
NMAP : Network Scan for open ports

If you want to quickly find all machines on a network that have a certain TCP port open, for example every machine with TCP port 80 or 443 open so that you can audit servers for expiring certificates, you can use NMAP. The general syntax is:

nmap -Pn -p<portnumber> -oG <logfilename.gnmap> <target networks>

WARNING : Web services can be configured to run on ports other than 80 and 443, so remember that this only scans the default port assigned to a web server; if you need all ports, see the "all ports" section.

Scan for HTTP/HTTPS (on default ports)

This means that if you wanted to scan your local network for all servers with HTTP or HTTPS open you could use the commands below.

You will need to change the network range to the actual network you want to scan.

HTTP : nmap -Pn -p80 -oG http-scan-%D.gnmap 10.12.0.0/24
HTTPS: nmap -Pn -p443 -oG https-scan-%D.gnmap 10.12.0.0/24

This writes a file in the current directory called either "http-scan" or "https-scan" followed by the current date (nmap expands the %D in the file name to the date), as you can see here:


The report file looks like this; here you can see that a server called iis-test-.bears.local has TCP port 443 open.


Scan for all open ports

If you wish to scan all open ports (without a -p option nmap only checks its default list of the 1000 most common TCP ports, so -p- is used here to cover all 65535 ports, which takes considerably longer; the log file is also given its own name so it does not overwrite the HTTP scan from the same day):

All Ports : nmap -Pn -p- -oG all-ports-scan-%D.gnmap 10.12.0.0/24

This returns every port found, not only 80/443 as earlier, and the report also lists closed ports, as you can see here:
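Once you have a .gnmap report from either the single-port scan or the all-ports scan above, the next step for a certificate audit is to turn it into a list of hosts that actually have the port open. The parser below is an added example, not part of the original post; it reads nmap's grepable format (tab-separated "Host:" / "Ports:" fields, one port entry per "port/state/proto/..." item) and filters on port state, so closed and filtered ports from the all-ports report are not mistaken for open ones. The sample report and hostnames embedded in it are constructed, not a real scan.

```python
"""Parse nmap grepable (-oG) output and list hosts with a given TCP port open."""
import re

# Constructed sample of a .gnmap report (not real scan output); hostnames are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -p443 -oG https-scan.gnmap 10.12.0.0/24
Host: 10.12.0.5 (iis-test.example.local)\tStatus: Up
Host: 10.12.0.5 (iis-test.example.local)\tPorts: 443/open/tcp//https///
Host: 10.12.0.6 ()\tStatus: Up
Host: 10.12.0.6 ()\tPorts: 443/closed/tcp//https///
Host: 10.12.0.7 (web01.example.local)\tStatus: Up
Host: 10.12.0.7 (web01.example.local)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8443/filtered/tcp//https-alt///
# Nmap done at Mon Jan  1 10:00:04 2024 -- 256 IP addresses (3 hosts up) scanned in 4.10 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: (hostname, {(port, proto): state})} from grepable output.

    Comment lines (# Nmap ...) are skipped; "Status: Up" lines create the host
    entry, and "Ports:" lines fill in each port's state (open/closed/filtered).
    """
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        # Fields are tab-separated "Key: value" pairs, e.g. "Ports: 443/open/tcp//https///".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        entry = hosts.setdefault(ip, (name, {}))
        for spec in fields.get("Ports", "").split(", "):
            parts = spec.split("/")  # port / state / proto / owner / service / ...
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            entry[1][(int(parts[0]), parts[2])] = parts[1]
    return hosts


def hosts_with_open_port(text, port, proto="tcp"):
    """List (ip, hostname) pairs whose port/proto is reported as open."""
    return sorted((ip, name) for ip, (name, ports) in parse_gnmap(text).items()
                  if ports.get((port, proto)) == "open")


if __name__ == "__main__":
    for ip, name in hosts_with_open_port(SAMPLE_GNMAP, 443):
        print(f"{ip}\t{name or '-'}")
```

To run it against a real report, replace SAMPLE_GNMAP with the contents of your https-scan-&lt;date&gt;.gnmap file; the resulting host list is what you would feed into a certificate expiry check.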




