Introduction to Port Scanning
Written by Mr Oss   
Sunday, 20 January 2008

Network services communicate over port numbers.  TCP and UDP each have their own port space, numbered 1 to 65535, so a TCP port and a UDP port with the same number are unrelated.  Each open port on your computer is a distinct entry point through which a remote party can interact with whatever program is bound to it.  The same ports can also carry covert communication without your knowledge.  Several techniques can be used to check and display which ports are open on a system, and keeping an eye on them helps you spot entry points that could be exploited to gain covert access.

 

In this article we will use several methods to identify open ports on a system.  The first is the netstat command.  Netstat reports only on the system it is run on; it cannot be used to identify open ports on remote systems.  The following is output from the netstat command.

mr-oss@slackware # netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    268 192.168.1.120:ssh       mine:8126               ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  5      [ ]         DGRAM                    134      /dev/log
unix  2      [ ]         DGRAM                    1548
unix  2      [ ]         DGRAM                    283
unix  2      [ ]         DGRAM                    137


The output above contains more than just open ports.  The second block lists the UNIX domain sockets in use on the system; these are local inter-process channels (here the syslog socket /dev/log), not network ports.  For readability that block is omitted from the command examples throughout the rest of this article.

mr-oss@slackware # netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    268 192.168.1.120:ssh       mine:8126               ESTABLISHED

Analyzing this output we can see that there is one established connection to our Slackware machine.  Port numbers follow the colon after each address.  The connection is to the local ip address 192.168.1.120 on the ssh port, and it was established by the computer with the hostname mine, from its port 8126.  Netstat has translated port 22 into the service name ssh and the remote address into a hostname; a few command line switches make the output more useful.

mr-oss@slackware # netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    268 192.168.1.120:22        192.168.1.128:8126      ESTABLISHED

The -n flag instructs netstat to print numeric output, suppressing both DNS hostname lookups and the translation of port numbers into service names (taken from /etc/services).  Now it is easy to see which connections are established on our system: the remote machine 192.168.1.128 is using port 8126 to connect to our local machine 192.168.1.120 on port 22 over tcp.  However, this command only lists established connections, which is not very useful for inspecting what the system is offering to the network.

mr-oss@slackware # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    284 192.168.1.120:22        192.168.1.128:8126      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*

Now we are getting somewhere with netstat.  Adding the -a flag to -n shows all sockets, listening servers included, in numeric form.  The first line shows a state of LISTEN: a service is running on our system and waiting for inbound connections.  The local address 0.0.0.0 means the service is bound to every network interface, not just one; a service bound to 127.0.0.1 would be reachable only from the machine itself.  The foreign address 0.0.0.0:* means no peer is attached yet: any machine may connect from any source port to our port 22 over tcp.  The last line shows a udp socket on port 68.  It has no state because udp is connectionless, so netstat cannot distinguish a server socket from a client socket.  The port 68 entry is the dhcp client, which is present because we obtained our ip address of 192.168.1.120 from a dhcp server.  Two further flags are worth knowing on Linux: -l restricts the output to listening sockets, and -p (as root) adds the PID and program name that owns each socket, which is the first thing to check when a port you did not expect shows up.  Netstat is installed by default on almost every system, although current Linux distributions ship it in the net-tools package, which may be absent; ss -tulpn from iproute2 gives the equivalent listing.  Netstat is useful, but it is not quite enough for a veteran administrator.  To really get down and dirty with port scanning and identification, get your hands on a copy of nmap.
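As an added example (not part of the original article), the following POSIX shell script turns netstat -an output into a list of listening sockets and flags which of them are reachable from the network rather than only from the machine itself.  The input is a constructed sample: the LISTEN and udp lines from the output above, plus an assumed loopback-only MySQL listener on 127.0.0.1:3306 and an assumed IPv6 ssh listener, added to show the distinction.

```sh
#!/bin/sh
# Summarise the sockets from `netstat -an` (Linux net-tools format) and say
# which of them a remote machine could actually reach.
#
# Constructed sample input: the LISTEN and udp lines from the article's
# `netstat -an` output, plus an assumed loopback-only MySQL listener and an
# assumed IPv6 ssh listener.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0    284 192.168.1.120:22        192.168.1.128:8126      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# listening_sockets: reads netstat -an output on stdin and prints one line
# per listening tcp socket or udp socket as "<proto> <port> <scope>".
# scope is "network" for a wildcard bind (0.0.0.0 or ::), "local" for a
# loopback bind (127.0.0.1 or ::1), and otherwise the exact bound address.
# Established tcp connections are skipped; udp has no LISTEN state, so every
# udp socket is reported.
listening_sockets() {
    awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            n    = split($4, a, ":")                      # local addr is "addr:port"
            port = a[n]                                   # port is the last field
            addr = substr($4, 1, length($4) - length(port) - 1)
            if      (addr == "0.0.0.0"   || addr == "::")  scope = "network"
            else if (addr == "127.0.0.1" || addr == "::1") scope = "local"
            else                                           scope = addr
            print $1, port, scope
        }'
}

# exposed_ports: only the ports that any host on the network could reach,
# printed as "proto/port" for comparison with an nmap scan of the same host.
# tcp6/udp6 are folded into tcp/udp so a dual-stack listener appears once.
exposed_ports() {
    listening_sockets | awk '$3 == "network" { sub(/6$/, "", $1); print $1 "/" $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

On a real host run netstat -an | exposed_ports and compare the result with the open ports nmap reports when run from another machine.  A port in the netstat list but not in nmap's means something (usually a firewall) sits between the two; a port in nmap's list but not in netstat's means the host is answering on a port it does not admit to, which deserves a closer look.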

Nmap can be downloaded for free at http://nmap.org/download.html.  It runs on virtually every platform and is the most widely used port scanner in the world, the swiss army knife of port scanning.  Unlike netstat, which can only inspect the local machine, nmap can scan remote machines, the local machine, and entire network ranges.  Its many command line switches alter its behaviour drastically and let the user specify port ranges, protocols, timing, and much more.  The following is the output we receive from nmap when scanning our local machine.

mr-oss@slackware # nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-20 04:51 CST
Interesting ports on slackware-oss.home.com (127.0.0.1):
Not shown: 1679 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 0.131 seconds

This tells us what netstat already told us: the local host is listening for incoming ssh connections on port 22.  Note that nmap resolved localhost to 127.0.0.1, so this scan went over the loopback interface; a service bound only to 127.0.0.1 would show up here even though it is not reachable from the network.  To see the view a remote machine gets, we have to tell nmap the ip address of our network interface.  The ifconfig command lists the interfaces and the ip addresses they are using; since netstat already showed us that ours is 192.168.1.120, we can get to scanning.

mr-oss@slackware # nmap 192.168.1.120

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-20 04:54 CST
Interesting ports on 192.168.1.120:
Not shown: 1679 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 13.131 seconds

Note the difference in scan time: scanning the network address took 13 seconds against 0.131 seconds for localhost.  The result is the same, which is what we expected, since netstat showed ssh listening on every interface.  One thing that is not showing up is udp port 68.  The reason is that by default nmap performs a tcp-only scan; udp ports are probed only when the -sU flag is given, and -sU can be combined with a tcp scan type such as -sT in the same run.

mr-oss@slackware # nmap -sU -sT 192.168.1.120

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-20 05:01 CST
Interesting ports on 192.168.1.120:
Not shown: 3165 closed ports
PORT   STATE         SERVICE
22/tcp open          ssh
68/udp open|filtered dhcpc

Nmap finished: 1 IP address (1 host up) scanned in 14.412 seconds

The -sU and -sT flags instruct nmap to perform a udp scan and a tcp connect scan of 192.168.1.120.  Nmap now reports the udp socket, but as open|filtered rather than open.  A closed udp port normally answers a probe with an ICMP port unreachable message, so when nmap gets no reply at all it cannot tell whether the port is open (the service simply ignored the empty probe) or whether a firewall dropped the packet, and it reports both possibilities.  Checking netstat on the host, as we did above, resolves the ambiguity.  The output from this command is good for a quick check, but it is not complete.  I have started a web server on this machine on an extremely high port number, 64000, and it does not appear, because nmap does not scan every possible port by default: the "Not shown: 1679 closed ports" line plus the one open port means only 1680 tcp ports were probed (current nmap releases probe the 1000 most common ports of each protocol).  To make sure every port on the system has been tested we have to specify the full range using the -p flag.

mr-oss@slackware # nmap -sU -sT -p 1-65535 192.168.1.120

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-20 05:11 CST
Interesting ports on 192.168.1.120:
Not shown: 131066 closed ports
PORT      STATE         SERVICE
22/tcp    open          ssh
64000/tcp open          unknown
68/udp    open|filtered dhcpc

Nmap finished: 1 IP address (1 host up) scanned in 22.124 seconds

Now we have a complete list of the open ports on 192.168.1.120, at least as seen from the scanner.  -p 1-65535 (recent nmap releases accept -p- as shorthand) covers every port number and, combined with -sU -sT, reports any tcp or udp service on any port.  Two caveats: a full udp sweep is slow against hosts that rate-limit their ICMP unreachable replies, and a host firewall between scanner and target hides filtered ports from this list even though netstat on the target still shows them listening.  Now that we know everything that is running on our machine, let's see what is running on the remote host that is logged in over ssh.  The netstat command from earlier told us the remote host's ip address was 192.168.1.128.

mr-oss@slackware # nmap -O -sU -sT -p 1-65535 192.168.1.128

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-20 05:29 CST
Interesting ports on mine (192.168.1.128):
Not shown: 131053 closed ports
PORT     STATE         SERVICE
135/tcp  open          msrpc
139/tcp  open          netbios-ssn
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1037/udp open|filtered unknown
1042/udp open|filtered unknown
1062/udp open|filtered unknown
1063/udp open|filtered unknown
1072/udp open|filtered unknown
1274/udp open|filtered unknown
1277/udp open|filtered unknown
1456/udp open|filtered dca
1457/udp open|filtered valisys-lm
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:90:4B:XX:XX:XX (GemTek Technology Co.)
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows 2003 Server
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 65.983 seconds

Notice that the remote scan reports the MAC address of the remote machine, which nmap can only do for hosts on the same Ethernet segment, where it learns the address through ARP, and that it takes nearly 3 times as long to complete (about 66 seconds against 22).  The -O flag asks nmap to fingerprint the remote operating system and version from the behaviour of its TCP/IP stack.  The result is a best guess from the responses received rather than a certainty, but here it is consistent with the msrpc and netbios ports, which are characteristic of Windows hosts.  This is a handy flag when trying to identify host machines across the network.  The last scan we will perform is the network range scan.

mr-oss@slackware # nmap 192.168.1.1-255

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-01-20 05:28 CST
Interesting ports on this (192.168.1.1):
Not shown: 1677 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 00:40:10:xx:xx:xx (Sonic Systems)

Interesting ports on 192.168.1.120:
Not shown: 1679 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Interesting ports on mine (192.168.1.128):
Not shown: 1678 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 00:90:4B:xx:xx:xx (GemTek Technology Co.)

Interesting ports on 192.168.1.253:
Not shown: 1678 closed ports
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  UPnP
MAC Address: 00:80:F0:xx:xx:xx (Panasonic Communications Co.)

This scan covered the range given on the command line, 192.168.1.1 through 192.168.1.255 (the .255 address is the subnet broadcast address and returns nothing useful; 192.168.1.1-254 or 192.168.1.0/24 is the usual way to write the range), and reported every live host it found.  Only hosts that answered nmap's host discovery probes (an ICMP echo and tcp probe, or an ARP request on the local Ethernet) are port scanned, so a host that blocks ping may be missed; the -P0 flag (spelled -Pn in current releases) tells nmap to scan every address regardless.  Without a port specification each host is checked against the default port list only, which is why the udp ports and the web server on port 64000 are absent from this output.  This technique is handy when trying to find other computers or performing network-wide system audits.
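As an added example (not part of the original article), the following POSIX shell script converts nmap's normal output into one line per port so that the result of a range scan can be saved and diffed against the previous run.  The input is a constructed sample: two hosts from the range scan above, with an assumed filtered port 445/tcp added to the host at 192.168.1.128 to show how non-open states are carried through.

```sh
#!/bin/sh
# Convert nmap's normal (human-readable) output into one line per port,
# "host port/proto state service", so a range scan can be saved and diffed
# against the previous run to catch ports that have newly opened.
#
# Constructed sample input: two hosts from the article's range scan, with an
# assumed "filtered" port added to host .128 to show how non-open states are
# carried through.
SAMPLE_NMAP='Interesting ports on this (192.168.1.1):
Not shown: 1677 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 00:40:10:xx:xx:xx (Sonic Systems)

Interesting ports on mine (192.168.1.128):
Not shown: 1678 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp filtered microsoft-ds
MAC Address: 00:90:4B:xx:xx:xx (GemTek Technology Co.)'

# nmap_inventory: reads nmap output on stdin, prints "host port/proto state service".
# The host is taken from each section header, which nmap 4.x prints as
# "Interesting ports on NAME (IP):" (or just the IP) and newer releases as
# "Nmap scan report for NAME (IP)"; in every form the IP is the last word.
nmap_inventory() {
    awk '
        /^(Interesting ports on|Nmap scan report for) / {
            host = $NF
            gsub(/[():]/, "", host)       # "(192.168.1.1):" -> "192.168.1.1"
            next
        }
        $1 ~ "^[0-9]+/(tcp|udp)$" { print host, $1, $2, $3 }'
}

# open_ports_by_host: collapse the inventory to "host: port/proto,..." keeping
# only ports in state open. open|filtered and filtered are left out because
# they are not confirmed listeners; grep them out of nmap_inventory separately.
# Hosts are printed in the order nmap reported them.
open_ports_by_host() {
    nmap_inventory | awk '
        $3 == "open" {
            if (!($1 in ports)) order[++n] = $1
            ports[$1] = (ports[$1] == "" ? $2 : ports[$1] "," $2)
        }
        END { for (i = 1; i <= n; i++) print order[i] ": " ports[order[i]] }'
}

printf '%s\n' "$SAMPLE_NMAP" | nmap_inventory
printf '%s\n' "$SAMPLE_NMAP" | open_ports_by_host
```

In practice, save each scan with nmap's -oN option (for example nmap -oN today.txt 192.168.1.0/24), pipe the file through nmap_inventory, and diff the result against the previous day's file; every added line is a port that was not open last time and every removed line a service that has disappeared.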

This concludes our introduction to port scanning and identification.  Hopefully you now have a solid fundamental understanding of the techniques and methods used to identify open ports on computer systems.  I highly recommend reading the man pages for both netstat and nmap; there are endless combinations of command line flags that can be used to do amazing things.  Also, take a look at the /etc/services file on your linux system.  It maps service names to the port numbers they conventionally use, and it is what netstat and nmap consult when they label port 22 as ssh.  Since any program can listen on any port, treat those labels as a hint rather than proof of what is running; nmap's -sV flag probes the service itself to find out.  Check back soon for the advanced port scanning tutorial.

Last Updated ( Sunday, 20 January 2008 )