Editor’s note on June 4, 2015: Chad Perrin’s April 2008 article about tools for listing active services and open ports is still one of our most popular articles, so we asked Jack Wallen to write a 2015 update on the topic. Chad’s original article appears directly after Jack’s update.

One of the biggest headaches for network administrators is open ports on devices. Unless you manually installed the operating system on every device on your network and made sure to close all nonessential ports, you run the risk of attack.

The ports you should disable will vary by system and may even be dictated by the needs of specialized software (for instance, QuickBooks requires specific ports — determined by release — in order to function). You need to come up with a list of ports that either can or must remain open. Once you have that list, you can set about closing up shop on those machines.

But how do you know which machines have which ports open? Sure, you could go around to every machine on your network, open whatever is being used as a firewall, and manually make sure all necessary ports are open and all unnecessary ports are closed.

Or, you can scan the network and find out which machines have which ports open. When you know the location of open ports, you can check that information against your master list and close everything that isn't on it. Now comes the tricky part.

How to run a port scan

How do you find out which machine has which port open? You run a port scan. In case you don’t know how to run a port scan, I’ll walk you through the process.

I’m using a Linux machine for the scan. Why? Because Linux has great scanning tools that are ready for the task, free, and easy to use.

If you don’t have a machine with Linux running on it, worry not — you can download a network penetration live distribution such as Kali Linux, burn the ISO onto a CD or USB flash drive, and boot a machine into a live instance of Linux (no changes will be made to the machine being used, as the live instance is run completely from RAM). With the live instance up and running, you’ll have an amazing assortment of network forensic/analysis tools at your disposal.

The port scanning tool you should use

The best tool for port scanning is Nmap. If you don’t want to monkey around with the command line, there’s an outstanding GUI front end called Zenmap, which is available for Linux, Windows, and Mac. If you don’t want to bother with Linux, you can install Zenmap on Windows. (Nmap is far more powerful than the Windows built-in network scanning tools.) Nmap and Zenmap work identically across platforms, so when you know how to use the tool on one platform, you can use it on all of them.

After Zenmap is installed, you are ready to run a full port scan on your network. The size of your network will dictate the time it takes to run the scan. With Zenmap, you can run very general and very specific scans. Let’s first run a very general scan to get an idea of what we’re dealing with. We’ll run a scan on an entire 192.168.1.x network.

  1. Open Zenmap.
  2. In the Target section, enter 192.168.1.1/24 (or however large a range you need to cover).
  3. From the Profile, select Intense Scan.
  4. Click the Scan button.

You should immediately see results populate the Nmap Output tab; the results display open ports on machines within your network (Figure A). The intense scan can take a long time, but if you want the most information about your network, it’s the way to go.

Figure A

Once the scan is complete, you will see a list of all devices found on the network in the left pane. Click one of the devices, scroll through the Nmap Output, and look for sections that list Port, State, and Service (Figure B).

Figure B

If you don’t have time to comb through the scan, you can always save it and view it (using Zenmap) at a later time. To save the scan, go to Scan | Save Scan, give it a name, and click Save.

For a quick view of open ports on your network, click the Ports/Hosts tab to see which ports are wide open (Figure C).

Figure C

If you don’t want to depend on the GUI, you can run the same scan(s) from the command line with Nmap (which is installed when you install Zenmap). For instance, to run the intense scan, open a terminal window and issue this command. The 192.168.1.1/24 target covers the whole 192.168.1.x network; to scan a single host, give just its address.

sudo nmap -T4 -A -v 192.168.1.1/24

These are the switches for the above command.

  • -T4: set the timing template to 4 (0-5, with 5 being the fastest)
  • -A: enable OS detection, version detection, script scanning, and traceroute
  • -v: verbose output

At this point (whether you used Nmap via the command line or the Zenmap GUI), you should have a full list of ports that are open on your network. Now that you know which ports are open and on which machines, you have a far better chance of securing those ports and, in turn, your network.
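Checking scan results against the master list of allowed ports can be automated. The following is an added example, not code from the original article: it assumes the scan was saved in Nmap's grepable format (the -oG option), and the sample scan text, the MASTER_LIST contents, and the function names are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output; not from a real scan.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "631/closed/tcp//ipp///\n"
    "Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.30 ()\tPorts: 23/open/tcp//telnet///\n"
)

# Hypothetical master list: (port, protocol) pairs allowed to be open per host.
MASTER_LIST = {
    "192.168.1.10": {(22, "tcp"), (80, "tcp")},
    "192.168.1.20": {(22, "tcp"), (443, "tcp")},
}

def parse_open_ports(grepable_text):
    """Return {host: {(port, proto), ...}} for ports whose state is exactly 'open'."""
    found = {}
    for line in grepable_text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment, Status-only line, or host with no port data
        host, ports_field = m.groups()
        ports = found.setdefault(host, set())
        # Each entry is port/state/protocol/owner/service/rpc/version/
        for port, state, proto in re.findall(r"(\d+)/([^/]*)/(tcp|udp|sctp)/", ports_field):
            if state == "open":  # skip closed, filtered and open|filtered
                ports.add((int(port), proto))
    return found

def audit(found, master):
    """Return (unexpected, missing) dicts: open but not allowed, allowed but not seen open."""
    unexpected, missing = {}, {}
    for host in sorted(set(found) | set(master)):
        seen, allowed = found.get(host, set()), master.get(host, set())
        if seen - allowed:
            unexpected[host] = sorted(seen - allowed)
        if allowed - seen:
            missing[host] = sorted(allowed - seen)
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = audit(parse_open_ports(SAMPLE_SCAN), MASTER_LIST)
    for host, ports in unexpected.items():
        print(f"{host}: close or justify {ports}")
    for host, ports in missing.items():
        print(f"{host}: expected but not open {ports}")
```

A host that appears in the scan but not in the master list (192.168.1.30 in the sample) has every open port reported as unexpected, which also surfaces devices nobody has inventoried.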

The bottom line

Nmap/Zenmap is not the only network scanning option on the market, though you’ll be hard-pressed to find an easier, more powerful tool to help you discover which ports are open on your network.


By Chad Perrin, originally published April 15, 2008


As mentioned in the article, “10 security tips for all general-purpose OSes,” you should turn off any services you don’t actually need so that they will not become avenues of attack for security threats. Ten specific services for Microsoft Windows were mentioned in my later article, “10 services to turn off in MS Windows XP.” While ten is a good number for a quick list in an article, it’s hardly comprehensive.

There’s essentially no way to provide a comprehensive list. Different systems will have different services running by default, even between different service pack versions of MS Windows XP, and if you’re coming into a situation where you must assume responsibility for the security of computers that were already set up before you got there, there are certain to be different services running than on a default install of the system. Worse, there are new services being invented from time to time, expanding the number of services that may possibly be running on a given computer.

What’s needed is a tool for listing active services and open ports. I’ll explain how such tools can be used on three types of systems, in alphabetical order (FreeBSD, Linux distributions, and MS Windows), plus how to use an additional tool for commercial UNIX systems where the other tools may not be available.

FreeBSD

On a FreeBSD Unix system, as with other BSD Unix systems, you have a number of utilities with a base system install that can be used for listing open files, running processes, and network connections. The netstat utility is maintained as a part of the FreeBSD base system by the FreeBSD core developers, and offers exactly the sort of functionality you need to list open ports on your system.

netstat

To list open network ports and the processes that own them on FreeBSD with netstat, you can use this command:

netstat -a | egrep 'Proto|LISTEN' 

The output for this on my laptop running FreeBSD is:

Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  localhost.ipp      *.*                LISTEN
tcp6       0      0  localhost.ipp      *.*                LISTEN
tcp4       0      0  *.2200             *.*                LISTEN
tcp6       0      0  *.2200             *.*                LISTEN
tcp4       0      0  *.x11              *.*                LISTEN
tcp6       0      0  *.x11              *.*                LISTEN

The localhost.ipp entry refers to the Internet Printing Protocol used by CUPS to talk to the network printer. The *.2200 entry refers to SSH, which I have set to a nonstandard port, so it’s not recognized by netstat’s port-to-service association capabilities. *.x11 refers to the X Window System protocol.

You can add the -n option to netstat to get port numbers instead of having the utility try to provide names for services:

netstat -an | egrep 'Proto|LISTEN' 

The output would then look somewhat different:

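Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  127.0.0.1.631      *.*                LISTEN
tcp6       0      0  ::1.631            *.*                LISTEN
tcp4       0      0  *.2200             *.*                LISTEN
tcp6       0      0  *.2200             *.*                LISTEN
tcp4       0      0  *.6000             *.*                LISTEN
tcp6       0      0  *.6000             *.*                LISTEN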

This information can be used to determine what services are running, in cases where services are using standard ports. On a FreeBSD system, you can get a listing of standard port associations by searching through the contents of /etc/services.

For instance, if you wanted to find out what was up with port 631, you might use this command:

grep -w 631 /etc/services 

The output:

ipp     631/tcp    #IPP (Internet Printing Protocol) 
ipp     631/udp    #IPP (Internet Printing Protocol) 

sockstat

In addition to netstat, the more limited command sockstat is effectively tailor-made for this kind of information gathering. To get a listing of listening ports and their associated processes, you can use this command:

sockstat -4l

The output may even be more useful than that of netstat above:

user command pid  fd proto  local address foreign 
root cupsd   170  4  tcp4   127.0.0.1:631 *:* 
                  6  udp4    *:631 
     sshd    1685            *:2200 
     xorg    1154 3          *:6000 
     syslogd 907  7          *:514 

Linux distributions

As with FreeBSD, the obvious choice of tool to use for listing open ports is netstat. Most Linux distributions use a different version of the utility, however, maintained separately from the Linux distribution as an independent software development project.

One consequence of that fact is that the command line options used to achieve the same results may be different with FreeBSD than with Debian, Ubuntu, or Fedora Core Linux systems. On a typical Linux system, this command will list open network ports and the processes that own them:

netstat -lnptu 

The output should look something like this:

Active internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  2458/cupsd
tcp        0      0 127.0.0.1:5432  0.0.0.0:*        LISTEN  2353/postgres
tcp6       0      0 :::22           :::*             LISTEN  2335/sshd
udp        0      0 0.0.0.0:631     0.0.0.0:*                2458/cupsd

As you can see from this output, the Debian GNU/Linux system on which I ran that command has only four open ports: two for CUPS, so that the computer can communicate with the network printer; one for PostgreSQL, so that it can be contacted by applications in development; and one for SSH, so that I can access it remotely from my laptop.
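The Local Address column also shows which of those listeners can be reached from other machines: a socket bound to 127.0.0.1 or ::1 accepts only local connections, while 0.0.0.0 or :: means every interface. The following added example (not part of the original article) parses the sample output above and reports only the network-reachable listeners; the function names are illustrative.

```python
import ipaddress
import re

# Sample output of `netstat -lnptu`, copied from the article above.
SAMPLE = """\
Active internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  2458/cupsd
tcp        0      0 127.0.0.1:5432  0.0.0.0:*        LISTEN  2353/postgres
tcp6       0      0 :::22           :::*             LISTEN  2335/sshd
udp        0      0 0.0.0.0:631     0.0.0.0:*                2458/cupsd
"""

def parse_listeners(text):
    """Return one dict per tcp/udp row of `netstat -lnptu` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue  # banner or column header
        # Split on the last colon so IPv6 addresses such as :: or ::1 survive.
        addr, _, port = parts[3].rpartition(":")
        # UDP rows have no State value, so locate PID/Program by its shape.
        prog = re.search(r"\s\d+/(\S+)", line)
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "program": prog.group(1) if prog else "-"})
    return rows

def is_exposed(addr):
    """True when the bind address is anything other than loopback."""
    # Drop an IPv6 zone suffix (fe80::1%eth0) before parsing.
    return not ipaddress.ip_address(addr.split("%")[0]).is_loopback

def exposed_listeners(text):
    """Return (proto, port, program) for listeners reachable from the network."""
    return [(r["proto"], r["port"], r["program"])
            for r in parse_listeners(text) if is_exposed(r["addr"])]

if __name__ == "__main__":
    for proto, port, program in exposed_listeners(SAMPLE):
        print(f"{proto:5} {port:<6} {program}")
```

On the sample, the two 127.0.0.1 listeners are filtered out, so only SSH and the CUPS UDP socket remain as services that need a firewall rule or a justification.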

Microsoft Windows XP

Microsoft Windows also offers a netstat command that can be executed from the command line to get a list of open ports. The standard MS Windows version of netstat is slightly more limited than its Unix-like system counterparts, but still suffices to get a listing of listening services:

netstat -a | find "LISTENING"

The output of this command should look something like this:

TCP    hostname:epmap           hostname:0               LISTENING 
TCP    hostname:microsoft-ds    hostname:0               LISTENING 
TCP    hostname:10110           hostname:0               LISTENING 
TCP    hostname:netbios-ssn     hostname:0               LISTENING 

Note: “hostname” is replaced by the system’s hostname.

Commercial UNIX systems

For most commercial UNIX systems, even if there is not a version of netstat or sockstat available, you should be able to install lsof, which is short for “list open files”. Most Linux distributions and BSD Unix systems will provide lsof with a default install or through their respective software management systems. Some commercial UNIX systems do so as well, and for many others you can download it. The following command will limit the output of the utility to network ports:

lsof -i -n | egrep 'COMMAND|LISTEN' 
