When we covered port scanning a short while ago we discovered how to tell which ports had processes listening upon them, via port scanning. What we didn't learn was how to tell which processes were associated with each open port.
Often you'll know which application is going to be using a particular port, because it's the standard one, or because you know you set it up.
For example when you see something listening upon port 25 you'd tend to expect it to be a mailserver, and similarly if you find something listening on port 80 you'd not be surprised to discover it's a webserver.
Sometimes though these assumptions can be mistaken, and other times you'll discover an open port which you simply don't recognise. If you're examining a machine you're not sure you trust fully it's worth checking exactly which processes are really running.
As we noted in the introduction to port scanning with nmap, you can look up which service uses any of the 'standard' ports by referring to the file /etc/services.
For example we can open this file in our favourite editor, or pager, and see that port 43/tcp is associated with "whois", and that port 53 is associated with DNS.
These don't help you much if you have a service which has had its default port changed, something some people suggest you do as a means of increasing security. (Personally I believe such misdirection is misguided at best, and counter-productive at worst.)
What you really need to do is to look up the process which is currently bound to the given network port. Thankfully this is a simple job with the use of the lsof package.
If you don't have lsof already you can download and install it by becoming root and running:
# apt-get install lsof
This will download and install the package for you, along with any dependencies which might be required:
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  lsof
0 upgraded, 1 newly installed, 0 to remove and + not upgraded.
Need to get 339kB of archives.
After unpacking 549kB of additional disk space will be used.
Get:1 http://http.us.debian.org unstable/main lsof 4.75.dfsg.1-1 [339kB]
Fetched 339kB in 3s (90.8kB/s)
Selecting previously deselected package lsof.
(Reading database ... 69882 files and directories currently installed.)
Unpacking lsof (from .../lsof_4.75.dfsg.1-1_i386.deb) ...
Setting up lsof (4.75.dfsg.1-1) ...
Once you have the package installed you can discover precisely which processes are bound upon particular ports.
If you have the Apache webserver running on port 80, then that would provide a suitable test candidate. If not, you can choose another port you know is in use.
To discover the process name, its ID (PID), and other details you need to run:
lsof -i :PORT
So to see which process is listening upon port 80 we can run:
# lsof -i :80
This gives us the following output:
COMMAND   PID     USER   FD   TYPE   DEVICE SIZE NODE NAME
apache2 10437     root    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 10438 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 10439 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 10440 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 10441 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 10442 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 25966 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
apache2 25968 www-data    3u  IPv6 22890556      TCP *:www (LISTEN)
Here we can see the command running (apache2), the username it's running as (www-data), and some other details.
Similarly we can see which process is bound to port 22:
# lsof -i :22
COMMAND  PID USER   FD   TYPE   DEVICE SIZE NODE NAME
sshd    8936 root    3u  IPv6 12161280      TCP *:ssh (LISTEN)
To see all the ports open for listening upon the current host we can use another command, netstat (contained in the net-tools package):
# netstat -a | grep LISTEN | grep -v unix
tcp        0      0 *:2049                  *:*                     LISTEN
tcp        0      0 *:743                   *:*                     LISTEN
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN
tcp        0      0 *:5900                  *:*                     LISTEN
tcp        0      0 localhost.locald:sunrpc *:*                     LISTEN
tcp        0      0 *:8888                  *:*                     LISTEN
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
tcp6       0      0 *:www                   *:*                     LISTEN
tcp6       0      0 *:distcc                *:*                     LISTEN
tcp6       0      0 *:ssh                   *:*                     LISTEN
Here we can see that there are processes listening upon ports 2049, 743, 5900, and several others.
(The second grep we used above is to ignore Unix domain sockets.)
If you're curious to see which programs and services are using those sockets you can look them up as we've already shown:
# lsof -i :8888
COMMAND   PID    USER   FD   TYPE   DEVICE SIZE NODE NAME
gnump3d 25834 gnump3d    3u  IPv4 61035200      TCP *:8888 (LISTEN)
This tells us that the process bound to port 8888 is the gnump3d MP3 streamer.
Ports 2049 and 743 are both associated with NFS. The rest can be tracked down in a similar manner. (You'll notice that some ports actually have their service names printed next to them, such as the smtp entry for port 25.)
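The manual procedure above (list the listening ports, look each one up with lsof, compare against /etc/services) can be scripted so that an unfamiliar process or an unregistered port stands out at a glance. The script below is an added example and not part of the original article: it parses output in the format lsof -i produces (with -P and -n so ports and addresses stay numeric), joins each LISTEN socket to its owning command, PID and user, and annotates it with the service name /etc/services registers for that port. Both the lsof output and the /etc/services excerpt embedded here are constructed samples; the host, PIDs and the sshd-on-2222 entry are made up for illustration. On a real machine, run it with --live as root so lsof can see every process.

```shell
#!/bin/sh
# Added example (not from the original article): map each listening TCP port to
# the process that owns it and to the service name /etc/services registers for it.

# Constructed sample of `lsof -i -P -n` output; host, PIDs and the 2222 entry are made up.
SAMPLE_LSOF='COMMAND    PID     USER   FD   TYPE   DEVICE SIZE NODE NAME
apache2  10437     root    3u  IPv6 22890556      TCP *:80 (LISTEN)
apache2  10438 www-data    3u  IPv6 22890556      TCP *:80 (LISTEN)
sshd      8936     root    3u  IPv6 12161280      TCP *:22 (LISTEN)
gnump3d  25834  gnump3d    3u  IPv4 61035200      TCP *:8888 (LISTEN)
sshd      4242     root    4u  IPv4 61040000      TCP *:2222 (LISTEN)
apache2  10437     root    4u  IPv6 22890557      TCP 127.0.0.1:80->127.0.0.1:51000 (ESTABLISHED)'

# Constructed excerpt in /etc/services format: name, port/protocol, optional aliases.
SAMPLE_SERVICES='ssh      22/tcp
smtp     25/tcp
whois    43/tcp
www      80/tcp    http
sunrpc   111/tcp
nfs      2049/tcp
mysql    3306/tcp'

# listen_table: read lsof -i output on stdin, print "port command pid user" for
# each LISTEN socket. The SIZE column is often empty, which shifts the field
# numbers, so the NAME and state columns are taken from the end of the line.
listen_table() {
    awk '$NF == "(LISTEN)" {
        name = $(NF-1); sub(/.*:/, "", name);   # "*:80" or "[::1]:80" -> "80"
        print name, $1, $2, $3
    }' | sort -n | uniq
}

# service_for_port PORT: the name registered for a TCP port, or "unregistered".
# Reads the constructed excerpt; on a real host you would read /etc/services.
service_for_port() {
    printf '%s\n' "$SAMPLE_SERVICES" |
        awk -v p="$1" '$2 == (p "/tcp") { print $1; found = 1; exit }
                       END { if (!found) print "unregistered" }'
}

# audit: one line per listening socket with the registered service name appended,
# so a process on an unexpected or unregistered port is easy to spot.
audit() {
    listen_table | while read -r port cmd pid user; do
        printf '%-6s %-10s %-6s %-10s %s\n' \
            "$port" "$cmd" "$pid" "$user" "$(service_for_port "$port")"
    done
}

audit_sample() { printf '%s\n' "$SAMPLE_LSOF" | audit; }

# Live mode assumes lsof is installed; run as root to see every process's sockets.
audit_live() { lsof -i -P -n | audit; }

if [ "${1:-}" = "--live" ]; then audit_live; else audit_sample; fi
```

Running it without arguments prints the constructed sample: the two apache2 workers on 80 resolve to "www", sshd on 22 to "ssh", gnump3d on 8888 and the second sshd on 2222 are both flagged "unregistered", and the ESTABLISHED connection is ignored because only LISTEN sockets are of interest here.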
lsof is a very powerful tool which can be used for lots of jobs. If you're unfamiliar with it I recommend reading the manpage via:
man lsof
There you'll discover that the -i flag can take multiple different types of arguments, allowing you to check more than one port at a time, and to use IPv6 addresses too.
It's often used to see which files are open upon mounted devices, so you can kill the processes and unmount them cleanly.
How to find out which process is listening upon a port