Port discovery without nmap

nc + bash

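# TCP connect check of a fixed list of common ports against one host.
# IP is a placeholder for the host being checked.
#   -z    only attempt the connection and close it, instead of holding a
#         session open and relaying stdin to the service
#   -w 1  give up on each attempt after one second
# A failed attempt cannot distinguish a closed port from one whose packets are
# dropped by a firewall, hence the combined message.
# Every successful probe is a completed TCP handshake, so it can show up in the
# service's and the firewall's connection logs.
top10=(20 21 22 23 25 80 110 139 443 445 3389)
for port in "${top10[@]}"; do
  # if/else instead of `a && b || c`: with the latter, the failure message is
  # also printed whenever the first echo itself returns non-zero.
  if nc -z -w 1 IP "$port"; then
    echo "Port $port is open"
  else
    echo "Port $port is closed or filtered"
  fi
done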

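/dev/tcp/ip/port or /dev/udp/ip/port (pseudo-paths interpreted by bash redirections, not real device files; shells without this feature, such as dash, fail with "No such file or directory". UDP is connectionless, so a successful /dev/udp redirection does not show that the port is open.)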

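# Same connect check using bash's built-in /dev/tcp redirection, so no external
# tool is needed. IP is a placeholder for the host being checked.
# There is no timeout: a port whose packets are silently dropped blocks the loop
# until the kernel gives up on the connection attempt.
top10=(20 21 22 23 25 80 110 139 443 445 3389)
for port in "${top10[@]}"; do
  # The redirection opens the socket and echo writes a single newline to it.
  # Running it in a subshell means the socket is closed when the subshell exits.
  if (echo > /dev/tcp/IP/"$port") > /dev/null 2>&1; then
    echo "Port $port is open"
  else
    # A refused connection, a dropped one and an unresolvable host all end up
    # here, so "closed" alone would overstate what was learned.
    echo "Port $port is closed or filtered"
  fi
done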

Dummy script

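#!/bin/bash
# Checks a fixed list of common TCP ports on every host of one /24 network,
# using bash's /dev/tcp redirection (requires bash; plain sh will not work).
# subnet holds the first three octets; "x.x.x" is a placeholder.
#
# The sweep is sequential and has no per-connection timeout, so unreachable or
# filtered addresses make it slow. One source opening the same port set on each
# address of a subnet in order is a pattern network monitoring can alert on.
subnet="x.x.x"
top10=(20 21 22 23 25 80 110 139 443 445 3389)
# .1 to .254 are the host addresses of a /24; .255 is the broadcast address and
# cannot accept a TCP connection.
for host in {1..254}; do
    target="${subnet}.${host}"
    for port in "${top10[@]}"; do
        # if/else instead of `a && b || c`, which would also print the failure
        # line if the first echo returned non-zero.
        if (echo > /dev/tcp/"${target}/${port}") > /dev/null 2>&1; then
            echo "Host ${target} has ${port} open"
        else
            # Refused, dropped and unreachable all land here.
            echo "Host ${target} has ${port} closed or filtered"
        fi
    done
done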

Banner grabbing

/dev/tcp/ip/port or /dev/udp/ip/port

# Opens a TCP connection to IP:PORT through bash's /dev/tcp redirection and
# prints whatever the service sends. Only services that speak first (for
# example SSH, SMTP, FTP) produce a banner; cat keeps reading until the peer
# closes the connection.
# NOTE(review): version strings visible this way are worth trimming in the
# service configuration where the software allows it.
cat < /dev/tcp/IP/PORT

telnet

# Opens an interactive TCP session to IP:PORT; any greeting the service sends
# on connect is printed to the terminal before input is typed.
telnet IP PORT