Not finding a port with netstat? Nmap finds what netstat does not. Nmap can also point out your servers’ vulnerabilities.
On my server, there are a number of applications that work via a browser. Each with an associated port.
Usually, I’ll use netstat to find the port.
netstat -a | grep 9704
You can also find the unix process that is using the port by adding the flag, -al.
netstat -al | grep -i 9704
tcp 0 0 black.testrac.com:9704 *:* LISTEN oracle 162677
tcp 0 0 fe80::200:ff:fe00:0:9704 *:* LISTEN oracle 162676
tcp 0 0 ::ffff:192.168.122.1:9704 *:* LISTEN oracle 162675
tcp 0 0 localhost.localdomain:9704 *:* LISTEN oracle 162674
tcp 0 0 localhost6.localdomain:9704 *:* LISTEN oracle 162673
tcp 0 0 fe80::223:54ff:fe73:5f:9704 *:* LISTEN oracle 162672
tcp 0 0 black.testrac.com:49854 black.testrac.com:9704 ESTABLISHED
tcp 0 0 black.testrac.com:9704 black.testrac.com:49854 ESTABLISHED
However, netstat doesn’t find a number of processes or ports. Such as these important ports and applications:
1521 – Oracle listener
1158 – enterprise manager
7003 – Oracle Weblogic/OBIEE admin
8000 – Oracle Applications
I always found this really aggravating. I knew the port was in use. Why didn’t netstat find it? Then recently, I discovered that nmap will find the ports that netstat does not.
nmap -v black.testrac.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-01-18 15:51 CST
Initiating Connect() Scan against black.testrac.com (192.168.2.201) [1680 ports] at 15:51
Discovered open port 22/tcp on 192.168.2.201
Discovered open port 6000/tcp on 192.168.2.201
Discovered open port 929/tcp on 192.168.2.201
Discovered open port 5520/tcp on 192.168.2.201
Discovered open port 8000/tcp on 192.168.2.201
Discovered open port 7003/tcp on 192.168.2.201
Discovered open port 12345/tcp on 192.168.2.201
Discovered open port 1521/tcp on 192.168.2.201
Discovered open port 1158/tcp on 192.168.2.201
Discovered open port 111/tcp on 192.168.2.201
The Connect() Scan took 0.04s to scan 1680 total ports.
Host black.testrac.com (192.168.2.201) appears to be up … good.
Interesting ports on black.testrac.com (192.168.2.201):
Not shown: 1670 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
929/tcp open unknown
1158/tcp open lsnr
1521/tcp open oracle
5520/tcp open sdlog
6000/tcp open X11
7003/tcp open afs3-vlserver
8000/tcp open http-alt
12345/tcp open NetBus
There the ports are! Very cool!
So, if you can’t figure out what port your application was supposed to use, if you know that the processes are running, you can probe the ports with nmap. If you change some ports, you can check to see if they show up with nmap.
Lots Of Options:
Nmap comes with many options. nmap –help returns 88 lines! You can do many kinds of searches. And get lots of detailed, and different information back.
There is also a GUI version for Linux: nmapfe. For nmap front end.
There is a GUI version for Windows too. This one is actually called Zenmap. It is a GUI front end to an nmap backend.
The interfaces, while similar, are rather different. Even the predetermined scans are different.
The nice thing about these GUIs is that they have a number of predetermined scans. Just pick the type, and click the button.
Protect Your Machines!
The scary thing is, you can also scan all the ports of a remote computer. I scanned the ports of my windows machine. While the machine was being probed, I noticed in Task Manager that the network activity of the Windows machine went up to 200 to 300K per second.
You can even scan machines on the web. Here, I scan yahoo.com.
nmap -v yahoo.com
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-01-21 01:47 CST
Warning: Hostname yahoo.com resolves to 4 IPs. Using 184.108.40.206.
Machine 220.127.116.11 MIGHT actually be listening on probe port 80
DNS resolution of 1 IPs took 0.13s.
Initiating Connect() Scan against ir1.fp.vip.bf1.yahoo.com (18.104.22.168) [1680 ports] at 01:47
Discovered open port 80/tcp on 22.214.171.124
Discovered open port 443/tcp on 126.96.36.199
The Connect() Scan took 48.01s to scan 1680 total ports.
Host ir1.fp.vip.bf1.yahoo.com (188.8.131.52) appears to be up … good.
Interesting ports on ir1.fp.vip.bf1.yahoo.com (184.108.40.206):
Not shown: 1678 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
I’ve read that much of the hacking that goes on in the world, uses nmap. So you can also use nmap to check your vulnerabilities, and either be aware of them, or close them.
It’s scary what you can do with nmap. Or what the nasty people can do to you via the web! Use your protection!