Finding Open Ports and Listening Services on Linux: Nmap, Netstat, lsof and ss

This is something I do on a daily basis and try to keep it simple.

nmap

One of my all-time favourites, nmap, is a port scanner and network exploration tool. To install on Debian Wheezy:

# apt-get install nmap

Nmap can perform a simple ping scan:

$ nmap -sP localhost
Nmap scan report for localhost (127.0.0.1)
Host is up.
Other addresses for localhost (not scanned): 127.0.0.1
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds

Scan all TCP ports by using an aggressive (-T4) timing mode:

# nmap -p T:1-65535 -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 65527 closed ports
PORT      STATE SERVICE
12/tcp    open  unknown
80/tcp    open  http
443/tcp   open  https
3000/tcp  open  ppp
3001/tcp  open  nessus
3306/tcp  open  mysql
8834/tcp  open  unknown
10050/tcp open  unknown
10051/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Perform a half-open TCP/SYN scan (requires root privileges):

# nmap -sS -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
3000/tcp open  ppp
3001/tcp open  nessus
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

Scan TCP and UDP ports (UDP scan requires root privileges):

# nmap -sTU -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0017s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 1994 closed ports
PORT     STATE         SERVICE
80/tcp   open          http
443/tcp  open          https
3000/tcp open          ppp
3001/tcp open          nessus
3306/tcp open          mysql
68/udp   open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

Scan only for standard SSH, telnet and RDP ports:

$ nmap -p T:22-23,3389 -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE  SERVICE
22/tcp   closed ssh
23/tcp   closed telnet
3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Scan for 20 most common ports:

$ nmap --top-ports 20 -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000054s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
110/tcp  closed pop3
111/tcp  closed rpcbind
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
443/tcp  open   https
445/tcp  closed microsoft-ds
993/tcp  closed imaps
995/tcp  closed pop3s
1723/tcp closed pptp
3306/tcp open   mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Probe open ports to determine service and version info:

$ nmap -sV -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION

80/tcp   open  http          Apache httpd
443/tcp  open  ssl/http      Apache httpd
3000/tcp open  ssl/ntop-http Ntop web interface 5.0.1
3001/tcp open  ssl/ntop-http Ntop web interface 5.0.1
3306/tcp open  mysql         MySQL 5.5.33-0+wheezy1

Nmap done: 1 IP address (1 host up) scanned in 34.62 seconds

Scan all TCP and UDP ports and determine service and version info:

# nmap -sTU -sV -T4 -p 1-65535 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0012s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 131059 closed ports
PORT      STATE         SERVICE       VERSION
12/tcp    open          ssh           OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp    open          http          Apache httpd
443/tcp   open          ssl/http      Apache httpd
3000/tcp  open          ssl/ntop-http Ntop web interface 5.0.1
3001/tcp  open          ssl/ntop-http Ntop web interface 5.0.1
3306/tcp  open          mysql         MySQL 5.5.33-0+wheezy1
8834/tcp  open          ssl/unknown
10050/tcp open          tcpwrapped
10051/tcp open          zabbix        Zabbix Monitoring System
68/udp    open|filtered dhcpc
2055/udp  open|filtered iop
19167/udp open|filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Nmap done: 1 IP address (1 host up) scanned in 97.85 seconds

I’ve barely scratched the surface here – nmap has a fairly wide range of other scan techniques available, the above ones are simple ways of finding open ports and identifying services.

netstat

Netstat, a part of net-tools package, despite being considered a deprecated Linux networking command, is still widely used on many systems (RHEL 6.5, Debian 7, Ubuntu 12.04, Ubuntu 14.04). Netstat can print network connections, routing tables etc.

To discover all listening TCP and UDP ports in numeric format while also showing PID and name of the program, do:

# netstat -nltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address   State     PID/Program name
tcp        0      0 0.0.0.0:3000        0.0.0.0:*         LISTEN    14124/ntop
tcp        0      0 0.0.0.0:3001        0.0.0.0:*         LISTEN    14124/ntop
tcp        0      0 0.0.0.0:8834        0.0.0.0:*         LISTEN    23616/nessusd
tcp        0      0 0.0.0.0:10050       0.0.0.0:*         LISTEN    2526/zabbix_agentd
tcp        0      0 0.0.0.0:10051       0.0.0.0:*         LISTEN    19818/zabbix_server
tcp        0      0 127.0.0.1:3306      0.0.0.0:*         LISTEN    2656/mysqld
tcp        0      0 0.0.0.0:12          0.0.0.0:*         LISTEN    17491/sshd
tcp        0      0 0.0.0.0:80          0.0.0.0:*         LISTEN    14243/apache2
tcp        0      0 0.0.0.0:443         0.0.0.0:*         LISTEN    14243/apache2
tcp6       0      0 :::8834             :::*              LISTEN    23616/nessusd
udp        0      0 0.0.0.0:2055        0.0.0.0:*                   14124/ntop
udp        0      0 0.0.0.0:68          0.0.0.0:*                   1691/dhclient
udp    49408      0 0.0.0.0:19167       0.0.0.0:*                   1691/dhclient

As we may see above, there were no listening UDP ports found. To see all established connections and not just the listening one, we can add an “a”  parameter to the command line.

I normally tend to alias such commands that are fairly frequently in use to save some typing time:

# alias nets="netstat -nltup"

Or alternatively put it into ~/.bashrc file on systems that may require regular restarts.

Print a routing table:

$ netstat -rn
Kernel IP routing table
Destination   Gateway     Genmask        Flags  MSS Window  irtt   Iface
0.0.0.0       10.132.1.1  0.0.0.0        UG       0 0       0      eth0
10.132.1.0    0.0.0.0     255.255.255.0  U        0 0       0      eth0

Note that netstat command does not require root privileges to display the kernel routing tables.

lsof

The lsof program nominally lists open files. From the lsof man page, an open file may be a regular file, a directory, a character special file, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket) etc.

To get the listing of all Internet files using IPv4 and TCP protocol, we may use the following:

# lsof -i4tcp | grep -i listen

Grep helps to parse the output and print only the listening files. Paging through the raw output would provide us with a much better idea of our system’s overall network use.

ss

The ss utility is a part of iproute2 package and is used to dump socket statistics, similar to netstat. To install on Debian Wheezy:

# apt-get install iproute

To discover all listening TCP and UDP sockets in numeric format, do:

# ss -nltu
Netid  State      Recv-Q  Send-Q      Local Address:Port   Peer Address:Port
udp    UNCONN     0       0           *:2055               *:*
udp    UNCONN     0       0           *:68                 *:*
udp    UNCONN     49408   0           *:19167              *:*
tcp    LISTEN     0       128         *:80                 *:*
tcp    LISTEN     0       10          *:3000               *:*
tcp    LISTEN     0       10          *:3001               *:*
tcp    LISTEN     0       128         *:443                *:*
tcp    LISTEN     0       128         :::8834              :::*
tcp    LISTEN     0       128         *:8834               *:*
tcp    LISTEN     0       128         *:10050              *:*
tcp    LISTEN     0       128         *:10051              *:*
tcp    LISTEN     0       50          127.0.0.1:3306       *:*
tcp    LISTEN     0       128         *:12                 *:*

Leave a Reply

Your email address will not be published. Required fields are marked *