tips tools reconnaissance

SecurityTrails Blog · Mar 26 · by Esteban Borges

Top 5 Nmap Online Alternatives

Reading time: 8 minutes

While working with a terminal on Unix or Linux can feel like the better part of driving a manual car, with the vehicle’s full power in your hands and the sense you get of old-fashioned control, some people prefer the automatic variety. These people want an easier experience, with something that simply “works” while doing much of the work for you.

The same thing happens on the Internet. There are nerds who love the terminal and the power inherent in it, and there are others who simply need web- and GUI-based tools offering fast and easy solutions that suit their needs.

That’s where we took our cue. In this blog we’ve shared a good look at both worlds: technical tutorials that are terminal-based, like the Nmap commands article; and reviews of web-based tools, like our blog post about online vulnerability scanners.

Today we’re continuing with web-based tools, by showing you the top Nmap online alternatives to the classic terminal-based command.

Our list of the best Nmap online alternatives

One of the downsides of using Nmap online alternative scanners is the fact that you won’t be able to run Nmap scripts as easily as you would if you were using classic Nmap from the terminal. Instead, you’re tied to what developers offer as web-browser scanning options.

However, most of the current Nmap online alternative solutions usually perform a scan against the most popular scanned ports, so if you’re looking for a basic Nmap scan without too many hacks, some of these websites may work for you.

Going over this list, we’ll start with the most simple solutions for any end users, then move on to more robust and complex Nmap alternatives that not only give you port scan information, but also correlate this data with other infosec variables.

A warning you’ll see on many of these sites is a disclaimer to ensure that the scans you perform are intended to be used as a defensive strategy—to detect open ports over your own infrastructure, and not to detect exposed third-party ports over external networks. For this exact reason, some of these solutions also limit the number of scans allowed to be performed from a single IP address.

IPV6 Scanner

As its name implies, IPV6Scanner.com is a network scanner that lets any user perform a port scan against any hostname, IPV4- or IPv6-based address.

Its simple interface only requires you to fill the target and hit “Scan!” to perform the default scan against most common server ports. Take a look at the following screenshot:

IPV6 Scanner

Before running the scan you’ll have to enable this option by checking ‘I am authorized to initiate this port scan’. After that, you’ll see the results: the color-coded legend indicates three different port states, letting you easily detect which port is open, filtered or closed.

Another option is to scan a specific port, against the TCP or UDP protocol:

UDP protocol

Nmap.online

The second solution on our list is called ‘Nmap online’, and while it’s probably the most classically ‘Nmap-looking’ alternative solution there is, it’s a web-based app rather than one that runs on the terminal.

It offers a simple interface to scan any domain or IP address, and you can choose the type of scan you’d like to perform, such as Fast scan, Port scan, OS Detection or Traceroute.

Once the scan is finished, you’ll get Nmap scan results revealing the open, filtered and closed ports in the same way as traditional Nmap, as you see below:

NMAP online

Types of scans supported by this tool:

  • ‘Fast scan’ which is probably the most frequently used option, as it lets you scan the top 100 most common ports
  • ‘Port scan’ which will let you perform a TCP scan against ports 21,22,25,80,110,143,443 and 445, and also enable service detection, so you can get data about remote running services
  • ‘OS detection’ which allows you to detect the operating system running on the remote host.
  • ‘OS scan and Traceroute’ which enable you to perform exactly those actions.

If you want to use Nmap but not over the terminal, this is the most similar tool you’ll find on the Internet. No commands, no black and white screen, just a web-friendly Nmap-based scan.

Shodan

Now let’s jump to a higher level of port scanners, which also let you find related information in a single place. The first option is our beloved Shodan.

For those who don’t know it, Shodan is referred to by its authors as “the world’s first search engine for Internet-connected devices.” Well, they’re right.

Shodan is a search engine focused on indexing data from any connected device such as computers, servers, mobile phones, tables, webcams, smart TVs, refrigerators, smart kitchens, medical devices, traffic lights, any type of electronic device that’s ever been connected to the Internet.

Something at which Shodan excels is getting a list of open ports from any IP address.

In our tests, we went against Cloudflare’s 1.1.1.1 IP by using this URL: https://www.shodan.io/host/1.1.1.1

And this was the result:

Shodan

As shown in the screenshot, it was able to fetch running ports on 53, 80, 443 and 5353 ports. And on the right side, it also provided the exact data obtained from their banner grabbing against those ports.

Apart from port information, you’ll also get details about the IP, such as country, organization, ISP, date of last update, associated hostnames, ASN, and the running web technologies found on that IP. And if you’re still curious… Shodan has plenty more to offer. Just start digging and you’ll be surprised at how much intel you can find.

ZoomEye

Developed by the Chinese cybersecurity company Knownsec Inc., ZoomEye is an IoT search engine that aims to be a search engine for cyberspace.

Since its release in 2013, it’s added more and more features, truly becoming a beast when it comes to IoT and everything that is or has ever been connected to the Internet.

After running grabbing techniques over exposed devices, ZoomEye performs fingerprint analysis to share with you some highly intriguing results.

And in the same manner as Shodan, ZoomEye also offers interesting port scan data that’s fetched by using their own query language.

Grabbing data from their passive port scan database is easy. In the following example, we’ll query for port 22, which is frequently used by the OpenSSH daemon: https://www.zoomeye.org/searchResult?q=port%3A%2222%22&t=host

A sizeable list of IP addresses with port 22 exposed will appear in the results, along with the operating system, tag and geolocation, as well as the software version listening on that port, as you’ll see in the following screenshot:

Port 22

You can even target multiple ports on the same query, including ports from other famously exploited services such as the Telnet server, for example.

This search engine also lets you perform other queries such as “os:linux” to order devices by OS—but let’s get back to our game of finding exposed ports.

If you also want to know what other ports are open on previously reported IP addresses, just click on any of them. The full list of open ports will appear right before your eyes. Take a look:

Open ports

There’s a lot more to discover with ZoomEye, but we’ll do that in a future article dedicated to detailing its considerable powers.

SurfaceBrowser™

For the past few years, we’ve been working hard on our own massive port scan utility, one that’s fully included in our flagship product SurfaceBrowser™.

SurfaceBrowser™ is a complete Internet surface analyzer that gives you access to a full data security platform, one that includes current and historical DNS records, full IP blocks, SSL certificates, hosted domains, associated domains, a full list of subdomains, user-agent information per IP, and of course, open ports and running services.

How can you view the open ports of any IP address or domain name using SurfaceBrowser™?

SurfaceBrowser

A summary of the available information about that IP address will appear, including the available open ports, product name and software version:

Open ports and software

Other important data will be shown on the same summary page, such as forward DNS, SSL certificates, connection hostname, ASN, geolocation and organization:

Go. LLC

You’ll also be able to pivot to the ‘Domain’ tabs, where you’ll find domains associated with that IP address; and the ‘Devices’ tab, which is fully dedicated to showing you what devices interacted with that IP.

A new brand feature we’ve recently added is the aptly named ‘Ports History’, which lets you fetch the full historical open ports records for that IP, as you can see here:

Ports history

The port history is a rare feature, unavailable with most cybersecurity suites. As soon as you begin using it, you’ll discover how useful it is for investigating cybersecurity incidents against services that could be related to indicators of compromise.

Conclusion

Unlike other Nmap online alternatives, the port scanning we perform here at SecurityTrails is by no means limited: we perform full scans of all your IP addresses, and give you results for the current and historical open ports instantly.

That’s why you’ll want to discover SurfaceBrowser™, the enterprise-grade surface analysis tool that will not only help you identify open ports immediately, but also show you other critical intelligence data such as DNS servers, current and historical records, subdomains, SSL certificates, WHOIS history, and much more.

Book a SurfaceBrowser™ demo with our sales team today!

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.