's impractical when:

  • Ports are non-sequential (22, 80, 443, 8080)
  • You need to avoid scanning large ranges (security policies)
  • Checking dozens of hosts with custom port sets

1. Xargs Parallel Processing

Process multiple ports efficiently without explicit loops:

echo "22 80 443 8080" | xargs -n 1 -P 4 nc -zv host.example.com

Where -P 4 runs 4 parallel checks (adjust based on your needs).

2. Using AWK for Host:Port Combinations

For multiple hosts with different port requirements:

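# Emit one host/port pair per listed port, so a line with several ports is fully checked
awk '{for (i = 2; i <= NF; i++) print $1, $i}' hosts_ports.txt | xargs -n 2 nc -zv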

Sample hosts_ports.txt:

web1.example.com 80
db1.example.com 3306
git.example.com 22 9418

3. Timeout-Enhanced Version

Add connection timeouts for cleaner output:

# -n 1 hands each port to sh as "$1"; -w 2 caps each attempt at 2 seconds
echo "22 80 443" | xargs -n 1 sh -c 'nc -z -w 2 host.example.com "$1" && echo "$1: OK" || echo "$1: FAILED"' _

When Netcat isn't available or suitable:

Nmap Targeted Scanning

nmap -Pn -p 22,80,443,8080 host.example.com

Add --open to show only open ports.

Bash /dev/tcp Fallback

# Requires bash: the /dev/tcp path is handled by the shell itself
for p in 22 80 443; do
  (echo >/dev/tcp/host.example.com/$p) 2>/dev/null && echo "$p OPEN" || echo "$p CLOSED"
done

For audit trails and monitoring systems:

# Group the timestamp with the results so both are appended to the log
{ date +"%Y-%m-%d %T"; echo "22 80 443" | xargs -n 1 sh -c 'nc -zv -w 1 host.example.com "$1" 2>&1 | grep succeeded || echo "$1: Failed"' _; } | tee -a port_check.log
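
An added example, not from the original article: a POSIX sh script that expands a hosts_ports.txt-style inventory into validated host/port pairs before probing, then appends timestamped results to port_check.log. The function names, the validation rules and the sample inventory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article). File format assumed:
# "host port [port ...]", with blank lines and # comments allowed.

# Constructed sample inventory, including two lines that must be rejected.
sample_inventory() {
  cat <<'EOF'
# constructed sample
web1.example.com 80
db1.example.com 3306
git.example.com 22 9418
-badhost 22
web1.example.com 99999 http
EOF
}

# Print one validated "host port" pair per line; warn on stderr otherwise.
# A host may not start with "-" (nc would parse it as an option) and a
# port must be an integer in 1-65535.
expand_targets() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    $1 !~ /^[A-Za-z0-9][A-Za-z0-9.:-]*$/ {
      print "skip line " NR ": bad host" | "cat 1>&2"; next
    }
    {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^[0-9]+$/ && $i + 0 >= 1 && $i + 0 <= 65535) print $1, $i + 0
        else print "skip line " NR ": bad port " $i | "cat 1>&2"
      }
    }'
}

# Exit 0 if a TCP connect succeeds within 2 s. Uses nc's exit status, since
# the "succeeded" message text differs between netcat variants.
probe() { nc -z -w 2 "$1" "$2" >/dev/null 2>&1; }

# Read "host port" pairs on stdin; print "<UTC timestamp> host:port STATE".
check_targets() {
  while read -r host port; do
    if probe "$host" "$port" </dev/null; then state=OPEN; else state=CLOSED; fi
    printf '%s %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$port" "$state"
  done
}

# Usage: sh portcheck_inventory.sh hosts_ports.txt   (appends to port_check.log)
if [ "$#" -gt 0 ]; then
  expand_targets < "$1" | check_targets | tee -a port_check.log
fi
```

CLOSED here means the connect did not complete within the timeout, which covers both refused and filtered ports.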

When performing network diagnostics, manually checking individual ports becomes tedious:

nc -zv host.example.com 22
nc -zv host.example.com 80
nc -zv host.example.com 443

While nc -zv host.example.com 20-25 works for contiguous ports, it's inefficient when checking specific ports like 22, 80, 443 across multiple hosts.

For ad-hoc checks:

for port in 22 80 443 8080; do nc -zv host.example.com "$port"; done

Create a text file (hosts.txt) with hostnames/IPs, then:

# read -r keeps backslashes literal; quoting stops word splitting on host names
while IFS= read -r host; do
  for port in 22 80 443; do
    nc -zv "$host" "$port" 2>&1 | grep succeeded
  done
done < hosts.txt

For faster execution:

echo 22 80 443 8080 | xargs -P 4 -n 1 nc -zv host.example.com

The -P 4 runs 4 parallel processes.

For more advanced scanning:

nmap -p 22,80,443 host.example.com

Or with timeout control:

timeout 1 bash -c "echo >/dev/tcp/host.example.com/80" && echo "Open"

Save as portcheck.sh:

#!/bin/bash
# Check a fixed set of ports on each host and report OPEN or CLOSED.
hosts=("host1" "host2" "host3")
ports=(22 80 443 8080)

for host in "${hosts[@]}"; do
  echo "Checking $host..."
  for port in "${ports[@]}"; do
    # Use nc's exit status; -w 2 caps each attempt at 2 seconds.
    if nc -z -w 2 "$host" "$port" >/dev/null 2>&1; then
      echo "$host:$port - OPEN"
    else
      echo "$host:$port - CLOSED"
    fi
  done
done