Hack your own NMAP with a BASH one-liner

Ok, so today is short and sweet, but you will love me for it when you are stuck in a situation where you have RCE on a Unix target and can get output but can’t find nmap or other network tools and you also can’t install software or download firewalls for reasons like firewalls and ACLs etc.

In those situations, you can turn to good ol’ /dev/tcp to save you with this bash one-liner…

for i in {1..65535};do (echo </dev/tcp/<IP TO SCAN>/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" || (echo -n "."&&exit 1);done

Demo on Localhost (port 18)

for i in {1..65535};do (echo </dev/tcp/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" || (echo -n "."&&exit 1);done
nmap, move over!
Listener catches our ghetto nmap