Sample article: How to Scan for Open Ports in Linux
Open ports can pose a security threat to a system. It is essential to keep open ports to a bare minimum, and scanning all the possible TCP and UDP ports shows which ones are open.
System administrators and hackers often use this process to check the availability of open ports. Before starting a port scan, make sure that it is not against the law in your country, as some countries consider it illegal.
This article discusses various ways in which open ports can be checked from the Linux command line.
What is a Port?
A port is a 16-bit number ranging from 0 to 65535. The following list shows several categories of ports:
- Well known Ports (0 to 1023)
- Registered Ports (1024 to 49151)
- Dynamic Ports (49152 through 65535)
There are various well-known universal ports, a few of which are listed below:
- 20: FTP data
- 22: SSH
- 53: DNS services
- 80: HTTP – Unencrypted Web traffic
- 143: IMAP mail port
- 443: HTTPS – Secure web traffic
- 587: SMTP – message submission port
To view the list of common port assignments on the system, execute the following command. The common ports are listed in the /etc/services file.
$ sudo less /etc/services
What is an Open Port?
An open port is a port on which a service is listening for incoming traffic from outside locations. For instance, if a web server listens on ports 80 and 443, and both of these are open, then anyone at a remote location can access the websites hosted on that web server.
Open ports are a security risk to an organization: a vulnerable service listening on an open port can be exploited by attackers. To decrease the risk, all ports must be closed except for the ones needed for functionality.
Scanning for Open Ports in Linux
Method 1: Nmap
Nmap is the most important tool for scanning for open ports. It is also the most versatile, as it can be used for vulnerability assessment and operating system fingerprinting as well. Nmap also has a GUI called Zenmap.
- Nmap can be installed using the apt, dnf, or yum package manager, depending on the Linux distribution.
$ sudo apt install nmap
$ sudo dnf install nmap
$ sudo yum install nmap
- After installation, run the following command to get a complete list of open TCP and UDP ports on the local machine. The execution might take a while.
$ sudo nmap -n -PN -sT -sU -p- localhost
- To scan a particular host with Nmap, type the command with the hostname; this will list the open ports and services.
$ sudo nmap dsu.edu.pk
The command will show output similar to the following:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-14 07:20 UTC
Nmap scan report for dsu.edu.pk (35.236.144.210)
Host is up (0.0063s latency).
rDNS record for 35.236.144.210: 210.144.236.35.bc.googleusercontent.com
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 91.05 seconds
- To scan for UDP ports, use the -sU flag with the nmap command. This might require root privilege. Apart from this flag, some commonly used flags are:
- -p- : Scan for all ports
- -sT : TCP scan
- -O: Scans for the running operating system
- -T[1-5]: Sets the scanning speed
Method 2: Netstat
Netstat is a widely used command to print all the open ports in Linux systems. To use netstat, run the following command in the terminal:
$ sudo netstat -ltup
Netstat can also be used with the grep command to identify which application is listening on which port, or to find which applications are tied to a particular port.
To list only the listening ports using netstat, type and execute the following command:
$ sudo netstat -tulpn | grep LISTEN
Method 3: ss
Like netstat, the ss command is used to display open ports in a system. Execute the command given below to view open ports using ss:
$ sudo ss -lntup
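The advice above to close every port except the ones needed can be checked directly against this output. The following is an added example, not part of the original article: it filters ss output against an allowlist and reports every listener reachable beyond loopback that is not expected. The function names audit_listeners and sample_ss_output, the allowlist, and the sample lines are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -lntup` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=700,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=950,fd=6))
tcp   LISTEN 0      151    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1012,fd=21))
tcp   LISTEN 0      4096   *:9100             *:*               users:(("node_exporter",pid=1100,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=801,fd=4))
EOF
}

# audit_listeners "<proto/port> ..." : read ss output on stdin and print every
# listener that is reachable beyond loopback and is not on the allowlist.
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }        # skips the header line too
        {
            port = $5; sub(/^.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)     # text before the last colon
            sub(/%.*$/, "", addr)                   # drop "%lo" style interface scope
            if (addr ~ /^127\./ || addr == "[::1]") next   # bound to loopback only
            key = $1 "/" port
            if (key in ok) next                     # expected service
            # The Process column is empty without root; report "?" in that case.
            proc = (split($7, q, "\"") >= 2) ? q[2] : "?"
            print key, addr, proc
        }' | sort -u
}

# On a real host: sudo ss -lntup | audit_listeners "tcp/22 tcp/80 tcp/443"
sample_ss_output | audit_listeners "tcp/22 tcp/80 tcp/443"
```

With the sample data, the two unexpected listeners are the metrics exporter on tcp/9100 and the DHCP client on udp/68; the MySQL and resolver sockets are skipped because they are bound to loopback only.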
Method 4: lsof
This command lists all open files. Since Linux treats everything as a file, this command could scan for an open stream or a network file. Run the command as:
$ sudo lsof -i
$ sudo lsof -i -P -n | grep LISTEN
The grep command will show only those ports that are in the LISTEN state.
Method 5: Netcat
- Netcat is a utility that reads and writes data across network connections and can also be used to scan TCP and UDP ports. To install Netcat, type:
$ sudo apt install netcat-traditional -y
- To scan using Netcat, type the nc command followed by the domain and port number.
$ sudo nc -z -v dsu.edu.pk 80
- Executing the command will display output similar to this:
dsu.edu.pk [35.236.144.210] 80 (http) open
- Netcat can also be used with a range of port numbers:
$ sudo nc -z -v 35.236.144.210 20-80
The output will look something like this (if the domain is personal):
nc: connect to 10.9.8.8 port 20 (tcp) failed: Connection refused
nc: connect to 10.9.8.8 port 21 (tcp) failed: Connection refused
Connection to 10.9.8.8 22 port [tcp/ssh] succeeded!
…
Connection to 10.9.8.8 80 port [tcp/http] succeeded!
Otherwise, it will keep on waiting for the connection.
Method 6: Unicornscan
Unicornscan is a tool designed to scan networks for vulnerabilities. It provides various comprehensive features as compared to Nmap. Just like Nmap, it needs to be installed first.
- To install Unicornscan, execute the command given below:
$ sudo apt-get install unicornscan -y
- Then run it using the unicornscan keyword with an IP address.
$ sudo unicornscan -v -I 192.168.1.102
Scanning for open ports is equally essential for security administrators, developers, security experts, and gamers. This article discussed various ways in which the open ports in Linux can be checked. No single command is better than the others. All of them are equally useful and provide the required information. Users can pick whichever suits their needs.