Can nmap display only hosts with specific ports open?

Can nmap list all hosts on the local network that have both SSH and HTTP open? To do so, I can run something like:

nmap 192.168.1.1-254 -p22,80 --open

However, this lists hosts that have ANY of the listed ports open, whereas I would like hosts that have ALL of the ports open. In addition, the output is quite verbose:

# nmap 192.168.1.1-254 -p22,80 --open

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-31 10:14 EST
Nmap scan report for Wireless_Broadband_Router.home (192.168.1.1)
Host is up (0.0016s latency).
Not shown: 1 closed port
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for new-host-2.home (192.168.1.16)
Host is up (0.013s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 254 IP addresses (7 hosts up) scanned in 3.78 seconds

What I’m looking for is output simply like:

192.168.1.16

as the above host is the only one with ALL the ports open.

I certainly can post-process the output, but I don’t want to rely on the output format of nmap, I’d rather have nmap do it, if there is a way.

Asked By: Brian


There is not a way to do that within Nmap, but your comment about not wanting "to rely on the output format of nmap" lets me point out that Nmap has two stable output formats for machine-readable parsing. The older one is Grepable output (-oG), which works well for processing with perl, awk, and grep, but is missing some of the more advanced output (like NSE script output, port reasons, traceroute, etc.). The more complete format is XML output (-oX), but it may be overkill for your purposes.

You can either save these outputs to files with -oG, -oX, or -oA (both formats plus "normal" text output), or you can send either one straight to stdout:

nmap 192.168.1.1-254 -p22,80 --open -oG - | awk '/22\/open.*80\/open/{print $2}'

Answered By: bonsaiviking
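As an added example (not part of bonsaiviking's answer, and not a feature of Nmap itself), here is a small POSIX shell function that does the "ALL ports open" selection over grepable output, the way a practitioner would script it rather than re-typing a one-liner per port set. The function name hosts_with_all_open and the sample_grepable helper are assumptions of this example; the sample -oG lines are constructed here, not captured from a real scan, but follow the format Nmap writes (tab-separated Host/Ports fields, port tokens separated by ", ").

```shell
#!/bin/sh
# Added example (not from the original thread or the Nmap project).
# Select hosts from Nmap grepable (-oG) output that have ALL of the given
# TCP ports open. Real use:
#   nmap -p22,80 --open -oG - 192.168.1.1-254 | hosts_with_all_open 22 80

hosts_with_all_open() {
    # Arguments: the port numbers that must all be open.
    # Input (stdin): -oG lines; the ones that matter look like
    #   Host: 192.168.1.16 (new-host-2.home)<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
    # Each port token is preceded by a space or tab, so anchoring on
    # "[ \t]<port>/open/tcp/" keeps 22 from matching 2222 or 122.
    awk -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        /^Host:.*Ports:/ {
            ok = 1
            for (i = 1; i <= n; i++)
                if ($0 !~ ("[ \t]" req[i] "/open/tcp/")) { ok = 0; break }
            if (ok) print $2          # $2 is the IP address on a Host: line
        }'
}

# Constructed sample of -oG output (not a real scan), tab-separated as Nmap
# writes it. Only .16 has both 22 and 80 open; .40 has 2222 open, not 22.
sample_grepable() {
    printf '# Nmap 6.47 scan initiated as: nmap -p22,80 -oG - 192.168.1.1-254\n'
    printf 'Host: 192.168.1.1 (Wireless_Broadband_Router.home)\tPorts: 80/open/tcp//http///\tIgnored State: closed (1)\n'
    printf 'Host: 192.168.1.16 (new-host-2.home)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n'
    printf 'Host: 192.168.1.22 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///\n'
    printf 'Host: 192.168.1.40 ()\tPorts: 2222/open/tcp//EtherNetIP-1///, 80/open/tcp//http///\n'
    printf '# Nmap done: 254 IP addresses (4 hosts up) scanned\n'
}

# Demo when run directly: prints 192.168.1.16
sample_grepable | hosts_with_all_open 22 80
```

Because the match is anchored on the whole "<port>/open/tcp/" token, a host with port 2222 open is not mistaken for one with 22 open, and the Ignored State field at the end of a line has no effect on the result. Pair it with --open on the scan so that closed and filtered ports never appear in the Ports field at all.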

Consider also this awk one-liner:

nmap -Pn -p22,80,443,445 -oG - 100.100.100.100 | awk '/22\/open.*80\/open.*443\/open.*445\/open/{ s = ""; for (i = 5; i <= NF && $i ~ /^[0-9]+\//; i++) { p = $i; sub(/\/*,?$/, "", p); s = s p "\n" } printf "%s %s\n%s", $2, $3, s }'

It will print you all the hosts with all specified opened ports like this:

 100.100.100.100 (some-domain.com)
 22/open/tcp//ssh
 80/open/tcp//http
 443/open/tcp//microsoft-ds
 445/open/tcp//https-alt

Answered By: Suncatcher

Try the following command:

nmap --open -p 22,80 192.168.1.1-254 -oG - | grep "/open" | awk '{ print $2 }'

This will scan for your ports in your range and pipe the output in greppable format, looking for open ports, then print the IP addresses that fit any of those criteria.

Answered By: Marshall Hallenbeck

My ‘quick and dirty’ solution:

nmap -p 443 192.168.178.0/24 | grep -E 'report|open'

Output:

Nmap scan report for fritz.box (192.168.178.1)
443/tcp open  https
Nmap scan report for 192.168.178.2
Nmap scan report for 192.168.178.3
...

Advantage:

You can still see all responding clients in the network, so that you can adjust the port (e.g. port 80 instead of port 443) to them.

Answered By: K1LLUM1N471

All of these answers still show the Ignored ports, even if there is an open port. The following is what worked for me:

sudo nmap -sS "192.168.1.0/24" --open -oG ./nmap_scan; sudo chown youruser: ./nmap_scan; cat ./nmap_scan | grep -Ev '^Nmap|^Status:' | sed 's/\t/,/g' | awk '{gsub("Ignored State: .*", ""); print}' | column -t -s','

  • sudo nmap -sS "192.168.1.0/24" --open -oG ./nmap_scan: perform a SYN scan for only open ports and output to a grepable file called nmap_scan
  • sudo chown youruser: ./nmap_scan: change the ownership of the file back to your user, since you ran sudo. This is optional; just make sure to run all following commands as root or with sudo
  • grep -Ev '^Nmap|^Status:': remove any lines that start with Status: or Nmap; these are garbage lines and not necessary for the output
  • sed 's/\t/,/g': change all tabs to commas; this essentially turns the output into CSV format, which is easier to parse
  • awk '{gsub("Ignored State: .*", ""); print}': remove any "Ignored State: .*", which is a regex for "Ignored State:" and anything after it
  • column -t -s',': optional; display the output in column format to make it readable

Answered By: Dave