Offene Ports Und Anwendungen Finden Mit Netstat

Offene Ports und Anwendungen finden mit netstatGrundlagenFr die Kommunikation in IP-Netzen spielen die Ports eine w ichtige Rolle. ber das Protokoll (UDP, TCP) und diePortnummer w ird auf dem Layer 4 ein Dienst identifiziert. Eine Anwendung die einen Service im Netzwerk anbietet, ffnetdazu einen Port. Dieser Port geht dabei zunchst in den Status "Listen" und wartet auf Verbindungsversuche. Eine Listeder offiziell vergebenen Portnummer findet man bei der IANA.Ein offener Port im Status Listen ist ein potientielles Einfallstor fr Script Kiddies und Hacker. Trojaner oder besserTrojanische Pferde installieren gerne Backdoors und ffnen dabei einen entsprechenden Port. Daher ist es sehr zuempfehlen, sich von Zeit zu Zeit die offenen Ports seiner Systeme anzusehen. Bei der Suche nach unbekanntenPortnummer leistet Google gute Dienste.

Offene Ports unter WindowsUnter W indows liefert das Kommando "netstat" die gewnschten Informationen.Der Befehl "netstat -an" zeigt alle Netzwerkverbindungen auf einer Maschine an. Serverdienste die sich im Status"Listen" bzw. "Listening" befinden, werden von deutschen Windowsversionen als "ABHREN" angezeigt.

C:\>netstat -an

Aktive Verbindungen

Proto Lokale Adresse Remoteadresse Status TCP 192.168.1.7:139 0.0.0.0:0 ABHREN TCP 192.168.1.7:1031 0.0.0.0:0 ABHREN TCP 192.168.1.7:1031 192.168.11.25:139 HERGESTELLT TCP 192.168.1.7:1071 0.0.0.0:0 ABHREN TCP 192.168.1.7:1071 192.168.11.77:139 HERGESTELLT TCP 192.168.1.7:1096 0.0.0.0:0 ABHREN TCP 192.168.1.7:1103 10.0.2.1:1433 HERGESTELLT TCP 192.168.1.7:1106 10.4.0.1:3311 HERGESTELLT TCP 192.168.1.7:1230 10.4.0.3:1352 HERGESTELLT TCP 192.168.1.7:1258 10:4.0.3:1352 HERGESTELLT TCP 192.168.1.7:1385 0.0.0.0:0 ABHREN TCP 192.168.1.7:1420 10.5.0.1:23 HERGESTELLT UDP 192.168.1.7:137 *:* UDP 192.168.1.7:138 *:* UDP 192.168.1.7:500 *:*

Ab Windows 2000 kennt netstat zustzlich den Parameter "-o". Dieser bewirkt, dass zu jedem Port die Prozess-ID PID deszugehrigen Prozesses angezeigt w ird.

C:\>netstat -ano

Aktive Verbindungen

Proto Lokale Adresse Remoteadresse Status PID TCP 192.168.1.100:139 0.0.0.0:0 ABHREN 4 TCP 192.168.1.100:1031 67.152.71.172:80 HERGESTELLT 1584 TCP 192.168.1.100:1034 67.104.144.70:3131 HERGESTELLT 1600 TCP 192.168.1.100:1035 68.97.40.116:3131 HERGESTELLT 1600 TCP 192.168.1.100:1036 64.49.76.16:80 SCHLIESSEN_WARTEN 2040 TCP 192.168.1.100:1048 216.234.59.241:80 HERGESTELLT 1364 TCP 192.168.1.100:10224 0.0.0.0:0 ABHREN 2032 UDP 192.168.1.100:121 *:* 636 UDP 192.168.1.100:137 *:* 4 UDP 192.168.1.100:138 *:* 4 UDP 192.168.1.100:9150 *:* 2032

Mit Hilfe des Taskmanagers ist die passende Anwendung zur PID schnell gefunden. Unter Umstnden muss die Anzeigeder PID im Reiter Prozesse erst ber das Men "Ansicht/Spalten auswhlen" aktiviert werden. Prinzipiell sollten nur Portsoffen sein die man w irklich bentigt.

Offene Ports unter LinuxUnter Linux sind die Parameter fr das Kommando netstat etwas anders. Fr eine Kontrolle der offenen Ports ruft man"netstat -nlp" auf.

/home/work $ netstat -npl Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 72.139.238.24:993 0.0.0.0:* LISTEN 1622/couriertcpd tcp 0 0 72.139.238.24:143 0.0.0.0:* LISTEN 1609/couriertcpd tcp 0 0 72.139.238.24:783 0.0.0.0:* LISTEN 1576/spamd.pid tcp 0 0 72.139.238.24:80 0.0.0.0:* LISTEN 25671/apache tcp 0 0 72.139.238.24:21 0.0.0.0:* LISTEN 19417/proftpdtcp 0 0 72.139.238.24:22 0.0.0.0:* LISTEN 1695/sshd tcp 0 0 72.139.238.24:25 0.0.0.0:* LISTEN 26889/exim4 tcp 0 0 72.139.238.24:443 0.0.0.0:* LISTEN 2082/apache-ssl

Das System zeigt mit diesen Parameter nur Ports im Status "Listen" an. Zustzlich w ird in der letzten Spalte die PID undder Name der zustndigen Applikation angezeigt. Alternativ kann unter Linux auch das Kommando "lsof" benutzt werden.Mit dem Aufruf "lsof -i | grep -e LISTEN" w ird ebenfalls eine Liste der Ports im Status "Listen" angezeigt.

Einsatz von nmap (Windows und Linux)Zur Kontrolle der offenen Ports eines Host ber das Netzwerk bentigt man einen Portscanner. Einer der populrstenVertreter dieser Spezies ist nmap von Fyodor. Gerade fr Systeme die direkt mit dem Internet verbunden sind w ie DSL-Router und Rootserver ist ein Portscan sehr interessant.Der Portscanner nmap kennt eine Unmenge von Optionen. Fr einen ersten Scan nach offenen TCP-Ports w ird lediglich derParameter "-sT" und die IP-Adresse des Zielsystems bentigt. Damit scannt nmap alle Well Know TCP-Ports (1-1024) undalle Ports aus der Datei etc/services.

[work] ~ $ nmap -sT 192.168.1.1

Offene Ports und Anwendungen finden mit netstat, lsof und nmap :: network lab 13.07.2015

http://www.nwlab.net/tutorials/netstat/offene-ports-netstat.html 1 / 6

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2004-10-16 23:17 CESTInteresting ports on Router (192.168.1.1):(The 1610 ports scanned but not shown below are in state: closed)Port State Service80/tcp open http

Nmap run completed -- 1 IP address (1 host up) scanned in 6.533 seconds

Der hier untersuchte IP-Host bietet einen Dienst an: HTTP auf TCP-Port 80. Auf der Maschine luft also hchstwarscheinlichein Webserver. Um alle TCP-Ports von 1 bis 65535 zu untersuchen ruft man nmap mit den Optionen "-sT -p 1-65535" auf.Mit der Option "-sU" sucht nmap nach offenen UDP-Ports. UDP-Scanning ist allerdings oftmals sehr langsam. Ursachehierfr ist eine Begrenzung der Anzahl der ICMP-Meldungen die ein Host pro Zeiteinheit versendet. Viele Systemebegrenzen die ICMP-Meldungen nach RFC 1812. nmap erkennt dieses Verhalten und arbeitet entsprechen langsamer umkeine Meldungen zu verlieren.Eine Mglichkeit fr Backdoors sich vor Portscanner zu verbergen ist das Portknocking. Dabei w ird ein Port erst in denStatus "Listen" versetzt, wenn das System ein bestimmtes Datenpacket empfngt.Ein DSL-Router bietet einen guten Schutz gegen Angriffe aus dem Internet. Der Router verhindert Verbindungsversucheaus dem Internet auf Serverdienste im internen Netz. Durch Konfiguration von Portforwarding am Router w ird dieserSchutz allerdings ausgehebelt. Weitere Informationen zu dieser Thematik finden sie im Tutorial Eigenen Server am DSL-Anschluss einrichten.Hilfe und Erfahrungsaustausch zu Netzwerkfragen finden Sie im Netzwerkforum.

Offene Ports und Anwendungen finden mit netstat, lsof und nmap :: network lab 13.07.2015

http://www.nwlab.net/tutorials/netstat/offene-ports-netstat.html 2 / 6

NETSTATSection: Linux Programmer's Manual (8)Updated: 24 November 2001

NAMEnetstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicastmemberships

SYNOPSISnetstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] netstat {--interfaces|-i} [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] netstat {--version|-V} netstat {--help|-h} address_family_options:[--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] [--unix|-x] [--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]

DESCRIPTIONNetstat prints information about the Linux networking subsystem. The type of information printed is controlled by the firstargument, as follows: (none)By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of allconfigured address families w ill be printed. --route , -rDisplay the kernel routing tables. --groups , -gDisplay multicast group membership information for IPv4 and IPv6. --interface, -iDisplay a table of all network interfaces. --masquerade , -MDisplay a list of masqueraded connections. --statistics , -sDisplay summary statistics for each protocol.

OPTIONS --verbose , -vTell the user what is going on by being verbose. Especially print some useful information about unconfigured addressfamilies. --numeric , -nShow numerical addresses instead of trying to determine symbolic host, port or user names. --numeric-hostsshows numerical host addresses but does not affect the resolution of port or user names. --numeric-portsshows numerical port numbers but does not affect the resolution of host or user names. --numeric-usersshows numerical user IDs but does not affect the resolution of host or port names.

--protocol=family , -ASpecifies the address families (perhaps better described as low level protocols) for which connections are to beshown. family is a comma (',') separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. Thishas the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options. The address family inetincludes raw, udp and tcp protocol sockets. -c, --continuousThis w ill cause netstat to print the selected information every second continuously. -e, --extendDisplay additional information. Use this option tw ice for maximum detail. -o, --timersInclude information related to networking timers. -p, --programShow the PID and name of the program to which each socket belongs. -l, --listeningShow only listening sockets. (These are omitted by default.) -a, --allShow both listening and non-listening sockets. W ith the --interfaces option, show interfaces that are not up -FPrint routing information from the FIB. (This is the default.) -CPrint routing information from the route cache. UP.

OUTPUT

Manpage netstat :: network lab 13.07.2015

http://www.nwlab.net/tutorials/netstat/man-netstat.html 3 / 6

Active Internet connections (TCP, UDP, raw) ProtoThe protocol (tcp, udp, raw) used by the socket. Recv-QThe count of bytes not copied by the user program connected to this socket. Send-QThe count of bytes not acknowledged by the remote host. Local AddressAddress and port number of the local end of the socket. Unless the --numeric (-n) option is specified, the socket addressis resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name. Foreign AddressAddress and port number of the remote end of the socket. Analogous to "Local Address." StateThe state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be leftblank. Normally this can be one of several values:

ESTABLISHEDThe socket has an established connection.

SYN_SENTThe socket is actively attempting to establish a connection.

SYN_RECVA connection request has been received from the network.

FIN_WAIT1The socket is closed, and the connection is shutting down.

FIN_WAIT2Connection is closed, and the socket is waiting for a shutdown from the remote end.

TIME_WAITThe socket is waiting after close to handle packets still in the network.

CLOSEThe socket is not being used.

CLOSE_WAITThe remote end has shut down, waiting for the socket to close.

LAST_ACKThe remote end has shut down, and the socket is closed. Waiting for acknowledgement.

LISTENThe socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.

CLOSINGBoth sockets are shut down but we still don't have all our data sent.

UNKNOWNThe state of the socket is unknown.

UserThe username or the user id (UID) of the owner of the socket. PID/Program nameSlash-separated pair of the process id (PID) and process name of the process that owns the socket. --program causesthis column to be included. You w ill also need superuser privileges to see this information on sockets you don't own. Thisidentification information is not yet available for IPX sockets. Timer(this needs to be written) Active UNIX domain Sockets ProtoThe protocol (usually unix) used by the socket. RefCntThe reference count (i.e. attached processes via this socket). FlagsThe flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCECPTON is usedon unconnected sockets if their corresponding processes are waiting for a connect request. The other flags are not ofnormal interest. TypeThere are several types of socket access:

SOCK_DGRAMThe socket is used in Datagram (connectionless) mode.

SOCK_STREAMThis is a stream (connection) socket.

SOCK_RAWThe socket is used as a raw socket.

SOCK_RDMThis one serves reliably-delivered messages.

SOCK_SEQPACKETThis is a sequential packet socket.

SOCK_PACKETRaw interface access socket.

UNKNOWNWho ever knows what the future w ill bring us - just fill in here :-)

StateThis field w ill contain one of the follow ing Keywords:

FREEThe socket is not allocated



LISTENINGThe socket is listening for a connection request. Such sockets are only included in the output if you specify the --listening (-l) or --all (-a) option.

CONNECTINGThe socket is about to establish a connection.

CONNECTEDThe socket is connected.

DISCONNECTINGThe socket is disconnecting.

(empty)The socket is not connected to another one.

UNKNOWNThis state should never happen.

PID/Program nameProcess ID (PID) and process name of the process that has the socket open. More info available in Active Internetconnections section written above. PathThis is the path name as which the corresponding processes attached to the socket. Active IPX sockets(this needs to be done by somebody who knows it) Active NET/ROM sockets(this needs to be done by somebody who knows it) Active AX.25 sockets(this needs to be done by somebody who knows it)

NOTESStarting w ith Linux release 2.2 netstat -i does not show interface statistics for alias interfaces. To get per alias interfacecounters you need to setup explicit rules using the ipchains(8) command.

FILES/etc/services -- The services translation file/proc -- Mount point for the proc filesystem, which gives access to kernel status information via the follow ing files./proc/net/dev -- device information/proc/net/raw -- raw socket information/proc/net/tcp -- TCP socket information/proc/net/udp -- UDP socket information/proc/net/igmp -- IGMP multicast information/proc/net/unix -- Unix domain socket information/proc/net/ipx -- IPX socket information/proc/net/ax25 -- AX25 socket information/proc/net/appletalk -- DDP (appletalk) socket information/proc/net/nr -- NET/ROM socket information/proc/net/route -- IP routing information/proc/net/ax25_route -- AX25 routing information/proc/net/ipx_route -- IPX routing information/proc/net/nr_nodes -- NET/ROM nodelist/proc/net/nr_neigh -- NET/ROM neighbours/proc/net/ip_masquerade -- masqueraded connections/proc/net/snmp -- statistics

SEE ALSOroute(8), ifconfig(8), ipchains(8), iptables(8), proc(5)

BUGSOccasionally strange information may appear if a socket changes as it is viewed. This is unlikely to occur.

AUTHORSThe netstat user interface was written by Fred Baumgarten the man page basicallyby Matt Welsh . It was updated by Alan Cox but could do w ith a bit morework. It was updated again by Tuan Hoang . The man page and the command included in the net-tools package is totally rewritten by Bernd Eckenfels .

IndexNAMESYNOPSISDESCRIPTION

(none)--route , -r--groups , -g--interface, -i--masquerade , -M--statistics , -s

OPTIONS

--verbose , -v



--verbose , -v--numeric , -n--numeric-hosts--numeric-ports--numeric-users--protocol=family , -A-c, --continuous-e, --extend-o, --timers-p, --program-l, --listening-a, --all-F-C

OUTPUT

Active Internet connections (TCP, UDP, raw)ProtoRecv-QSend-QLocal AddressForeign AddressStateUserPID/Program nameTimerActive UNIX domain SocketsProtoRefCntFlagsTypeStatePID/Program namePathActive IPX socketsActive NET/ROM socketsActive AX.25 sockets

NOTESFILESSEE ALSOBUGSAUTHORS

This document was created by man2html, using the manual pages.



NETSTATNAMESYNOPSISDESCRIPTION(none)--route , -r--groups , -g--interface, -i--masquerade , -M--statistics , -s

OPTIONS--verbose , -v--numeric , -n--numeric-hosts--numeric-ports--numeric-users--protocol=family , -A-c, --continuous-e, --extend-o, --timers-p, --program-l, --listening-a, --all-F-C

OUTPUTActive Internet connections (TCP, UDP, raw)ProtoRecv-QSend-QLocal AddressForeign AddressStateUserPID/Program nameTimerActive UNIX domain SocketsProtoRefCntFlagsTypeStatePID/Program namePathActive IPX socketsActive NET/ROM socketsActive AX.25 sockets

NOTESFILESSEE ALSOBUGSAUTHORSIndex

Documents

Offene Ports Und Anwendungen Finden Mit Netstat