Sample article: How to Scan for Open Ports in Linux

Open ports often pose a possible security threat to the system. It is essential to keep open ports to a bare minimum, and scanning all the possible TCP and UDP ports shows which ones are open.

System administrators and hackers often use this process to check the availability of open ports. Before starting with the port scan, make sure that it is not against the law in your country, as some countries consider it illegal.

This article discusses various ways in which open ports can be checked from the Linux command line.

What is a Port?

A port is a 16-bit number ranging from 0 to 65535. The following list shows several categories of ports:

  • Well known Ports (0 to 1023) 
  • Registered Ports (1024 to 49151)
  • Dynamic Ports (49152 through 65535)

There are many well-known ports, a few of which are listed below:

  • 20: FTP data
  • 22: SSH
  • 53: DNS services
  • 80: HTTP – Unencrypted Web traffic
  • 143: IMAP mail port
  • 443: HTTPS – Secure web traffic
  • 587: SMTP – message submission port

To see the list of common ports and the services assigned to them, view the /etc/services file with the following command.

$ sudo less /etc/services

What is an Open Port?

An open port is a port on which a service is listening for incoming traffic from outside locations. For instance, if a web service listens on ports 80 and 443, and both of these are open, then anyone from a remote location can access the websites hosted on that web server.

Open ports are a security risk to an organization. Attackers can easily exploit a vulnerable service exposed on an open port. To decrease the risk, all ports must be closed except for the ones needed for functionality.

Scanning for Open Ports in Linux

Method 1: Nmap

Nmap is the most important tool for scanning open ports. It is also the most versatile, as it can be used for vulnerability assessment and operating system fingerprinting as well. Nmap also has a GUI called Zenmap.

  1. Nmap can be installed using the apt, dnf, or yum package manager, depending on the Linux distribution.

$ sudo apt install nmap

$ sudo dnf install nmap

$ sudo yum install nmap

  2. After installation, run the following command to get a complete list of open TCP and UDP ports on the local machine. The execution might take slightly longer.

$ sudo nmap -n -PN -sT -sU -p- localhost

  3. To scan a particular host with Nmap, type the command with the hostname; this will list the open ports and services.

$ sudo nmap

The command will show the output similar to the one given below:

Starting Nmap 7.80 ( ) at 2021-08-14 07:20 UTC

Nmap scan report for (

Host is up (0.0063s latency).

rDNS record for

Not shown: 996 filtered ports


22/tcp   open   ssh

80/tcp   open   http

443/tcp  open   https

3389/tcp closed ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 91.05 seconds

  4. To scan for UDP ports, use the -sU flag with the nmap command. This might require root privileges. Apart from these flags, some commonly used flags are:
  • -p- : Scan for all ports
  • -sT : TCP scan
  • -O : Detects the operating system running on the target
  • -T[1-5] : Sets the scanning speed

Method 2: Netstat

Netstat is a widely used command to print all the open ports in Linux systems. To use netstat, run the following command in the terminal:

$ sudo netstat -ltup

Netstat can also be used with the grep command to identify which application is listening to which port. It is also used to find what applications are tied to a particular port. 

To list only the ports in the LISTEN state using netstat, type and execute the following command:

$ sudo netstat -tulpn | grep LISTEN

Method 3: ss

Like netstat, the ss command is used to display open ports in a system. Execute the command given below to view open ports using ss:

$ sudo ss -lntup
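
Closing every port except the ones a host needs is easier to enforce when the ss output is checked against a written list. The script below is an added example, not part of the original article: it reads `ss -H -lntu` output and reports listeners that are not on an allowlist. The function names, the allowlist contents and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage on a live host:  ss -H -lntu | audit_listeners "tcp/22 tcp/443"

# audit_listeners ALLOWLIST
# Reads `ss -H -lntu` lines on stdin and prints one finding per socket whose
# proto/port is not in the space-separated ALLOWLIST (a hypothetical policy):
#   UNEXPECTED proto/port addr   reachable from other hosts
#   LOCAL      proto/port addr   bound to loopback only
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 {
        proto = $1; laddr = $5
        port = laddr; sub(/^.*:/, "", port)      # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        sub(/%.*$/, "", addr)                    # drop scope suffix such as %lo
        key = proto "/" port
        if (key in ok) next
        if (addr ~ /^127\./ || addr == "[::1]") print "LOCAL " key " " addr
        else print "UNEXPECTED " key " " addr
    }'
}

# Constructed sample in the column layout of `ss -H -lntu`.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80     0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306   0.0.0.0:*
tcp   LISTEN 0      128             [::]:22        [::]:*
udp   UNCONN 0      0            0.0.0.0:5353   0.0.0.0:*
EOF
}

sample_ss_output | audit_listeners "tcp/22 tcp/443"
```

Listeners marked LOCAL are bound to loopback and cannot be reached from other hosts; the UNEXPECTED ones are the services to close or to add to the allowlist deliberately.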

Method 4: lsof

This command lists all open files. Since Linux treats everything as a file, this command could scan for an open stream or a network file. Run the command as:

$ sudo lsof -i

$ sudo lsof -i -P -n | grep LISTEN

The grep command will show only those ports that are in the LISTEN state. 

Method 5: Netcat

  1. Netcat is a utility that reads and writes data across network connections and can be used to scan TCP and UDP ports. To install Netcat, type:

$ sudo apt install netcat-traditional -y

  2. To scan using Netcat, type nc followed by the domain and port number.

$ sudo nc -z -v 80

  3. Executing the command will display output similar to this: [] 80 (http) open

  4. Netcat can also be used with a range of port numbers:

$ sudo nc -z -v 20-80

The output will look something like this (if the domain is personal):

nc: connect to port 20 (tcp) failed: Connection refused

nc: connect to port 21 (tcp) failed: Connection refused

Connection to 22 port [tcp/ssh] succeeded!

Connection to 80 port [tcp/http] succeeded!

Otherwise, it will keep on waiting for the connection.

Method 6: Unicornscan

Unicornscan is a tool designed to scan for network vulnerabilities. It provides various comprehensive features compared to Nmap. Just like Nmap, it needs to be installed first.

  1. To install Unicornscan, execute the command given below:

$ sudo apt-get install unicornscan -y

  2. Then run it with the target IP address.

$ sudo unicornscan -v -I

Scanning for open ports is equally essential for security administrators, developers, security experts, and gamers. This article discussed various ways in which open ports in Linux can be checked. No single command is better than the others; all of them are useful and provide the required information. Users can choose one as per their needs.