Specifically RHEL 6.5
It's a Dev box and we have certain port ranges we are permitted for development use.
...unfortunately, getting a tech's attention to find out what ports are available is like pulling teeth. Would prefer a script or alias that does this so that we don't have to ask all the time. Clues? Is this an iptables command or is it a netstat command or some weird combo? nmap is not available on this machine.
Please don't say this is a Server Fault question. They say it's a programming question. :-|
Definitely a SF question but here we go. From the dev box itself (command line) you should be able to see what ports are in use with the netstat tool.
To see the list of listening ports both UDP and TCP, complete with the program names:
# preferably as root
netstat --listening --program --numeric-ports --protocol=ip -6 -4
From another machine, you can use nmap or a similar tool to see what ports are open/listening by scanning the IP address assigned to the dev box. Before trying this, maybe you should ask for permission. Also, you should consider that the box in question might have firewall rules in place that can thwart your scanning attempts.
To see what firewall rules are in place in the dev box try:
# as root
iptables -nvxL -t filter
# maybe there are NAT rules, redirects to other addresses, etc.
iptables -nvxL -t nat
To see what these iptables options do, try man iptables.
As an example, assuming 172.16.0.1 is the IP address assigned to the dev box, to run nmap in the simplest way possible:
# preferably as root
nmap -v 172.16.0.1
In a few minutes you should see a list of ports/services listening in that relevant box.
Try man nmap and read the documentation for more details.
If you really think this is a programming issue, you can use the netcat tool and program a simple script to do something roughly equivalent to what nmap does.
#!/bin/bash
#
# DISCLAIMER: NOT TESTED -- just an example
# NOTE: This will take many DAYS to complete
HOST=172.16.0.1
for port in `seq 1 65535`
do
echo "Trying ${port}..."
netcat -vvv ${HOST} $port -w 1 -z
done
For every open TCP port you should see a line similar to this:
Connection to 172.16.0.1 23 port [tcp/telnet] succeeded!
Related
I encounted a problem today:
When I started HDP docker container, an error occured:
listen tcp 0.0.0.0:8086: bind: address already in use
According to error message, I know that port 8086 was already in use, so I tried some commands to determine which program was using port 8086.
lsof -i:8086
lsof -i tcp:8086
lsof | grep 8086
But all of commands above make no outputs!
I felt really confused about that, after some searching on google, I tried another command:
netstat -pna | grep 8086
I got correct output from this command.
I know some differences between lsof and netstat, but I really do not know why I cannot get any output from lsof -i:8086?.
Here are some differences between two commands I searched from google:
netstat(net statistic) is connection based,it shows NW connections (udp/tcp ports), routing tables, interface, multi-cast membership, etc.
lsof(list of open files) is application based, this is kind of like netstat + ps, there you can see all accessed ports, NW connections, etc.
but lsof includes stuff like my local emacs window terminal session (tty dev/pts/n) which is not part of netstat
I faced a similar issue today. The solution was to run the lsof command with sudo privileges.
sudo lsof -i:8086
should print the desired output.
LSOF: List of Open Files. It lists all the open files belonging to all active processes.
Examples:
sudo lsof -n -i
sudo lsof -n -i4
sudo lsof -n -i :80
-n inhibits the conversion of network numbers to host names for network files. Inhibiting conversion may make lsof run faster. It is also useful when host
lookup is not working properly
-i selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files. If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed.
NETSTAT: It is a tool to get the network statistics. By default, netstat displays a list of open sockets. If you don't specify any
address families, then the active sockets of all configured address
families will be printed.
Displays the kernel routing tables:
netstat -r
Display all listening and established connection for both TCP and UDP with PID data:
netstat -plunt
Additionally, You have another command line tool to use which is SS.
SS: It is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state
information than other tools.
-plunt gives data for the TCP and UDP connections which are established and listening with process information:
sudo ss -plunt
You should be root to get proper answers to your lsof questions. Your command is fine, assuming something really is listening on that port.
As you already mentioned, lsof is a very useful command which is used to list files opened by a specific process, while netstat is a tool for monitoring network connections.
You should be able to find the PID of the process listening on port 8086 with netstat:
netstat -tunlp |grep :8086
and then use lsof to list the files used by the process:
lsof -p PID
I am trying to understand why netcat listener isn't working in my Kali Linux VM. From what I understand,I open a terminal and open the port.
nc -l 155
Then, I open another terminal within my VM and use the following command to connect to that port number.
nc 127.0.0.1 155 (loopback IP address and same port number)
It was unsuccessful and since I am just a newbie in this field, I was hoping to get some assistance on this issue. However, I found a new way to execute this command but I am not understanding the logic behind why this new way works and not the original method that I learned in class. Thank you for your help in advance!
First of all, to elevate your self from newbie status, you have to understand what errors mean. "it was unsuccessful" is an insufficient description of your results for any real debugging. Probably, what happened was a valuable clue to the issue - you should have included that information. Furthermore, you really have to get your commands in the quetsion exactly right. Don't say you did one thing, then post a screenshot of something else happening. I'm not sure what the -e is supposed to be doing, but I don't find any record of it in my osx implementation or online man pages.
Different builds or implementations of netcat could differ, but from what I'm seeing from a netcat on my osx box, -p is not the right way to specify destination port.
$ nc localhost -p 1055
nc: missing hostname and port
usage: nc [-46AacCDdEFhklMnOortUuvz] [-K tc] [-b boundif] [-i interval] [-p source_port] [--apple-delegate-pid pid] [--apple-delegate-uuid uuid]
[-s source_ip_address] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
-p specifies source port. You don't usually need to specify this. Furthermore, you can't have a source and destination of the socket on the same box on the same port. Usually source port doesn't need to be specified.
Finally, ports under 1024 can only be allocated as root. Like most linux professionals, I don't run anything as root unless I really have to, so I changed to 1055 for this demonstration. One nc each in a termina window, typing messages in one print out the other side. Observe:
$ nc -l 1055
hi world
hi yourself, world!
$ nc localhost 1055
hi world
hi yourself, world!
server: nc -l ${port} > ${file}
local: nc ${ip} -z ${port} < ${file}
:)
I'm wanting to be able to run a system command when an IPTable rule is hit, passing the IP address of the remote device to it.
I've had a look around but found nothing. I thought of grepping logs, but I'm expecting a lot of traffic..
Any help would be fantastic!
Thanks
(If it helps, Ubuntu Linux is my platform of choice)
Here is how you do it:
iptables -I FORWARD -p tcp --dport 80 -d a.b.c.d -j LOG --log-prefix="TRIGGER ME NOW !!!"
tail -f some-logfile | awk '/some-pattern/ {system("run-some-command")}'
Should be straight forward enough and should be able to deal with lots of traffic, the tail command should be quick enough... Just make sure the file doesn't grow too much.
Do it with knockd instead. You configure a port knocking sequence of just one port, then tell knockd the command you want to run. Normally it's used to add/remove iptables rules -- to open a service (e.g. ssh access) after a certain knock sequence, but I don't see why you couldn't just use it to run a command after a very simple, one packet on one expected port rule.
'apt-get install knockd' on your Ubuntu system and the man page has examples you can easily adapt to this.
it is actually easy.
we have 2 way to do this. If you use tail log then iptables will not depend on log result.
you can use NFQUEUE. Please read my article if you have time.
https://medium.com/#farizmuradov/useful-notes-about-nfqueue-80a2c271db1a
Same article I have added my linkedin page.
you can write simple router in application level and send data from iptables to listen port. In programming level you can execute scripts and send data again some port. Then you can continue by iptables.
I'm searching for a way to listen to a specific port on a specific ip and just dump all incoming data.
It has to work on linux, perferrably something that comes as debian package but if i have to compile it thats fine to.
Would be nice if the data gets stored in a mysql database, but just a file would be ok to.
Thanks!
use command
nc -l hostname 10000 > op.txt
netcat, often packaged as nc, is a great tool for such tasks.
You can always use Nmap (more advanced).
It is an utility for network exploration or security auditing...
Link: http://nmap.org/
Another tool you can use is ngrep / very similar to tcpdump but you can tell it to only listen for packets containing a certain string.
You can specify a port and source and destination IP as well
Yet another tool is tcpdump and its descendants:
sudo tshark -w /tmp/out.pcap -s 2000 -i eth0 ip host 198.51.100.99 and tcp port 80
Thanks for all your suggestions but i had to go another way...
There is a Debian Package called 'ucspi-tcp' which contains 'tcpserver'
tcpserver just listens on a port and pipes everything into a process you specify.
In my case i wrote a little script that stores the data in a mysql Database.
I am running CentOS 5 with csf firewall. I'm running a program that can't connect to another server (using some port that is blocked by csf I presume). Where is the log file for 'ports'?
Netstat is the command to use to get ports and network activity. To diagonise server processes I usually use:
netstat -tln
This yields port numbers in tcp mode listening. To identify associated processes you can also use -p to grab the pid. Here is the IANA ports list.
I found my answer right after searching a few more threads.
# tail -f /var/log/messages
Shows the UDP message but not the port.... Hmm....