World’s slimmest TCP port scanner – By @

Written on July 30, 2009

Ok, the name is a pun on Titan’s watch 😛 and is something that is an outcome of a really cool bash feature which I’ll be discussing. Bash provides a way to create a TCP connection or send UDP packets to a host on a given port, the cool thing is that you don’t have to rely on other scripting languages or programs for creating sockets/network connections when writing a shell script. Using this feature one can write simple to complex network utilities/scripts (a sigh of relief for scriptters :-) if that is that a word ). NOTE: This is a bash provided feature(if it is compiled with –enable-net-redirections option) and has nothing to do with /dev Devices.

Using these sockets/connections is as simple as accessing a file which is inline with the unix philosophy. All you need to do is to read/write to files of the form:


where, <protocol> = tcp | udp
<host> = hostname | IP
<port> = port number.

For example, lets say you want to send a custom payload to a web server, you can do it with the following command:

$echo -en “HEAD / HTTP/1.0\r\n\r\n”  > /dev/tcp/

You won’t get anything in return for obvious reasons(no read!). Now you’ll say what good can this be. Well, you can assign it a fd and read and write to that fd if your script is a network interactive one and expects some data in response.

Example commands:
# 15 is just random fd that I chose, you can choose any fd number you like.

$ exec 15<> /dev/tcp/
$ echo -en “HEAD / HTTP/1.1\r\nhost:\r\n\r\n” >&15
$ cat <&15
HTTP/1.1 302 Found
Date: Thu, 30 Jul 2009 21:56:37 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Finally, time for the slimmest TCP port scanner:

# Usage:>$ <host> <start_port> <end_port>
for p in `seq $2 $3`;do  (echo “foo” > /dev/tcp/$1/$p) &> /dev/null ; RET=$?; if [ $RET -eq 0 ]; then echo “$p/tcp open”; fi; done

I know it looks ugly :-P, no sanity checks etc, had to keep it slim you know… Tell me when u use it in your shell scripts.