shellmap

Scan a port range on a host

Check which TCP/UDP ports are open on a target host — for service discovery, firewall validation, post-deploy "is the new server reachable?" smoke tests, or troubleshooting connectivity ahead of an SSH/HTTP call that's timing out.

How to scan a port range on a host in each shell

Bash (unix)
nmap -p 1-1000 -T3 192.168.1.10

`-p RANGE` port range (`1-1000`, `80,443,8080` list, or `-p-` for all 65535). `-T0..T5` timing template: T0=paranoid (5min between probes, IDS-evasion), T3=normal (default, balanced), T5=insane (parallel max, may overwhelm fragile devices). For a quick "is anything open?" sweep: `nmap -sS -T4 -p- HOST` — SYN-scan (`-sS`, requires root, doesn't complete the TCP handshake so doesn't show up in some app logs) of all 65535 ports at aggressive timing. Add `-A` for service version + OS detection (slower, much more info).

Zsh (unix)
nmap -p 1-1000 -T3 192.168.1.10

Fish (unix)
nmap -p 1-1000 -T3 192.168.1.10

PowerShell (windows)
1..1000 | ForEach-Object -Parallel { if ((Test-NetConnection -ComputerName "192.168.1.10" -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue)) { $_ } } -ThrottleLimit 50

`Test-NetConnection` is the pwsh-native TCP-connect test — it works, but it is SLOW (each call does a full DNS resolution + connection setup + ICMP ping by default; roughly 1 second per port when run serially). `-Parallel` (pwsh 7+) with `-ThrottleLimit 50` runs 50 probes at a time, bringing a 1000-port scan from ~17 min down to ~20 sec. For a full 1-65535 sweep, install `nmap` for Windows (`choco install nmap`) — pwsh's native tooling is fine for ad-hoc checks, but nmap is purpose-built.

cmd.exe (windows)
pwsh -NoProfile -Command "1..1000 | ForEach-Object -Parallel { if ((Test-NetConnection -ComputerName '192.168.1.10' -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue)) { $_ } } -ThrottleLimit 50"

cmd has no port-scan verb. `telnet HOST PORT` tests a SINGLE port (and only if the Telnet client is installed — it is not enabled by default on Windows 10+; enable it with `dism /online /Enable-Feature /FeatureName:TelnetClient`). Shell out to `pwsh` for ranges (`ForEach-Object -Parallel` needs PowerShell 7+, so invoke `pwsh`, not the built-in `powershell` 5.1), or download `nmap.exe` / `PortQry.exe` (Microsoft's legacy single-binary scanner).

Equivalents listed for Bash, Zsh, Fish, PowerShell, cmd.exe.

Gotchas & notes

  • **LEGAL — never port-scan a host without explicit authorization**. In most jurisdictions, scanning a host without permission is at minimum a TOS violation (cloud providers, ISPs) and at worst a felony (US Computer Fraud and Abuse Act, UK Computer Misuse Act, EU directives). Acceptable targets: your own hosts, hosts you have written authorization to scan (penetration test scope-of-work), the public scanme.nmap.org (explicitly invites scans for tutorial purposes). Cloud providers (AWS, GCP, Azure) have policies — AWS auto-allows scans of YOUR EC2 instances; GCP requires an Abuse Report form to scan others; Azure requires explicit scoping. Internal corporate networks: typically authorized but verify with InfoSec — uncoordinated scans trigger SOC alerts and incident response.
  • **`nc -z` for quick "is this port open?" tests without nmap** — `nc -zv host 22` (verbose, zero-payload, just tests TCP connect) returns `Connection to host 22 port [tcp/ssh] succeeded!` or `Connection refused`. Port-range form varies by `nc` flavor: GNU netcat `nc -zv host 1-1000`, OpenBSD netcat (default on macOS / FreeBSD) `nc -zv host 1-1000` also works, BusyBox netcat may not support ranges. `-w 2` adds 2-second timeout (avoid hanging on filtered ports). Bash loop fallback: `for p in {1..1000}; do (timeout 1 bash -c "</dev/tcp/host/$p" 2>/dev/null && echo $p open) ; done` — uses bash's built-in `/dev/tcp/HOST/PORT` virtual device, no `nc` needed (Linux/macOS bash only; fish + zsh don't have it).
  • **UDP scanning is fundamentally harder than TCP**. TCP gives a definitive answer per port: SYN/ACK = open, RST = closed, no response = filtered. UDP returns ICMP unreachable for closed ports (rate-limited by most kernels, often dropped by firewalls), and nothing at all for open ports unless the application replies — so most UDP scans report "open|filtered" ambiguously. `nmap -sU -p 53,123,161,500 HOST` (DNS, NTP, SNMP, IKE — common UDP services). Adding `--version-intensity 0 -sV` makes nmap send protocol-specific probes that should elicit a response from open ports. UDP scans are 10-100x slower than TCP scans due to rate limiting — scope tightly.
  • **Banner grabbing — what's running on the open port?** `nc HOST PORT` (no `-z`, actually opens a session) and read the banner: SSH replies `SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6`, HTTP needs `printf "HEAD / HTTP/1.0\r\n\r\n" | nc HOST 80` to elicit a Server header. `nmap -sV HOST` is the automated form — has a fingerprint DB of 9000+ services, identifies version. CRITICAL for inventory: a port being open is not interesting; KNOWING what version is open is what tells you whether you're patched. Pair with CVE search: `nmap --script vuln HOST` runs the vulnerability scripts (Heartbleed, Shellshock detectors, default-credential checks).
  • **Avoiding rate limits + getting blocked**: aggressive scans (`-T5`, parallel-50+) trip IDS/IPS and earn temporary blocks. Mitigations: (a) lower scan rate `--max-rate 100` (packets/sec), (b) randomize order `--randomize-hosts`, (c) source-port spoof `--source-port 53` (looks like DNS reply, evades simplistic firewalls), (d) decoy traffic `-D RND:10` (10 fake source IPs interleaved with the real one). Use these for legitimate auditing where the target is YOUR OWN host and you want to test detection. Against unauthorized targets these techniques shift you from "annoying" to "actively evading detection" — legally MUCH worse if discovered. Cloud-internal scans (VPC peers, K8s pods): typically no rate limit but cloud audit logs DO record the scanner IP — name your scan boxes appropriately so post-hoc forensics shows "this was the scheduled inventory scan" not "lateral movement attempt".
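The three TCP outcomes described above (SYN/ACK = open, RST = closed, no answer = filtered) as a concurrent connect scanner; this is an added example, not code from the shellmap page, and it does the same probe as `nc -z`, the bash `/dev/tcp` loop and the parallel `Test-NetConnection` form, with the classification made explicit. The names `probe_port`, `scan_ports`, `open_ports` and `start_listener` are chosen here, and the loopback listener is a constructed demo target so the block runs offline.

```python
"""Concurrent TCP connect scanner classifying each port as open,
closed or filtered (added example; not the shellmap page's code)."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """One TCP connect attempt: completed handshake -> 'open';
    RST (connection refused) -> 'closed'; no reply before the
    timeout (typically a firewall drop) -> 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"  # unreachable network, bad hostname, etc.


def scan_ports(host, ports, timeout=1.0, workers=50):
    """Probe ports concurrently (like pwsh -ThrottleLimit 50) and
    return {port: state} in the order the ports were given."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    """Sorted list of the ports whose state is 'open'."""
    return sorted(p for p, s in results.items() if s == "open")


def start_listener(host="127.0.0.1"):
    """Constructed demo target: a loopback socket on a kernel-chosen
    port, so exactly one probed port comes back 'open'."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    results = scan_ports("127.0.0.1", [port, 1, 2, 3], timeout=0.5)
    print(results, "open:", open_ports(results))
    srv.close()
```

Against a remote host, a port that comes back `filtered` for every probe usually means a firewall is dropping the SYN rather than the service being down, which is the ambiguity the UDP note above says you cannot resolve for UDP at all.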
