Skip to content

Instantly share code, notes, and snippets.

@dougalcorn

dougalcorn/open_ports.md

Last active March 14, 2016 13:46
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save dougalcorn/7815725 to your computer and use it in GitHub Desktop.
Save dougalcorn/7815725 to your computer and use it in GitHub Desktop.
Download ZIP
Some questions about ports "open to the world"
Raw
open_ports.md

@p9k put out a question on Twitter about ports open to the world: https://twitter.com/p9k/status/408721475345330177

$ netstat -na|grep '^tcp4\W.*\*\.\d.*LISTEN'|wc -l
       5

His command was specifically only looking for processes listening on an IPv4 TCP port. I've modified the filter to pull both IPv4 and IPv6 TCP ports.

$ netstat -na | head -2; netstat -na|egrep '^tcp[46]+\W.*\*\.\d.*LISTEN' 
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)    
tcp4       0      0  *.20559                *.*                    LISTEN     
tcp4       0      0  *.17500                *.*                    LISTEN     
tcp4       0      0  *.88                   *.*                    LISTEN     
tcp6       0      0  *.88                   *.*                    LISTEN     
tcp46      0      0  *.49152                *.*                    LISTEN     
tcp4       0      0  *.5900                 *.*                    LISTEN     
tcp6       0      0  *.5900                 *.*                    LISTEN     
tcp4       0      0  *.548                  *.*                    LISTEN     
tcp6       0      0  *.548                  *.*                    LISTEN

As you can see, I have several processes listening to the same port on both IPv4 and IPv6. I'm not sure why, but one process is listed as "tcp46". That one didn't show up in the count of 5 above.

Possibly a simpler command is:

$ netstat -p tcp -na | grep '*.\d'
tcp4       0      0  *.20559                *.*                    LISTEN     
tcp4       0      0  *.17500                *.*                    LISTEN     
tcp4       0      0  *.88                   *.*                    LISTEN     
tcp6       0      0  *.88                   *.*                    LISTEN     
tcp46      0      0  *.49152                *.*                    LISTEN     
tcp4       0      0  *.5900                 *.*                    LISTEN     
tcp6       0      0  *.5900                 *.*                    LISTEN     
tcp4       0      0  *.548                  *.*                    LISTEN     
tcp6       0      0  *.548                  *.*                    LISTEN

So what are those processes? The fourth column shows the specific port number that's being listened on:

$ netstat -p tcp -na | grep '*.\d' | awk '{print $4}' | cut -f2 -d. | uniq
20559
17500
88
49152
5900
548

We can lookup those ports in /etc/services to see what's registered on those ports:

$ for port in `netstat -p tcp -na | grep '*.\d' | awk '{print $4}' | cut -f2 -d. | uniq`; do grep "\W$port/tcp" /etc/services; done
kerberos         88/tcp     # Kerberos
rfb             5900/tcp    vnc-server # VNC Server
afpovertcp      548/tcp     # AFP over TCP

That finds a couple of them, but not really all of them. We can "list open files" to find them though:

$ for port in `netstat -p tcp -na|grep '*.\d' | awk '{print $4}' | cut -f2 -d. `; do sudo lsof -P -i tcp | grep -i tcp | grep ":$port "; done
Password:
node      66255 dalcorn    7u  IPv4 0x73b82608d27925d      0t0  TCP *:20559 (LISTEN)
Dropbox     740 dalcorn   27u  IPv4 0x73b8260875aaa45      0t0  TCP *:17500 (LISTEN)
kdc          89    root    6u  IPv6 0x73b82607eb4b93d      0t0  TCP *:88 (LISTEN)
kdc          89    root    8u  IPv4 0x73b82608046b25d      0t0  TCP *:88 (LISTEN)
kdc          89    root    6u  IPv6 0x73b82607eb4b93d      0t0  TCP *:88 (LISTEN)
kdc          89    root    8u  IPv4 0x73b82608046b25d      0t0  TCP *:88 (LISTEN)
ODSAgent     79    root    3u  IPv6 0x73b82607eb4bd7d      0t0  TCP *:49152 (LISTEN)
launchd       1    root   24u  IPv6 0x73b82607eb4c5fd      0t0  TCP *:5900 (LISTEN)
launchd       1    root   25u  IPv4 0x73b82607eb4d25d      0t0  TCP *:5900 (LISTEN)
launchd       1    root   24u  IPv6 0x73b82607eb4c5fd      0t0  TCP *:5900 (LISTEN)
launchd       1    root   25u  IPv4 0x73b82607eb4d25d      0t0  TCP *:5900 (LISTEN)
launchd       1    root    9u  IPv6 0x73b82607eb4ca3d      0t0  TCP *:548 (LISTEN)
launchd       1    root   10u  IPv4 0x73b82607eb4da45      0t0  TCP *:548 (LISTEN)
launchd       1    root    9u  IPv6 0x73b82607eb4ca3d      0t0  TCP *:548 (LISTEN)
launchd       1    root   10u  IPv4 0x73b82607eb4da45      0t0  TCP *:548 (LISTEN)

So here's the list of processes that are listening "open to the world": kerberos, afpovertcp, vnc, node, Dropbox and ODSAgent. I turned off Screen and File sharing in my "Sharing" System Preference panel and that turned off vnc and afpovertcp as you might expect. I'm not exactly sure why Apple has kerberos and ODSAgent running.

I didn't remember why I was running node, but this reminded me:

$  ps -ax | grep 6625[5]
66255 ??         1:16.08 /Users/dalcorn/Library/Application Support/Pow/Versions/0.4.0/bin/node /Users/dalcorn/Library/Application Support/Pow/Versions/0.4.0/bin/pow
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment