When we covered port scanning a short while ago we discovered how to tell which ports had processes listening upon them, via port scanning. What we didn't do was learn how to tell which processes were associated with each open port.

Often you'll know which applications are going to be using a particular port, because it's the standard one, or because you know you set it up.

For example when you see something listening upon port 25 you tend to expect it to be a mailserver, and similarly if you find something listening on port 80 you'll not be suprised to discover it's a webserver.

Sometimes though these assumptions can be mistaken, and other times you'll discover an open port which you simply don't recognise. If you're examing a machine you're not sure you trust fully it's worth checking exactly which processes are really running.

As we noted in the the introduction to port scanning with nmap you can lookup which service uses any of the "standard" ports by referring to the file /etc/services.

For example we can open that file in our favourite editor, or pager, and see that port 43/tcp is associated with "whois", and that port 53 is associated with DNS.

These don't help you much if you have a service which has had it's default port changed - something some people suggest you do as a means of increasing security. (Personally I believe such misdirection is misguided at best, and counter-productive at worst).

What you really need to do is to lookup the process which is currently bound to the given network port. Thankfully this is a simple job with use of the lsof package.

If you don't have lsof already you can download and install it by becoming root and running:

root@mystery:~# apt-get install lsof

This will download and install the package for you, along with any dependencies which might be required:

Reading package lists... Done

Building dependency tree... Done

The following NEW packages will be installed:

  lsof

0 upgraded, 1 newly installed, 0 to remove and 16 not upgraded.

Need to get 339kB of archives.

After unpacking 549kB of additional disk space will be used.

Get:1 http://http.us.debian.org unstable/main lsof 4.75.dfsg.1-1 [339kB]

Fetched 339kB in 3s (90.8kB/s)

Selecting previously deselected package lsof.

(Reading database ... 69882 files and directories currently installed.)

Unpacking lsof (from .../lsof_4.75.dfsg.1-1_i386.deb) ...

Setting up lsof (4.75.dfsg.1-1) ...

Once you have the package installed you can now discover precisely which processes are bound upon particular ports.

If you have the Apache webserver running on port 80 that will provide a suitable test candidate. If not you can choose another port you know is in use.

To discover the process name, ID (pid), and other details you need to run:

lsof -i :port

So to see which process is listening upon port 80 we can run:

root@mystery:~# lsof -i :80

This gives us the following output:

COMMAND   PID     USER   FD   TYPE   DEVICE SIZE NODE NAME

apache2 10437     root    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 10438 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 10439 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 10440 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 10441 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 10442 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 25966 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

apache2 25968 www-data    3u  IPv6 22890556       TCP *:www (LISTEN)

Here you can see the command running (apache2), the username it is running as www-data, and some other details.

Similarly we can see which process is bound to port 22:

root@mystery:~# lsof -i :22

COMMAND   PID USER   FD   TYPE   DEVICE SIZE NODE NAME

sshd     8936 root    3u  IPv6 12161280       TCP *:ssh (LISTEN)

To see all the ports open for listening upon the current host you can use another command netstat (contained in the net-tools package):

root@mystery:~# netstat -a |grep LISTEN |grep -v unix

tcp        0      0 *:2049                  *:*                     LISTEN

tcp        0      0 *:743                   *:*                     LISTEN

tcp        0      0 localhost.localdo:mysql *:*                     LISTEN

tcp        0      0 *:5900                  *:*                     LISTEN

tcp        0      0 localhost.locald:sunrpc *:*                     LISTEN

tcp        0      0 *:8888                  *:*                     LISTEN

tcp        0      0 localhost.localdom:smtp *:*                     LISTEN

tcp6       0      0 *:www                   *:*                     LISTEN

tcp6       0      0 *:distcc                *:*                     LISTEN

tcp6       0      0 *:ssh                   *:*                     LISTEN

Here you can see that there are processes listening upon ports 2049, 743, 5900, and several others.

(The second grep we used above was to ignore Unix domain sockets).

If you're curious to see which programs and services are used in those sockets you can look them up as we've already shown:

root@mystery:~# lsof -i :8888

COMMAND   PID    USER   FD   TYPE   DEVICE SIZE NODE NAME

gnump3d 25834 gnump3d    3u  IPv4 61035200       TCP *:8888 (LISTEN)

This tells us that the process bound to port 8888 is the gnump3d MP3 streamer.

Port 2049 and 743 are both associated with NFS. The rest can be tracked down in a similar manner. (You'll notice that some ports actually have their service names printed next to them, such as the smtp entry for port 25).

lsof is a very powerful tool which can be used for lots of jobs. If you're unfamiliar with it I recommend reading the manpage via:

man lsof

If you do so you'll discover that the -i flag can take multiple different types of arguments, to allow you to check more than one port at a time, and use IPv6 addresses too.

It's often used to see which files are open upon mounted devices, so you can kill the processes and unmount them cleanly.

最新文章

  1. centos安装nodejs
  2. 在此为LCT开一个永久的坑
  3. Eclipse 的 Debug 介绍与技巧【转载】
  4. java web 之 web.xml篇
  5. leetcode:Count and Say
  6. OWIN学习
  7. WIN32和Kernel)直接读写硬盘扇区
  8. python 代码格式化工具:pep8ify
  9. 安装 zabbix 时遇到的一个问题
  10. [算法题] 3Sum Closest
  11. Quartz学习——SSMM(Spring+SpringMVC+Mybatis+Mysql)和Quartz集成详解(四)
  12. 532. K-diff Pairs in an Array
  13. 006_netstat中state详解
  14. [转]Mysql 存储过程和函数区别
  15. [转]skynet Lua中的协程
  16. Library Publication 时遇到 "more than one library with package name" 错误的解决方法
  17. 随机模拟MCMC和Gibbs Sampling
  18. 041——VUE中组件之pros数据的多种验证机制实例详解
  19. 在JavaScript中进行文件处理,第三部分:处理事件和错误
  20. 阿里C++研发实习二面和三面面经

热门文章

  1. 【LeetCode】111. Minimum Depth of Binary Tree 解题报告(Python)
  2. 【LeetCode】904. Fruit Into Baskets 解题报告(Python)
  3. 【LeetCode】300. Longest Increasing Subsequence 解题报告(Python & C++)
  4. 1065 - Number Sequence &&1070 - Algebraic Problem
  5. BZOJ 1857: [Scoi2010]传送带(三分套三分)
  6. [炼丹术]使用Pytorch搭建模型的步骤及教程
  7. C++string字符串截取其中元素 截取定位字符串
  8. Vue.js高效前端开发 • 【Vue列表渲染】
  9. C# 绘制印章
  10. 分布式链路追踪自从用了SkyWalking,睡得真香!