Open Ports / Active Connections

Active connections and open ports are a critical part of an investigation. One challenge, however, is that the host does not record historical port activity, so earlier activity cannot be traced back to identify the patterns of an intrusion. Despite this limitation, when a cyber incident occurs, investigating open ports helps determine the attack vector, identify which services or data may have been compromised, and evaluate the extent of the intrusion.

Listening Ports

There are a few ways to list processes along with their open ports on Linux. Here are the most common methods:

netstat command

The netstat command can be used to display a variety of network information, including open ports. To list processes along with their open ports using netstat, run the following:

netstat -tulpn

[tlasso@rhel-richmondfc 37822]$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      71520/nc            
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
tcp6       0      0 :::9080                 :::*                    LISTEN      71520/nc            
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:43449           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:49428           0.0.0.0:*                           40401/firefox       
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -                   
udp6       0      0 :::5353                 :::*                                -                   
udp6       0      0 :::49008                :::*                                -                   
udp6       0      0 ::1:323                 :::*                                -                   


ss command

The ss command [1] is a newer alternative to netstat and can be used to dump socket statistics. To list processes along with their open ports using ss, run the following:

ss -tulpn

[tlasso@rhel-richmondfc 37822]$ ss -tulpn
Netid   State    Recv-Q   Send-Q     Local Address:Port        Peer Address:Port   Process                                
udp     UNCONN   0        0                0.0.0.0:43449            0.0.0.0:*                                             
udp     UNCONN   0        0                0.0.0.0:5353             0.0.0.0:*                                             
udp     UNCONN   0        0                0.0.0.0:49428            0.0.0.0:*       users:(("firefox",pid=40401,fd=53))   
udp     UNCONN   0        0              127.0.0.1:323              0.0.0.0:*                                             
udp     UNCONN   0        0                   [::]:5353                [::]:*                                             
udp     UNCONN   0        0                   [::]:49008               [::]:*                                             
udp     UNCONN   0        0                  [::1]:323                 [::]:*                                             
tcp     LISTEN   0        128            127.0.0.1:631              0.0.0.0:*                                             
tcp     LISTEN   0        10               0.0.0.0:9080             0.0.0.0:*       users:(("nc",pid=71520,fd=4))         
tcp     LISTEN   0        128              0.0.0.0:22               0.0.0.0:*                                             
tcp     LISTEN   0        128                [::1]:631                 [::]:*                                             
tcp     LISTEN   0        10                  [::]:9080                [::]:*       users:(("nc",pid=71520,fd=3))         
tcp     LISTEN   0        128                 [::]:22                  [::]:*                     
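The investigator's question after running ss is "what is listening that should not be?". The following added example (not part of the original page) parses ss -tulpn output, flags listeners that are not in an approved baseline of (protocol, port) pairs, and separately lists sockets bound to every interface; the sample output is constructed from the listing above, and the baseline is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in `ss -tulpn` format (values taken from the listing above).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      10     0.0.0.0:9080      0.0.0.0:*  users:(("nc",pid=71520,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      10     [::]:9080         [::]:*     users:(("nc",pid=71520,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str           # "-" when ss could not attribute the socket (needs root)
    pid: Optional[int]

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text: str) -> List[Listener]:
    listeners = []
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):  # only listening/unconnected sockets
            continue
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 colons in addr
        m = PROC_RE.search(line)
        listeners.append(Listener(proto, addr.strip("[]"), int(port),
                                  m.group(1) if m else "-",
                                  int(m.group(2)) if m else None))
    return listeners

def unexpected_listeners(listeners: List[Listener],
                         baseline: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners whose (proto, port) is absent from the approved baseline."""
    return [l for l in listeners if (l.proto, l.port) not in baseline]

def external_listeners(listeners: List[Listener]) -> List[Listener]:
    """Listeners bound to all interfaces, i.e. reachable from the network."""
    return [l for l in listeners if l.addr in ("0.0.0.0", "::")]
```

On the listing above this singles out the nc process on TCP 9080, the one listener no baseline for this host would contain.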

Active Connections

lsof ("List Open Files") [2] is an excellent tool when working with a live system. It provides a detailed view of the system and displays information about files that are opened by processes, including network connections. [3]

lsof -i -n -P

[tlasso@rhel-richmondfc 37822]$ lsof -i -n -P
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 40401 tlasso   55u  IPv4 755700      0t0  TCP 172.23.49.52:35546->34.117.65.55:443 (ESTABLISHED)
firefox 40401 tlasso   60u  IPv4 779282      0t0  TCP 172.23.49.52:45388->142.250.205.228:443 (ESTABLISHED)
firefox 40401 tlasso   61u  IPv4 775820      0t0  TCP 172.23.49.52:34942->34.149.100.209:443 (ESTABLISHED)
firefox 40401 tlasso   62u  IPv4 775821      0t0  TCP 172.23.49.52:58550->34.120.115.102:443 (ESTABLISHED)
firefox 40401 tlasso   63u  IPv4 778293      0t0  TCP 172.23.49.52:53024->34.120.237.76:443 (ESTABLISHED)
firefox 40401 tlasso   77u  IPv4 777822      0t0  TCP 172.23.49.52:48046->142.250.77.131:80 (ESTABLISHED)
firefox 40401 tlasso   78u  IPv4 780293      0t0  TCP 172.23.49.52:50414->49.44.116.245:80 (ESTABLISHED)
firefox 40401 tlasso   80u  IPv4 777823      0t0  TCP 172.23.49.52:48054->142.250.77.131:80 (ESTABLISHED)
firefox 40401 tlasso   81u  IPv4 771854      0t0  TCP 172.23.49.52:45404->142.250.205.228:443 (ESTABLISHED)
firefox 40401 tlasso  101u  IPv4 777824      0t0  TCP 172.23.49.52:48068->142.250.77.131:80 (ESTABLISHED)
firefox 40401 tlasso  111u  IPv4 772047      0t0  TCP 172.23.49.52:48566->142.250.183.238:443 (ESTABLISHED)
firefox 40401 tlasso  119u  IPv4 772053      0t0  TCP 172.23.49.52:52668->172.217.163.162:443 (ESTABLISHED)
firefox 40401 tlasso  123u  IPv4 775005      0t0  TCP 172.23.49.52:55100->142.250.195.131:443 (ESTABLISHED)
firefox 40401 tlasso  132u  IPv4 772049      0t0  TCP 172.23.49.52:34382->172.217.167.130:443 (ESTABLISHED)
firefox 40401 tlasso  149u  IPv4 775871      0t0  TCP 172.23.49.52:40670->142.250.183.226:443 (ESTABLISHED)
nc      71520 tlasso    3u  IPv6 752595      0t0  TCP *:9080 (LISTEN)
nc      71520 tlasso    4u  IPv4 752596      0t0  TCP *:9080 (LISTEN)
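To turn an lsof listing into something an analyst can act on, the following added example (not part of the original page) parses lsof -i -n -P output, summarises the distinct remote endpoints each process is connected to, and lists sockets listening on every interface; the sample is constructed from a subset of the listing above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in `lsof -i -n -P` format (a subset of the listing above).
LSOF_OUTPUT = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 40401 tlasso   55u  IPv4 755700      0t0  TCP 172.23.49.52:35546->34.117.65.55:443 (ESTABLISHED)
firefox 40401 tlasso   77u  IPv4 777822      0t0  TCP 172.23.49.52:48046->142.250.77.131:80 (ESTABLISHED)
firefox 40401 tlasso   80u  IPv4 777823      0t0  TCP 172.23.49.52:48054->142.250.77.131:80 (ESTABLISHED)
nc      71520 tlasso    3u  IPv6 752595      0t0  TCP *:9080 (LISTEN)
nc      71520 tlasso    4u  IPv4 752596      0t0  TCP *:9080 (LISTEN)
"""

# NAME column: "local" or "local->remote"; the TCP state follows in parentheses.
NAME_RE = re.compile(r'^(?P<local>\S+?)(?:->(?P<remote>\S+))?$')

def parse_lsof(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines()[1:]:        # skip the header row
        f = line.split(maxsplit=8)            # index 8 keeps "addr (STATE)" intact
        if len(f) < 9:
            continue
        name, _, state = f[8].partition(" ")  # UDP rows carry no state
        m = NAME_RE.match(name)
        rows.append({"command": f[0], "pid": int(f[1]), "user": f[2],
                     "proto": f[7], "local": m["local"],
                     "remote": m["remote"], "state": state.strip("()")})
    return rows

def connections_by_process(rows: List[dict]) -> Dict[Tuple[str, int], List[str]]:
    """Map (command, pid) -> sorted distinct remote endpoints of ESTABLISHED sockets."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["remote"]:
            out[(r["command"], r["pid"])].add(r["remote"])
    return {k: sorted(v) for k, v in out.items()}

def wildcard_listeners(rows: List[dict]) -> List[Tuple[str, int, str]]:
    """Sockets listening on all interfaces ('*' local address in lsof output)."""
    return [(r["command"], r["pid"], r["local"]) for r in rows
            if r["state"] == "LISTEN" and r["local"].startswith("*:")]
```

Because lsof -P prints numeric ports and -n skips DNS, the parsed endpoints can be compared directly against firewall logs or threat intelligence without a second lookup.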