How to Use Netcat to Scan Open Ports in Linux

Netcat (nc for short) is a feature-rich networking, debugging and investigation utility. It supports a wide range of commands for managing networks and inspecting the flow of traffic between systems over the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Netcat can be a very useful tool for network and system administrators to quickly recognize how their network is performing and what type of network activity is occurring in the system.

In this article, we will discuss how to install and use this versatile netcat utility to perform simple port scans to identify open ports in Linux systems.

Install Netcat in Linux

Netcat is available on almost all modern Linux distributions through the default package manager, as shown.

$ sudo yum install nc         [On CentOS/RHEL/Rocky Linux/AlmaLinux]
$ sudo dnf install nc         [On Fedora 22+ and RHEL 8]
$ sudo apt install netcat     [On Debian/Ubuntu]

Linux Port Scanning with Netcat Commands

Once you have the Netcat utility installed on your Linux server, you can start performing a network port scan. The scan checks each port in the range you specify on a domain or IP address, so you can see which services are reachable and whether a firewall or other blocking mechanism is filtering the rest.

For example, we can scan ports 1 through 1000 by running the following command with the -z option, which puts netcat in zero-I/O mode: it only reports whether each TCP connection succeeds and sends no data over it. The -v option tells netcat to produce more verbose output.

$ netcat -z -v google.com 1-1000
Or
$ nc -z -v google.com 1-1000

The output will look like this:

netcat: connect to google.com port 1 (tcp) failed: Connection timed out
netcat: connect to google.com port 1 (tcp) failed: Network is unreachable
netcat: connect to google.com port 2 (tcp) failed: Connection timed out
netcat: connect to google.com port 2 (tcp) failed: Network is unreachable
netcat: connect to google.com port 3 (tcp) failed: Connection timed out
netcat: connect to google.com port 3 (tcp) failed: Network is unreachable
netcat: connect to google.com port 4 (tcp) failed: Connection timed out
netcat: connect to google.com port 4 (tcp) failed: Network is unreachable
netcat: connect to google.com port 5 (tcp) failed: Connection timed out
netcat: connect to google.com port 5 (tcp) failed: Network is unreachable
....

You can also scan an IP address directly, adding the -n option to tell netcat not to perform any DNS resolution.

$ netcat -z -n -v 192.168.0.173 1-1000
OR
$ nc -z -n -v 192.168.0.173 1-1000

The output will look like this:

netcat: connect to 192.168.0.173 port 1 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 2 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 3 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 4 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 5 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 6 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 7 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 8 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 9 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 10 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 11 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 12 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 13 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 14 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 15 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 16 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 17 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 18 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 19 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 20 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 21 (tcp) failed: Connection refused
Connection to 192.168.0.173 22 port [tcp/*] succeeded!
netcat: connect to 192.168.0.173 port 23 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 24 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 25 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 26 (tcp) failed: Connection refused
netcat: connect to 192.168.0.173 port 27 (tcp) failed: Connection refused
...

From the above output, you can clearly see that the traditional SSH port (22) is the only open port in the range 1-1000 on the remote machine.

If you only want to print the open ports on the screen, filter the output with the grep command as shown. Netcat writes these status messages to standard error, so 2>&1 merges them into standard output before they reach grep.

$ netcat -z -n -v 192.168.0.173 1-1000 2>&1 | grep succeeded
OR
$ nc -z -n -v 192.168.0.173 1-1000 2>&1 | grep succeeded

Output:

Connection to 192.168.0.173 22 port [tcp/*] succeeded!
Connection to 192.168.0.173 80 port [tcp/*] succeeded!
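The grep filter above can be turned into a small audit script that reports only open ports and flags any that are not on an expected allow-list. This is an added example, not part of the original article; it assumes the OpenBSD netcat output format shown above ("Connection to HOST PORT port [tcp/*] succeeded!") and uses -w 1 for a one-second per-port timeout. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): wrap the nc -z scan so only
# open ports are reported, one per line, and return non-zero if a port outside
# an expected allow-list is open. Assumes the OpenBSD netcat output format
# shown in the article ("Connection to HOST PORT port [tcp/*] succeeded!").

# Extract the port numbers of "succeeded" lines from netcat's verbose output
# (read from stdin). netcat prints these messages on stderr, so callers
# merge it with 2>&1 before piping here. Field 4 of the line is the port.
open_ports() {
    grep 'succeeded!' | awk '{ print $4 }'
}

# Scan HOST over RANGE (e.g. 1-1000) with a 1-second per-port timeout (-w 1)
# and print only the open ports.
scan_open() {
    host=$1; range=$2
    nc -z -n -v -w 1 "$host" "$range" 2>&1 | open_ports
}

# Compare a newline-separated list of open ports (stdin) against a
# space-separated allow-list; print each unexpected port and return 1 if any.
check_unexpected() {
    allowed=" $1 "
    rc=0
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "unexpected open port: $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample output, mirroring the article's, used for a dry run.
SAMPLE='netcat: connect to 192.168.0.173 port 21 (tcp) failed: Connection refused
Connection to 192.168.0.173 22 port [tcp/*] succeeded!
Connection to 192.168.0.173 80 port [tcp/*] succeeded!
Connection to 192.168.0.173 8080 port [tcp/*] succeeded!'

# Dry run: ./audit.sh --demo   (real use: scan_open 192.168.0.173 1-1000 | check_unexpected "22 80")
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | open_ports | check_unexpected "22 80"
fi
```

With the constructed sample, the dry run prints "unexpected open port: 8080" and exits with status 1; against a host whose open ports all appear in the allow-list it prints nothing and exits 0.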

You can also scan individual ports, by number or by service name.

$ nc -zv 192.168.0.173 80
$ nc -zv 192.168.0.173 22
Or
$ nc -zv 192.168.0.173 http
$ nc -zv 192.168.0.173 ssh


For more information and usage, read the netcat man pages.
