Efficient Multi-Port Scanning with Netcat: Targeted Port Checks Without Range Scanning



When administering multiple servers, verifying specific service availability across discontinuous ports (like SSH on 22, HTTP on 80, and custom services on 8080) becomes tedious. The standard nc -z approach requires individual commands:

# Traditional approach - verbose and repetitive
nc -zv host.example.com 22
nc -zv host.example.com 80
nc -zv host.example.com 443
nc -zv host.example.com 8080

While nc -z host start_port-end_port works for ranges, it's impractical when:

  • Ports are non-sequential (22, 80, 443, 8080)
  • You need to avoid scanning large ranges (security policies)
  • Checking dozens of hosts with custom port sets

1. Xargs Parallel Processing

Process multiple ports efficiently without explicit loops:

echo "22 80 443 8080" | xargs -n 1 -P 4 nc -zv host.example.com

Where -P 4 runs 4 parallel checks (adjust based on your needs).

2. Using AWK for Host:Port Combinations

For multiple hosts with different port requirements:

# Expand each "host port [port ...]" line into one host/port pair per nc call;
# printing only $1 and $2 would silently drop any extra ports on a line
awk '{for (i = 2; i <= NF; i++) print $1, $i}' hosts_ports.txt | xargs -n 2 nc -zv

Sample hosts_ports.txt:

web1.example.com 80
db1.example.com 3306
git.example.com 22 9418

3. Timeout-Enhanced Version

Add connection timeouts for cleaner output:

# Pass the port as a positional argument instead of splicing it into the sh -c string with -I,
# so a port list that comes from a file or another command cannot inject shell syntax
echo "22 80 443" | xargs -n 1 sh -c 'nc -z -w 2 host.example.com "$1" && echo "$1: OK" || echo "$1: FAILED"' sh

When Netcat isn't available or suitable:

Nmap Targeted Scanning

nmap -Pn -p 22,80,443,8080 host.example.com

Add --open to show only open ports.

Bash /dev/tcp Fallback (no telnet or nc required)

for p in 22 80 443; do
  timeout 2 bash -c "echo >/dev/tcp/host.example.com/$p" 2>/dev/null && echo "$p OPEN" || echo "$p CLOSED"
done

Without the timeout wrapper, a filtered port blocks until the kernel's TCP connect timeout expires, which can take over a minute per port.

For audit trails and monitoring systems, group the timestamp with the checks so that both reach the log file (a bare date before the pipeline only prints to the terminal):

{ date +"%Y-%m-%d %T"; echo "22 80 443" | xargs -n 1 sh -c 'nc -zv -w 1 host.example.com "$0" 2>&1 | grep succeeded || echo "$0: Failed"'; } | tee -a port_check.log

Note that grep succeeded matches the connect message of OpenBSD netcat; other netcat variants word that message differently, so where the variant is not fixed, test the exit status of nc -z instead of its text.
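Putting sections 2 and 3 and the audit-trail logging together, the following bash script reads the hosts_ports.txt format shown above (a host followed by one or more ports per line), checks each host/port pair with a connect timeout, and appends one timestamped line per result to a log. It is an added example, not code from the original article: the parse_targets, tcp_open, format_result and check_targets names, the comment and blank-line handling in the input file, the ISO 8601 log timestamp and the /dev/tcp fallback when nc is absent are all assumptions made here. It decides OPEN/CLOSED from the exit status of nc -z, so it does not depend on the netcat variant's wording.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): check discontinuous ports on
# several hosts and log each result with a timestamp.
# Assumed input format, one line per host: "host port [port ...]"
# Blank lines and lines starting with '#' are ignored (assumption).

TIMEOUT="${TIMEOUT:-2}"              # seconds per connect attempt
LOGFILE="${LOGFILE:-port_check.log}" # results are appended here

# Expand "host p1 p2 ..." lines into one "host port" pair per output line.
parse_targets() {
  awk '/^[ \t]*$/ || /^[ \t]*#/ {next} {for (i = 2; i <= NF; i++) print $1, $i}' "$1"
}

# Return 0 when a TCP connect to host:port succeeds within TIMEOUT seconds.
# Uses the exit status of nc -z (same across netcat variants); if nc is not
# installed, falls back to bash's /dev/tcp wrapped in coreutils timeout.
tcp_open() {
  local host=$1 port=$2
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$TIMEOUT" "$host" "$port" >/dev/null 2>&1
  else
    timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
  fi
}

# One machine-parseable result line: "<UTC timestamp> host:port STATE".
format_result() {
  local host=$1 port=$2 state=$3
  printf '%s %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$port" "$state"
}

# Check every target in the file; print results and append them to LOGFILE.
check_targets() {
  local file=$1 host port state
  parse_targets "$file" | while read -r host port; do
    if tcp_open "$host" "$port"; then state=OPEN; else state=CLOSED; fi
    format_result "$host" "$port" "$state"
  done | tee -a "$LOGFILE"
}

# Usage: check_targets hosts_ports.txt
```

Because the port list never passes through a shell string, hostnames and ports read from the file are handled as plain arguments. Parallel execution can be layered on top with xargs -P by exporting the functions and calling tcp_open per pair, but the sequential form above keeps the log order equal to the input order, which is usually what an audit trail wants.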

When performing network diagnostics, manually checking individual ports becomes tedious:

nc -zv host.example.com 22
nc -zv host.example.com 80
nc -zv host.example.com 443

While nc -zv host.example.com 20-25 works for contiguous ports, it's inefficient when checking specific ports like 22, 80, 443 across multiple hosts.

For ad-hoc checks:

for port in 22 80 443 8080; do nc -zv host.example.com $port; done

Create a text file (hosts.txt) with hostnames/IPs, then:

while read -r host; do
  for port in 22 80 443; do
    nc -zv "$host" "$port" 2>&1 | grep succeeded
  done
done < hosts.txt

For faster execution:

echo 22 80 443 8080 | xargs -P 4 -n 1 nc -zv host.example.com

The -P 4 runs 4 parallel processes.

For more advanced scanning:

nmap -p 22,80,443 host.example.com

Or with timeout control:

timeout 1 bash -c "echo >/dev/tcp/host.example.com/80" && echo "Open"

Save as portcheck.sh:

#!/bin/bash
# Check a fixed set of ports on several hosts. The open/closed decision uses
# nc's exit status, which is the same across netcat variants, rather than
# grepping a connect message whose wording differs between them.
hosts=("host1" "host2" "host3")
ports=(22 80 443 8080)

for host in "${hosts[@]}"; do
  echo "Checking $host..."
  for port in "${ports[@]}"; do
    if nc -z -w 2 "$host" "$port" >/dev/null 2>&1; then
      echo "$host:$port - OPEN"
    else
      echo "$host:$port - CLOSED"
    fi
  done
done