There is always nc. The man page
nc(1) says:
Code:
PORT SCANNING
It may be useful to know which ports are open and running services on a
target machine. The -z flag can be used to tell nc to report open ports,
rather than initiate a connection. For example:
$ nc -z host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
The port range was specified to limit the search to ports 20 - 30.
Alternatively, it might be useful to know which server software is
running, and which versions. This information is often contained within
the greeting banners. In order to retrieve these, it is necessary to
first make a connection, and then break the connection when the banner
has been retrieved. This can be accomplished by specifying a small
timeout with the -w flag, or perhaps by issuing a "QUIT" command to the
server:
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
There are several tools in the ports tree other than net/nmap and its related facilities, but I have never used any of them.