One of the most important concepts in computer security is “knowing thy system”. This essentially means that in order to be able to protect something you need to have some idea of what it’s doing and/or how it works.
Your computer’s connections to the outside world are among the most important pieces of information you can have about your system. In addition to what connections are currently established, you also want to know what ports your computer is “listening” on, or in other words, what ways other systems are able to interact with your computer.
Below I’ll cover how to see who your Windows or Linux computer is currently talking to, and the ways your computer is willing to talk through open, listening ports.
There is often some confusion about what network ports are, and what it means for them to be “open”. Think of network ports as spring-loaded windows on a house. So if someone doesn’t actively hold the window open, it’ll shut automatically and remain closed until it’s opened again.
The important thing to remember is that when you see a port open on your system, it’s because something opened it. Remember, if there wasn’t a midget in the window it would just close by itself. The issue then becomes finding out what program opened the port, and whether or not it’s legitimate.
Windows has a built-in tool called netstat that can show a decent amount of information. If you just have a quick question about a certain port you can use it right from the command line and avoid using a third-party application:
netstat -an | find "LISTENING"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1049 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:33333 0.0.0.0:0 LISTENING
netstat -an | find "ESTABLISHED"
TCP 22.214.171.124:4095 126.96.36.199:80 ESTABLISHED
TCP 188.8.131.52:8324 184.108.40.206:25 ESTABLISHED
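Eyeballing netstat output works for a quick question, but “knowing thy system” really means comparing what is listening now against what you expect to be listening. The following is an added example (not from the original post) that parses the `netstat -an` line format shown above, lists listening ports and established peers, and flags any listener that is not on a baseline you maintain. The sample output and the baseline are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in the same layout as `netstat -an` on Windows (not real output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:4095          203.0.113.10:80        ESTABLISHED
  TCP    10.0.0.5:8324          198.51.100.7:25        ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Constructed baseline: the (proto, port) pairs this host is supposed to listen on.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 123)}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Proto, local addr:port, foreign addr:port, optional state (UDP lines carry none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Turn netstat -an text into Conn records, skipping headers and junk lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, lport, rip, rport, state or ""))
    return conns

def listening_ports(conns):
    """TCP sockets in LISTENING plus bound UDP sockets (netstat shows no UDP state)."""
    return sorted({(c.proto, int(c.local_port)) for c in conns
                   if (c.proto == "TCP" and c.state == "LISTENING")
                   or (c.proto == "UDP" and c.local_port != "*")})

def unexpected_listeners(conns, baseline):
    """Listeners that nothing in the baseline accounts for: find out what opened them."""
    return [p for p in listening_ports(conns) if p not in baseline]

def established_peers(conns):
    """Remote (ip, port) pairs the host is currently talking to."""
    return sorted({(c.remote_ip, int(c.remote_port)) for c in conns
                   if c.state == "ESTABLISHED"})

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(conns))
    print("unexpected:", unexpected_listeners(conns, BASELINE))
    print("peers:", established_peers(conns))
```

Feed it real output with `netstat -an > snapshot.txt` and read the file instead of SAMPLE_NETSTAT; any port reported as unexpected is the one to chase down with `netstat -anb` or Tcpview.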
For those that want more information about their network connections and/or are graphically inclined, there’s a free tool called Tcpview that’s a must for any serious Windows user.
Tcpview allows you to view, in real time, the connections that are open on your system. Not only does it update constantly as connections spawn or die off, but it also shows you what program is responsible for opening a given port on your system. [For those bent on command line kung-fu, you can get similar functionality from netstat -anb]
Being a Linux/OS X guy myself I would deserve a good pummeling if I didn’t show how to get similar information from a *nix system. The best way to do this is with the lsof command:
COMMAND PID  USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd  6061 root 4u IPv4 4510        UDP  *:bootpc
sshd    7703 root 3u IPv6 6499        TCP  *:ssh (LISTEN)
sshd    7892 root 3u IPv6 6757        TCP  10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
lsof -iTCP                     # only TCP
lsof -iUDP                     # only UDP
lsof -i :22                    # involving port 22
lsof -i @attacker.com          # connections with attacker.com
lsof -i @220.127.116.11        # connections with that address
lsof -i @mail.com:25           # connections to mail.com on the SMTP port
lsof -i | grep LISTEN          # see what’s listening
lsof -i | grep ESTABLISHED     # see what’s established
Knowing who your system is talking to (and who it’s willing to talk to) is crucial to your overall computer security. Using the short guide above you can now gather this information in both Windows and *nix environments.
1. Not true in all cases.