Can nmap list all hosts on the local network that have both SSH and HTTP open? To do so, I can run something like:
nmap 192.168.1.1-254 -p22,80 --open
However, this lists hosts that have ANY of the list ports open, whereas I would like hosts that have ALL of the ports open. In addition, the output is quite verbose:
# nmap 192.168.1.1-254 -p22,80 --open
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-31 10:14 EST
Nmap scan report for Wireless_Broadband_Router.home (192.168.1.1)
Host is up (0.0016s latency).
Not shown: 1 closed port
PORT STATE SERVICE
80/tcp open http
Nmap scan report for new-host-2.home (192.168.1.16)
Host is up (0.013s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 254 IP addresses (7 hosts up) scanned in 3.78 seconds
What I'm looking for is output simply like:
192.168.1.16
as the above host is the only one with ALL the ports open.
I certainly can post-process the output, but I don't want to rely on the output format of nmap, I'd rather have nmap do it, if there is a way.
Best Answer
There is not a way to do that within Nmap, but your comment about not wanting "to rely on the output format of nmap" lets me point out that Nmap has two stable output formats for machine-readable parsing. The older one is Grepable output (
-oG), which works well for processing with perl, awk, and grep, but is missing some of the more advanced output (like NSE script output, port reasons, traceroute, etc.). The more complete format is XML output (-oX), but it may be overkill for your purposes.You can either save these outputs to files with
-oG,-oX, or-oA(both formats plus "normal" text output), or you can send either one straight to stdout:nmap 192.168.1.1-254-p22,80 --open -oG - | awk '/22\/open.*80\/open/{print $2}'