Can I scan my local network for specific open ports quickly?

I would like to know if there's a way to scan through my local network's IP range for open ports of a specific number.

Essentially I'm looking for Node.js to find clients of a specific type without knowing their IP addresses. In this case, RFID readers which listen on port 14150.

I'd like this scan to be quick, so I don't want a long timeout between each IP address. They should all happen rather quickly, perhaps within a few seconds max for an entire local IP range of up to 255 clients, excluding my own IP.

I wrote code that does what I want but it's painfully slow... I would like to see how I can make this faster by blazing through the connections and getting out if a connection cannot be made to a given IP within 20ms. I want to capture the actual connections in an array that I can then use for another purpose.

var net = require('net'); // Required to create socket connections

var ip = 254; //IP address to start with on a C class network

function checkConnect () {
  ip--;
  var thisIP = '192.168.1.' + ip; //concatenate to a real IP address

  var S = new net.Socket();
  S.connect(80, thisIP);

  if(ip > 0) { checkConnect(); }

  S.on('connect', function () { console.log('port 80 found on ' + thisIP); });
  S.on('error', function () { console.log('no such port on ' + thisIP); });
  S.end();
}

checkConnect();
clayperez asked Feb 22 '13 19:02

2 Answers

I've made it for you: https://github.com/eviltik/evilscan (just released v0.0.3 today).

Install:

npm install -g evilscan

Usage (port list + port range):

root@debian:~# evilscan --target=192.168.0.0/24 --port=21-446,5900 --concurrency=100 --progress
192.168.0.3:5900|open
192.168.0.26:53|open
192.168.0.26:111|open
192.168.0.26:81|open
192.168.0.26:23|open
Scanned 192.168.0.253:446 (100%)

Tips:

For very fast scanning, you can play with the "concurrency" parameter (more than 1000), but you have to update the ulimit parameter of your Linux system first:

ulimit -u unlimited

Hope this helps.

eviltik answered Nov 07 '22 10:11


None of the previous answers really worked how I needed. I found a much lighter-weight alternative. With this solution I get my solution quickly. My next upgrade will be to specify a range of hosts based on the current subnet. I imagine I'll want to limit this to the first 254 clients so it's not overkill. Here is the code:

//LLRP DEVICE SCANNER
var net    = require('net'), Socket = net.Socket;

var checkPort = function(port, host, callback) {
    var socket = new Socket(), status = null;

    // Socket connection established, port is open
    socket.on('connect', function() {status = 'open';socket.end();});
    socket.setTimeout(1500);// If no response, assume port is not listening
    socket.on('timeout', function() {status = 'closed';socket.destroy();});
    socket.on('error', function(exception) {status = 'closed';});
    socket.on('close', function(exception) {callback(null, status,host,port);});

    socket.connect(port, host);
}

var LAN = '192.168.1'; //Local area network to scan (this is rough)
var LLRP = 5084; //globally recognized LLRP port for RFID readers

//scan over a range of IP addresses and execute a function each time the LLRP port is shown to be open.
for(var i=1; i <=255; i++){
    checkPort(LLRP, LAN+'.'+i, function(error, status, host, port){
        if(status == "open"){
            console.log("Reader found: ", host, port, status);
        }
    });
}
clayperez answered Nov 07 '22 09:11