文章目录
- lsof
- ss
- Nmap
- 扫描公网主机
linux_端口占用扫描port scan
How to check if port is in use on Linux or Unix - nixCraft (cyberciti.biz)
- Run any one of the following command on Linux to see open ports:
sudo lsof -i -P -n | grep LISTEN
sudo netstat -tulpn | grep LISTEN
sudo ss -tulpn | grep LISTEN
sudo lsof -i:22 ## see a specific port such as 22 ##
sudo nmap -sTU -O IP-address-Here
lsof
lsof (8) - list open files
root权限
如果不用root权限,那么扫描结果将为空!
Description :
An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet
socket, NFS file or UNIX domain socket.) A specific file or all the files in a file system may be selected by path.
Instead of a formatted display, lsof will produce output that can be parsed by other programs. See the -F, option description, and the OUTPUT FOR OTHER PROGRAMS section for
more information.
In addition to producing a single output list, lsof will run in repeat mode. In repeat mode it will produce output, delay, then repeat the output operation until stopped with
an interrupt or quit signal. See the +|-r [t[m<fmt>]] option description for more information.
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 09:54:45]
└─[0] <git:(main 881ac45✱✈) > manly lsof -iPn
lsof - list open files
======================
-i [i] selects the listing of files any of whose Internet address
matches the address specified in i. If no address is speci‐
fied, this option selects the listing of all Internet and x.25
(HP-UX) network files.
-i6 - IPv6 only
TCP:25 - TCP and port 25
@1.2.3.4 - Internet IPv4 host address 1.2.3.4
@[3ffe:1ebc::1]:1234 - Internet IPv6 host address
3ffe:1ebc::1, port 1234
UDP:who - UDP who service port
TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap
tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10,
service name smtp, port 99, host name foo
tcp@bar:1-smtp - TCP, ports 1 through smtp, host bar
:time - either TCP, UDP or UDPLITE time service port
-n inhibits the conversion of network numbers to host names for
network files. Inhibiting conversion may make lsof run
faster. It is also useful when host name lookup is not work‐
ing properly.
-P inhibits the conversion of port numbers to port names for net‐
work files. Inhibiting the conversion may make lsof run a
little faster. It is also useful when port name lookup is not
working properly.
-iTCP -sTCP:LISTEN
-iUDP -sUDP:Idle
example
lsof & grep
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 09:58:06]
└─[0] <git:(main 881ac45✱✈) > sudo lsof -i -P -n |grep 9000
webhook 15407 root 3u IPv6 21727403 0t0 TCP *:9000 (LISTEN)
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 09:58:34]
└─[0] <git:(main 881ac45✱✈) > sudo lsof -i -P -n |grep 3306
mysqld 1795 mysql 21u IPv6 36196 0t0 TCP *:33060 (LISTEN)
mysqld 1795 mysql 37u IPv6 36376 0t0 TCP *:3306 (LISTEN)
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 10:01:50]
└─[1] <git:(main 881ac45✱✈) > sudo lsof -i -P -n |grep AliYun
AliYunDun 1806 root 17u IPv4 25221 0t0 TCP 172.16.27.115:33784->100.100.30.25:80 (ESTABLISHED)
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 10:01:57]
└─[0] <git:(main 881ac45✱✈) > sudo lsof -i -P -n |grep sshd
sshd 828 root 3u IPv4 20786 0t0 TCP *:22 (LISTEN)
sshd 13847 root 3u IPv4 21719320 0t0 TCP 172.16.27.115:22->223.104.160.95:24743 (ESTABLISHED)
sshd 13868 cxxu 3u IPv4 21719320 0t0 TCP 172.16.27.115:22->223.104.160.95:24743 (ESTABLISHED)
sshd 13899 root 3u IPv4 21720007 0t0 TCP 172.16.27.115:22->223.104.160.95:24744 (ESTABLISHED)
sshd 13920 cxxu 3u IPv4 21720007 0t0 TCP 172.16.27.115:22->223.104.160.95:24744 (ESTABLISHED)
- sshdis the name of the application.
- 172.xxx or (*: for all ip)is the IP address to which sshd application bind to (LISTEN)
- 22is the TCP port that is being used (LISTEN)
- 85379is the process ID of the sshd process
more examples
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:26:59]
└─[0] <> egs lsof
No entry found for lsof. Run `eg --list` to see all available entries.
# To list all IPv4 network files:
sudo lsof -i4
# To list all IPv6 network files:
sudo lsof -i6
# To list all open sockets:
lsof -i
# To list all listening ports:
lsof -Pnl +M -i4
# To find which program is using the port 80:
lsof -i TCP:80
# To list all connections to a specific host:
lsof -i@192.168.1.5
# To list all processes accessing a particular file/directory:
lsof <path>
# To list all files open for a particular user:
lsof -u <username>
# To list all files/network connections a command is using:
lsof -c <command>
# To list all files a process has open:
lsof -p <pid>
# To list all files open mounted at /mount/point:
# (Particularly useful for finding which process(es) are using a mounted USB stick or CD/DVD.)
lsof +f -- <mount-point>
Cache is out of date. You should run "tldr --update"
lsof
Lists open files and the corresponding processes.
Note: Root privileges (or sudo) is required to list files opened by others.
More information: https://manned.org/lsof.
- Find the processes that have a given file open:
lsof path/to/file
- Find the process that opened a local internet port:
lsof -i :port
- Only output the process ID (PID):
lsof -t path/to/file
- List files opened by the given user:
lsof -u username
- List files opened by the given command or process:
lsof -c process_or_command_name
- List files opened by a specific process, given its PID:
lsof -p PID
- List open files in a directory:
lsof +D path/to/directory
- Find the process that is listening on a local IPv6 TCP port and don't convert network or port numbers:
lsof -i6TCP:port -sTCP:LISTEN -n -P
netstat&ss
ss &netstat不需要root权限,就可以返回结果
netstat
- 主要用法
NAME
netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast membershipsDESCRIPTION
Netstat prints information about the Linux networking subsystem.The type of information printed is controlled by the first argument, as follows:
(none)
By default, netstat displays a list of open sockets. If you don’t specify any address families, then the active sockets of all configured address families will be printed.–route, -r
Display the kernel routing tables. See the description in route(8) for details. netstat -r and route -e produce the same output.–groups, -g
Display multicast group membership information for IPv4 and IPv6.–interfaces, -i
Display a table of all network interfaces.–masquerade, -M
Display a list of masqueraded connections.–statistics, -s
Display summary statistics for each protocol.
- The netstat command deprecated for some time on Linux.
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 10:10:55]
└─[0] <git:(main 881ac45✱✈) > manly netstat -tulpn
netstat - Print network connections, routing tables, interface statis‐
=======================================================================
--numeric,-n
Show numerical addresses instead of trying to determine symbolic host,
port or user names.
-p, --program
Show the PID and name of the program to which each socket belongs.
-l, --listening
Show only listening sockets. (These are omitted by default.)
examples
- 检查9000端口的情况
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:23:10]
└─[0] <> netstat -tulpn | grep 9000
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::9000 :::* LISTEN -
ss
The netstat command deprecated for some time on Linux. Therefore, you need to use the ss command as follows:
sudo ss -tulw
sudo ss -tulwn
sudo ss -tulwn | grep LISTEN
NAME
ss - another utility to investigate socketsSYNOPSIS
ss [options] [ FILTER ]DESCRIPTION
ss is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state informations than other tools.
-
sudo ss -tulwn
└─[130] <git:(main 881ac45✱✈) > manly ss -tulwn
ss - another utility to investigate sockets
===========================================
-n, --numeric
Do not try to resolve service names.
-l, --listening
Display only listening sockets (these are omitted by default).
-t, --tcp
Display TCP sockets.
-u, --udp
Display UDP sockets.
-w, --raw
Display RAW sockets.
examples
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 10:15:07]
└─[0] <git:(main 881ac45✱✈) > ss -tulw
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
icmp6 UNCONN 0 0 *%eth0:ipv6-icmp *:*
udp UNCONN 0 0 0.0.0.0:ipp 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:34571 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:domain 0.0.0.0:*
udp UNCONN 0 0 172.16.27.115%eth0:bootpc 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:mdns 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::]:46213 [::]:*
udp UNCONN 0 0 [::]:mdns [::]:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 127.0.0.1:42305 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:dict 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:http 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:ipp 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:postgresql 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:888 0.0.0.0:*
tcp LISTEN 0 10 0.0.0.0:8000 0.0.0.0:*
tcp LISTEN 0 70 *:33060 *:*
tcp LISTEN 0 128 *:9000 *:*
tcp LISTEN 0 128 *:mysql *:*
tcp LISTEN 0 5 [::1]:ipp [::]:*
tcp LISTEN 0 128 [::1]:postgresql [::]:*
more examples
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:39:28]
└─[130] <> egs ss
No entry found for ss. Run `eg --list` to see all available entries.
Args
-4/-6 list ipv4/ipv6 sockets
-n numeric addresses instead of hostnames
-l list listing sockets
-u/-t/-x list udp/tcp/unix sockets
-p Show process(es) that using socket
# show all listening tcp sockets including the corresponding process
ss -tlp
# show all sockets connecting to 192.168.2.1 on port 80
ss -t dst 192.168.2.1:80
# show all ssh related connection
ss -t state established '( dport = :ssh or sport = :ssh )'
ss
Utility to investigate sockets.
More information: https://manned.org/ss.8.
- Show all TCP/UDP/RAW/UNIX sockets:
ss -a -t|-u|-w|-x
- Filter TCP sockets by states, only/exclude:
ss state/exclude bucket/big/connected/synchronized/...
- Show all TCP sockets connected to the local HTTPS port (443):
ss -t src :443
- Show all TCP sockets listening on the local 8080 port:
ss -lt src :8080
- Show all TCP sockets along with processes connected to a remote ssh port:
ss -pt dst :ssh
- Show all UDP sockets connected on specific source and destination ports:
ss -u 'sport == :source_port and dport == :destination_port'
- Show all TCP IPv4 sockets locally connected on the subnet 192.168.0.0/16:
ss -4t src 192.168/16
Nmap
nmap - Network exploration tool and security / port scanner
DESCRIPTION
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is
commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime.The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports
table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on
the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap
cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when
they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it
cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP
protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC
addresses.
A typical Nmap scan is shown in Example 1. The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for
faster execution; and then the hostname.
-
sudo apt install Nmap(系统可能不自带该命令)
example
Nmap&本地主机
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:05:49]
└─[0] <> sudo nmap -sT -O localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2022-06-06 09:07 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000063s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
888/tcp open accessbuilder
3306/tcp open mysql
5432/tcp open postgresql
8000/tcp open http-alt
9000/tcp open cslistener
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
#UDP&TCP
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:16:30]
└─[1] <> sudo nmap -sTU -O localhost
Starting Nmap 7.60 ( https://nmap.org ) at 2022-06-06 09:16 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000061s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 1990 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
888/tcp open accessbuilder
3306/tcp open mysql
5432/tcp open postgresql
8000/tcp open http-alt
9000/tcp open cslistener
631/udp open|filtered ipp
5353/udp open|filtered zeroconf
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds
扫描公网主机
- 主机ip做了混淆
- 扫描速度较慢
Nmap & domain
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:17:36]
└─[0] <> sudo nmap -sTU -O www.baidu.com
Starting Nmap 7.60 ( https://nmap.org ) at 2022-06-06 09:22 CST
Nmap scan report for www.baidu.com (110.242.68.3)
Host is up (0.015s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.4
Not shown: 1000 open|filtered ports, 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|proxy server
Running (JUST GUESSING): AVtech embedded (88%), Blue Coat embedded (86%)
OS CPE: cpe:/h:bluecoat:packetshaper
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (88%), Blue Coat PacketShaper appliance (86%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.87 seconds
Nmap&ip
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:16:41]
└─[0] <> sudo nmap -sTU -O 123.56.172.67
Starting Nmap 7.60 ( https://nmap.org ) at 2022-06-06 09:17 CST
Nmap scan report for 123.56.172.67
Host is up (0.0031s latency).
Not shown: 1000 open|filtered ports, 937 filtered ports, 57 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
888/tcp open accessbuilder
3306/tcp open mysql
8000/tcp open http-alt
9000/tcp open cslistener
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=6/6%OT=22%CT=3389%CU=%PV=N%G=Y%TM=629D55B0%P=x86_64-pc
OS:-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=Z%CI=Z%TS=A)SEQ(SP=107%GCD=1%ISR=
OS:109%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW
OS:7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%
OS:W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%TG=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T
OS:1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.13 seconds
- 可以使用grep过滤
more exampls
┌─[cxxu@cxxuAli] - [~] - [2022-06-06 09:39:34]
└─[0] <> egs nmap
No entry found for nmap. Run `eg --list` to see all available entries.
# Single target scan:
nmap [target]
# Scan from a list of targets:
nmap -iL [list.txt]
# iPv6:
nmap -6 [target]
# OS detection:
nmap -O --osscan_guess [target]
# Save output to text file:
nmap -oN [output.txt] [target]
# Save output to xml file:
nmap -oX [output.xml] [target]
# Scan a specific port:
nmap -source-port [port] [target]
# Do an aggressive scan:
nmap -A [target]
# Speedup your scan:
# -n => disable ReverseDNS
# --min-rate=X => min X packets / sec
nmap -T5 --min-parallelism=50 -n --min-rate=300 [target]
# Traceroute:
nmap -traceroute [target]
# Ping scan only: -sP
# Don't ping: -PN <- Use full if a host don't reply to a ping.
# TCP SYN ping: -PS
# TCP ACK ping: -PA
# UDP ping: -PU
# ARP ping: -PR
# Example: Ping scan all machines on a class C network
nmap -sP 192.168.0.0/24
# Force TCP scan: -sT
# Force UDP scan: -sU
# Use some script:
nmap --script default,safe
# Loads the script in the default category, the banner script, and all .nse files in the directory /home/user/customscripts.
nmap --script default,banner,/home/user/customscripts
# Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy.
nmap --script 'http-*'
# Loads every script except for those in the intrusive category.
nmap --script "not intrusive"
# Loads those scripts that are in both the default and safe categories.
nmap --script "default and safe"
# Loads scripts in the default, safe, or intrusive categories, except for those whose names start with http-.
nmap --script "(default or safe or intrusive) and not http-*"
# Scan for the heartbleed
# -pT:443 => Scan only port 443 with TCP (T:)
nmap -T5 --min-parallelism=50 -n --script "ssl-heartbleed" -pT:443 127.0.0.1
# Show all informations (debug mode)
nmap -d ...
# Scan for available SSH connections (use root for additional output)
nmap -p 22 192.168.0.0/24
## Port Status Information
- Open: This indicates that an application is listening for connections on this port.
- Closed: This indicates that the probes were received but there is no application listening on this port.
- Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
- Unfiltered: This indicates that the probes were received but a state could not be established.
- Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state.
- Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state.
## Additional Scan Types
nmap -sn: Probe only (host discovery, not port scan)
nmap -sS: SYN Scan
nmap -sT: TCP Connect Scan
nmap -sU: UDP Scan
nmap -sV: Version Scan
nmap -O: Used for OS Detection/fingerprinting
nmap --scanflags: Sets custom list of TCP using `URG ACK PSH RST SYN FIN` in any order
### Nmap Scripting Engine Categories
The most common Nmap scripting engine categories:
- auth: Utilize credentials or bypass authentication on target hosts.
- broadcast: Discover hosts not included on command line by broadcasting on local network.
- brute: Attempt to guess passwords on target systems, for a variety of protocols, including http, SNMP, IAX, MySQL, VNC, etc.
- default: Scripts run automatically when -sC or -A are used.
- discovery: Try to learn more information about target hosts through public sources of information, SNMP, directory services, and more.
- dos: May cause denial of service conditions in target hosts.
- exploit: Attempt to exploit target systems.
- external: Interact with third-party systems not included in target list.
- fuzzer: Send unexpected input in network protocol fields.
- intrusive: May crash target, consume excessive resources, or otherwise impact target machines in a malicious fashion.
- malware: Look for signs of malware infection on the target hosts.
- safe: Designed not to impact target in a negative fashion.
- version: Measure the version of software or protocols on the target hosts.
- vul: Measure whether target systems have a known vulnerability.
Viewing the Internet network services list(查看常用端口介绍)
- The /etc/services is a text file mapping betweenhuman-friendly textual namesfor internet services andtheir underlying assignedport numbers and protocol types.
- Use thecat command ormore command/less command to view it:
- 获取帮助
man services
-
services - Internet network services list
┌─[cxxu@cxxuAli] - [~/djangoProjs] - [2022-06-05 10:08:20]
└─[0] <git:(main 881ac45✱✈) > man services
└─[1] <git:(main 881ac45✱✈) > bat /etc/services|grep ssh
ssh 22/tcp # SSH Remote Login Protocol
