Scanning an entire ip range / subnet for port 80 open?

Tags:

port

centos

I need a fast and efficient way to scan an ip range for port 80 open.

So for example if I wanted to scan OVH IP range "46.105.0.0/16" I need it to scan every ip in that range and output a list of every ip with port 80 open.

46.105.0.51
46.105.0.72
46.105.0.91
46.105.0.7
46.105.0.15

I need to scan multiple subnets and I need it to output to a file.

Edit: I'm also running CentOS on my dedicated box w/ a 1Gbit uplink.

user3385815 asked Mar 05 '14 23:03


1 Answer

nmap to the rescue!:

nmap -Pn -p80 --open 46.105.0.0/16

...will get you a list of hosts responding on tcp/80 and the corresponding nmap output:

  • -Pn: skips the ping test, as you only care about an open port
  • --open: returns only the IPs for which your port is open

With a little awking (and grep, cause I'm lazy and not so great at awk - could an awk master fix this for me?), you can get just the list of IPs:

nmap -Pn -p80 --open 46.105.0.0/16 | grep 46.105 | awk '{print  $5}NF == 6{print $6}'

nmap also has options for outputting to files in specific formats, or you can just > to a file:

nmap -Pn -p80 --open 46.105.0.0/16 | grep 46.105 | awk '{print  $5}NF == 6{print $6}' > output.txt

admdrew answered Sep 25 '22 05:09
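An added example, not part of admdrew's answer, that takes care of the awk part: a small shell function that prints only the IP from each "Nmap scan report" line, whether or not reverse DNS put a hostname in front of it (the original awk prints the hostname too in that case), plus a loop showing how several subnets end up in one file. The nmap output below is a constructed sample, and the second subnet in the loop is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer). Reads nmap normal output on
# stdin and prints one IP per line. Because --open is used, every
# "Nmap scan report for" line is a host with the port open, so no grep on the
# subnet prefix is needed. The last field is either the bare IP or "(IP)" when
# reverse DNS resolved a hostname, so the parentheses are stripped.
nmap_open_ips() {
    awk '/^Nmap scan report for /{ ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Constructed sample of nmap output, covering both line shapes (no real scan).
SAMPLE='Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-05 23:03 UTC
Nmap scan report for 46.105.0.51
Host is up (0.012s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for web.example.net (46.105.0.72)
Host is up (0.010s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 65536 IP addresses (2 hosts up) scanned in 120.00 seconds'

# Runs the parser over the sample; returns the IP list, one per line.
parse_sample() {
    printf '%s\n' "$SAMPLE" | nmap_open_ips
}

# Real use: inventory several of your own ranges into one file
# (203.0.113.0/24 is a placeholder subnet).
#   for net in 46.105.0.0/16 203.0.113.0/24; do
#       nmap -Pn -p80 --open "$net" | nmap_open_ips
#   done > output.txt
```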