6. Determine and understand every open port

If at all possible, use statically-linked tools and utilities mounted from a CD-R for this investigation.

You can do this locally with netstat and with lsof; you should also use a port-scanner, such as nmap, to do this remotely. All three methods should agree.

For all open ports that you don't recognise, and for any differences between the results of the three methods, use fuser and/or lsof to determine which processes are responsible.

On Linux

    root>netstat -l

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 *:48132                 *:*                     LISTEN     
    tcp        0      0 *:8999                  *:*                     LISTEN     
    tcp        0      0 *:1066                  *:*                     LISTEN     
    tcp        0      0 *:httpproxy             *:*                     LISTEN     
    tcp        0      0 *:ssh                   *:*                     LISTEN     
    .
    .
    udp        0      0 localhost.localdoma:ntp *:*                                
    .
    .

On Solaris, netstat -a | grep LIST will show all daemons listening for TCP connections; to see all open ports, including UDP, fall back to netstat -a | less.

Thankfully, with lsof, the options for Linux and Solaris are the same:

    root> lsof -i 

    ./lsof -i
    COMMAND     PID     USER   FD   TYPE        DEVICE   SIZE/OFF NODE NAME
    inetd       325     root    4u  inet 0x30000721748        0t0  TCP *:time (LISTEN)
    inetd       325     root    5u  inet 0x30000720988        0t0  UDP *:time (Idle)
    inetd       325     root    6u  inet 0x300007208
    .
    .
    sshd2     28972     root    7u  inet 0x300043b8a30      0t240  TCP sol.umist.ac.uk:49130->ldap3.ds.man.ac.uk:ldap (ESTABLISHED)
    sshd2     28972     root    8u  inet 0x3000397f3b8      0t240  TCP sol.umist.ac.uk:49131->ldap3.ds.man.ac.uk:ldap (ESTABLISHED)

The third tool to use is nmap. You can use this to scan locally, i.e.,

    noddy> nmap noddy.toytown.england

but it is better to scan from a trusted host: either turn off the firewall on the suspect host temporarily, or ensure the trusted host can get through on all ports, before scanning:

    trusted> nmap noddy.toytown.england
    trusted> nmap -vv -sT -p 1-1023 noddy.toytown.england
    trusted> nmap -vvv -sU noddy.toytown.england

There are many options to nmap. Sample output:

    nmap -vvv 127.0.0.1

    Initiating Connect() Scan against localhost.localdomain (127.0.0.1) [1663 ports] at 16:19
    Discovered open port 22/tcp on 127.0.0.1
    Discovered open port 80/tcp on 127.0.0.1
    .
    .
    The Connect() Scan took 0.12s to scan 1663 total ports.
    Host localhost.localdomain (127.0.0.1) appears to be up ... good.
    Interesting ports on localhost.localdomain (127.0.0.1):
    (The 1657 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http

    Nmap finished: 1 IP address (1 host up) scanned in 0.245 seconds
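As an added worked example (not part of the original page), the following Python script reconciles the three views the way the text describes: it parses constructed sample output in the formats shown above, assuming the numeric forms netstat -ln and lsof -nPi plus a plain nmap run so that all three report port numbers rather than service names, and lists every port with its owning process and which tools failed to see it. A port with no owner, or one that the local tools miss while nmap sees it, is exactly where fuser and lsof should be pointed next.

```python
import re
# Constructed sample output (not captured from a real host), as printed by the
# numeric forms of the three tools: netstat -ln, lsof -nPi, and nmap.
NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:48132           0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:123           0.0.0.0:*
"""
LSOF = """COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      512 root    3u  IPv4   9001      0t0  TCP *:22 (LISTEN)
sshd     2210 root    5u  IPv4   9010      0t0  TCP 10.0.0.5:22->10.0.0.9:49130 (ESTABLISHED)
httpd     640 root    4u  IPv4   9002      0t0  TCP *:80 (LISTEN)
ntpd      300  ntp    5u  IPv4   9003      0t0  UDP 127.0.0.1:123
"""
NMAP = """PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
8999/tcp  open          unknown
48132/tcp open          unknown
123/udp   open|filtered ntp
"""

def parse_netstat(text):
    """Return {(port, proto)} for every TCP/UDP socket line of `netstat -ln`."""
    rows = [line.split() for line in text.splitlines()]
    return {(int(f[3].rsplit(":", 1)[1]), f[0].rstrip("6"))
            for f in rows if len(f) >= 4 and f[0] in ("tcp", "udp", "tcp6", "udp6")}

def parse_lsof(text):
    """Return {(port, proto): 'command/pid'} for listening sockets of `lsof -nPi`."""
    rows = [line.split() for line in text.splitlines()]
    # NAME fields containing '->' are established connections, not listeners; skip them.
    return {(int(f[8].rsplit(":", 1)[1]), f[7].lower()): f"{f[0]}/{f[1]}"
            for f in rows if len(f) >= 9 and f[7] in ("TCP", "UDP") and "->" not in f[8]}

def parse_nmap(text):
    """Return {(port, proto)} for ports nmap reports as open (UDP may say open|filtered)."""
    return {(int(p), proto) for p, proto in re.findall(r"^(\d+)/(tcp|udp)\s+open", text, re.M)}

def reconcile(netstat_out, lsof_out, nmap_out):
    """Map every port any tool saw to (owning 'command/pid' or 'UNKNOWN', tools that missed it)."""
    ns, lo, nm = parse_netstat(netstat_out), parse_lsof(lsof_out), parse_nmap(nmap_out)
    report = {}
    for port in ns | set(lo) | nm:
        missed = [name for name, seen in (("netstat", ns), ("lsof", lo), ("nmap", nm)) if port not in seen]
        report[port] = (lo.get(port, "UNKNOWN"), missed)
    return report
```

Calling reconcile(NETSTAT, LSOF, NMAP) on the sample flags 48132/tcp (seen by netstat and nmap, no owner in lsof) and 8999/tcp (seen only from the scanning host), which is the disagreement the text says to chase down.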


About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple