Unknown TCP Services: Port Investigation

TL;DR

You’ve found open TCP ports on your system that aren’t associated with known services? This guide shows you how to identify them using tools like netstat, ss, process inspection (ps, top), and reverse DNS lookups. We’ll also cover basic port scanning techniques for further investigation.

Identifying the Process

1. Use netstat: This classic tool shows network connections.

netstat -tulnp | grep 

The output will show the process ID (PID) associated with the port.

2. Use ss: A more modern alternative to netstat.

ss -tulnp | grep 

Similar to netstat, this will display the PID.

3. Inspect the process with ps: Once you have the PID, find out what program is running.

ps -p  -o comm=

This shows just the command name of the process.

4. Use top or htop: For a real-time view of processes and resource usage, including the PID.
1. Press ‘k’ to kill a process (use with caution!).
2. Sort by CPU or memory usage to find potentially rogue processes.

Reverse DNS Lookup

1. Find the IP address: If netstat or ss shows a listening process on all interfaces (0.0.0.0), you need to determine which IP addresses are associated with that port.
2. Perform a reverse DNS lookup: Use host or an online tool. This can sometimes reveal the service name if it’s configured correctly.

   host 

   This may show a hostname associated with the IP address, giving you clues about the service.

Further Investigation: Port Scanning

1. Nmap (again): Use Nmap for more detailed port scanning. Try different scan types to get a better understanding of the service.

   nmap -sV 

   The -sV option attempts version detection, which can identify the specific software running on the port.

2. Connect to the Port: Try connecting to the port using telnet or nc (netcat).

   telnet  

   If you get a response, it confirms that something is listening on the port. The response might give you clues about the service.

3. Wireshark: Capture network traffic to analyze the communication protocol being used on the port.
   1. Filter by the target IP address and port number.
   2. Examine the packet contents for clues about the service.

Security Considerations

• Unknown services are a risk: If you can’t identify a service, consider it potentially malicious until proven otherwise.
• Firewall rules: Block access to unknown ports from external networks.
• cyber security best practice: Regularly scan your system for open ports and investigate any unexpected findings.