Trying to keep it simple.
nmap
One of our all-time favourites, nmap, is a port scanner and network exploration tool. To install on Debian Wheezy, do:
# apt-get install nmap
Nmap can perform a simple ping scan:
$ nmap -sP localhost
Nmap scan report for localhost (127.0.0.1)
Host is up.
Other addresses for localhost (not scanned): 127.0.0.1
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds
Scan all TCP ports by using an aggressive (-T4) timing mode:
# nmap -p T:1-65535 -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 65527 closed ports
PORT STATE SERVICE
12/tcp open unknown
80/tcp open http
443/tcp open https
3000/tcp open ppp
3001/tcp open nessus
3306/tcp open mysql
8834/tcp open unknown
10050/tcp open unknown
10051/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds
Perform a half-open TCP/SYN scan (requires root privileges):
# nmap -sS -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
3000/tcp open ppp
3001/tcp open nessus
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Scan TCP and UDP ports (UDP scan requires root privileges):
# nmap -sTU -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0017s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 1994 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
3000/tcp open ppp
3001/tcp open nessus
3306/tcp open mysql
68/udp open|filtered dhcpc
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Scan only for standard SSH, telnet and RDP ports:
$ nmap -p T:22-23,3389 -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
22/tcp closed ssh
23/tcp closed telnet
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Scan the 20 most common ports:
$ nmap --top-ports 20 -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000054s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed domain
80/tcp open http
110/tcp closed pop3
111/tcp closed rpcbind
135/tcp closed msrpc
139/tcp closed netbios-ssn
143/tcp closed imap
443/tcp open https
445/tcp closed microsoft-ds
993/tcp closed imaps
995/tcp closed pop3s
1723/tcp closed pptp
3306/tcp open mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Probe open ports to determine service and version info:
$ nmap -sV -T4 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
3000/tcp open ssl/ntop-http Ntop web interface 5.0.1
3001/tcp open ssl/ntop-http Ntop web interface 5.0.1
3306/tcp open mysql MySQL 5.5.33-0+wheezy1
Nmap done: 1 IP address (1 host up) scanned in 34.62 seconds
Scan all TCP and UDP ports and determine service and version info:
# nmap -sTU -sV -T4 -p 1-65535 localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0012s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 131059 closed ports
PORT STATE SERVICE VERSION
12/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
3000/tcp open ssl/ntop-http Ntop web interface 5.0.1
3001/tcp open ssl/ntop-http Ntop web interface 5.0.1
3306/tcp open mysql MySQL 5.5.33-0+wheezy1
8834/tcp open ssl/unknown
10050/tcp open tcpwrapped
10051/tcp open zabbix Zabbix Monitoring System
68/udp open|filtered dhcpc
2055/udp open|filtered iop
19167/udp open|filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Nmap done: 1 IP address (1 host up) scanned in 97.85 seconds
We've barely scratched the surface here: nmap has a fairly wide range of other scan techniques available; the ones above are simple ways of finding open ports and identifying the services behind them.
netstat
Netstat, part of the net-tools package, is considered a deprecated Linux networking command but is still widely used on many systems (RHEL 6.5, Debian 7, Ubuntu 12.04, Ubuntu 14.04). Netstat can print network connections and routing tables.
To discover all listening TCP and UDP ports in numeric format while also showing PID and name of the program, do:
# netstat -nltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 14124/ntop
tcp 0 0 0.0.0.0:3001 0.0.0.0:* LISTEN 14124/ntop
tcp 0 0 0.0.0.0:8834 0.0.0.0:* LISTEN 23616/nessusd
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 2526/zabbix_agentd
tcp 0 0 0.0.0.0:10051 0.0.0.0:* LISTEN 19818/zabbix_server
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2656/mysqld
tcp 0 0 0.0.0.0:12 0.0.0.0:* LISTEN 17491/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14243/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14243/apache2
tcp6 0 0 :::8834 :::* LISTEN 23616/nessusd
udp 0 0 0.0.0.0:2055 0.0.0.0:* 14124/ntop
udp 0 0 0.0.0.0:68 0.0.0.0:* 1691/dhclient
udp 49408 0 0.0.0.0:19167 0.0.0.0:* 1691/dhclient
As we may see above, no UDP ports are shown in a LISTEN state: UDP is connectionless, so netstat prints the UDP sockets with an empty State column. To see all connections, established ones included, and not just the listening sockets, we can add the -a parameter to the command line.
I tend to alias commands that are frequently used to save myself some typing:
# alias nets="netstat -nltup"
Alternatively, put it into the file ~/.bashrc to make the change persistent.
Print a routing table:
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.132.1.1 0.0.0.0 UG 0 0 0 eth0
10.132.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Note that the netstat command does not require root privileges to display kernel routing tables.
lsof
The lsof program nominally lists open files. From the lsof man page, an open file may be a regular file, a directory, a character special file, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket).
To list all Internet files using IPv4 and the TCP protocol, we may use the following:
# lsof -i4tcp | grep -i listen
grep filters the output down to the listening sockets only. Paging through the raw output instead gives a much better picture of the system's overall network use.
ss
The ss utility is part of the iproute2 package and is used to dump socket statistics, similar to netstat. To install on Debian Wheezy, do:
# apt-get install iproute
To discover all listening TCP and UDP sockets in numeric format, do:
# ss -nltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:2055 *:*
udp UNCONN 0 0 *:68 *:*
udp UNCONN 49408 0 *:19167 *:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 10 *:3000 *:*
tcp LISTEN 0 10 *:3001 *:*
tcp LISTEN 0 128 *:443 *:*
tcp LISTEN 0 128 :::8834 :::*
tcp LISTEN 0 128 *:8834 *:*
tcp LISTEN 0 128 *:10050 *:*
tcp LISTEN 0 128 *:10051 *:*
tcp LISTEN 0 50 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:12 *:*
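As an added example that is not part of the original post, the POSIX shell script below reconciles the scanner's view from the nmap section with the host's own socket table from ss -nltu: a port nmap reports open with no local listener, or a listener nmap never confirmed open, gets one line each. The two embedded outputs are constructed samples in the formats shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): reconcile the ports nmap reports
# open with the sockets the host itself lists in "ss -nltu". A port nmap sees
# open with no local listener, or a listener nmap never confirmed open, is
# worth a closer look. The two outputs below are constructed samples in the
# formats shown above; on a real host substitute the live command output.
export LC_ALL=C   # fixed collation so sort and comm agree

NMAP_OUT='PORT STATE SERVICE
12/tcp open ssh
80/tcp open http
3306/tcp open mysql
8834/tcp open unknown
68/udp open|filtered dhcpc'

SS_OUT='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 50 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:12 *:*
tcp LISTEN 0 128 *:10050 *:*'

# Ports nmap confirmed "open" (open|filtered is not a confirmation), as port/proto.
nmap_open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' | sort
}

# Local sockets from ss -nltu (LISTEN tcp, UNCONN udp). The port is the last
# colon-separated part of "Local Address:Port", so 127.0.0.1:3306 and :::8834
# both work; sort -u merges a port listed once for IPv4 and once for IPv6.
ss_listen_ports() {
    printf '%s\n' "$1" | awk '($1 == "tcp" && $2 == "LISTEN") || ($1 == "udp" && $2 == "UNCONN") {
        n = split($5, f, ":"); print f[n] "/" $1 }' | sort -u
}

# Lines of sorted list $1 that are absent from sorted list $2.
only_in_first() {
    t=$(mktemp); printf '%s\n' "$2" > "$t"
    printf '%s\n' "$1" | comm -23 - "$t"; rm -f "$t"
}

# One line per discrepancy between the scanner's view and the host's socket table.
reconcile() {
    n=$(nmap_open_ports "$1"); s=$(ss_listen_ports "$2")
    for p in $(only_in_first "$n" "$s"); do echo "open per nmap, no listener in ss: $p"; done
    for p in $(only_in_first "$s" "$n"); do echo "listening per ss, not confirmed open by nmap: $p"; done
}

reconcile "$NMAP_OUT" "$SS_OUT"
```

With the sample data this flags 8834/tcp (open to the scanner, absent from the socket table) and 10050/tcp and 68/udp (listening locally but not confirmed open by the scan, the UDP one because open|filtered is deliberately not counted).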