We used
X11 forwarding
to locally run our Ubuntu Server’s Firefox installation. In short, these three commands were enough (replacing
x.x.x.x
with the testing server’s IP):
$ ssh -Y -C [email protected]
[...]
[email protected]:~# export XAUTHORITY=$HOME/.Xauthority
[email protected]:~# firefox -no-remote https://www.grc.com/
[...]
About
ssh
,
-Y
enables trusted X11 forwarding, and
-C
boosts performance by compression. The following
export XAUTHORITY=$HOME/
.Xauthority
prevents a common authentication error in the X11 connection. Finally, although starting Firefox with
-no-remote
isn’t strictly necessary, it’s a good option in such cases.
3. Port Authority Database & Internet Port Vulnerability Profiling
We can consult the
GRC’s Port Authority Database
to get information about any port. Let’s suppose we are interested in
port 111
:
Let’s
probe that port
:
To perform this GRC’s test, we used X11 forwarding as before, with the same testing machine.
The main limitation of online services is that they can send packets only to public IPs or, as in the case of GRC, only to our own public IP.
Instead, with command-line tools, we can probe even the private IPs of our LAN
. So, let’s look at some Linux tools to ping a port, i.e., to probe it.
In the upcoming examples, we’ll use the following self-explanatory variables
:
$ IP=78.141.212.157 # our testing machine's IP
$ PORT_OPEN=22
$ PORT_CLOSED=111
$ PORT_STEALTH=137
In other words, we’ve configured our test machine so that TCP port 22 is open, 111 closed, and 137 stealth.
Pinging a port involves the transmission of
TCP segments
or
UDP datagrams
to that port. The usual strategy is to try to initiate a TCP connection. That’s why
we’ll only test TCP ports, and this way is the default of most tools
. Anyway, we can refer to the tools’ man pages to check if options related to UDP ports are available.
4.1.
nmap
and
zenmap
nmap
is helpful for network exploration and security auditing. The
-p
option scans the specified ports:
$ nmap -p $PORT_OPEN,$PORT_CLOSED,$PORT_STEALTH $IP
[...]
PORT STATE SERVICE
22/tcp open ssh
111/tcp closed rpcbind
137/tcp filtered netbios-ns
[...]
The outcome is the expected one for each port.
nmap
denotes as “filtered” the stealth port
. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that
nmap
can’t tell whether it’s open or closed. In essence,
filtered and stealth are synonyms
.
zenmap
is an
nmap
frontend. Performing the same test, we can note good-looking output:
As a side note, sometimes
zenmap
isn’t trivial to install. Fortunately, many tutorials cover installation on the various Linux distributions.
4.2.
nping
nping
is a
nmap
tool for network packet generation, response analysis, and response time measurement.
Retrying the same test, we have more verbose output:
$ nping -p $PORT_OPEN,$PORT_CLOSED,$PORT_STEALTH $IP
[...]
SENT (0.0013s) Starting TCP Handshake > 78.141.212.157:22
RCVD (0.0715s) Handshake with 78.141.212.157:22 completed
SENT (1.0040s) Starting TCP Handshake > 78.141.212.157:111
RCVD (1.0767s) Possible TCP RST received from 78.141.212.157:111 --> Connection refused
SENT (2.0071s) Starting TCP Handshake > 78.141.212.157:137
[...]
TCP connection attempts: 15 | Successful connections: 5 | Failed: 10 (66.67%)
Nping done: 1 IP address pinged in 15.04 seconds
As expected, the
handshake
succeeded with port 22 (open), the connection was rejected with port 111 (closed), and there was no response from port 137 (stealth). By default, all tests are repeated five times. That’s why we have 15 connection attempts (5 × 3 ports).
4.3.
nc
or
netcat
The
nc
or
netcat
command is a command-line utility for reading and writing data between two computer networks
. It has rich connection troubleshooting features and scripting usability.
Let’s repeat our test:
$ nc -vz $IP $PORT_OPEN
Connection to 78.141.212.157 22 port [tcp/ssh] succeeded!
$ nc -vz $IP $PORT_CLOSED
nc: connect to 78.141.212.157 port 111 (tcp) failed: Connection refused
$ nc -vz $IP $PORT_STEALTH
Once again, the results are as expected. However, the last command doesn’t terminate because the stealth port doesn’t respond, and the netcat has no timeout as default. We, therefore, terminated it with CTRL+C.
4.4. telnet
The telnet command is a user interface to the Telnet protocol. In this case, we just want to see if we can make a connection:
$ telnet $IP $PORT_OPEN
Trying 78.141.212.157...
Connected to 78.141.212.157.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
telnet> quit
Connection closed.
$ telnet $IP $PORT_CLOSED
Trying 78.141.212.157...
telnet: Unable to connect to remote host: Connection refused
$ telnet $IP $PORT_STEALTH
Trying 78.141.212.157...
It works as expected. Similar to netcat, telnet remains indefinitely on hold when we attempt to contact a stealth port. We, therefore, terminate it with CTRL+C.
We also note that our SSH server gives telnet exact information about which service is listening on port 22, complete with operating system and software version. This data, of course, has security implications in case there are known exploits for this specific version.
4.5. curl
curl is a widely used Linux tool for sending HTTP(S) requests and viewing the responses. We can still use it to ping a port:
$ curl $IP:$PORT_OPEN
curl: (1) Received HTTP/0.9 when not allowed
$ curl $IP:$PORT_CLOSED
curl: (7) Failed to connect to 78.141.212.157 port 111: Connection refused
$ curl $IP:$PORT_STEALTH
The first answer doesn’t make much sense because we have sent an HTTP request to an SSH server. However, it’s a sufficient response to discover that the port is open. The closed port and the stealth port behave as in the previous cases.
Anyway, using curl makes more sense with the protocols it supports.
4.6. hping3
hping3 sends arbitrary TCP/IP packets to network hosts. Let’s try it, being careful that we need root permissions this time:
# hping3 $IP -S -V -p $PORT_OPEN -c 1
using tun0, addr: 10.8.0.2, MTU: 1500
HPING 78.141.212.157 (tun0 78.141.212.157): S set, 40 headers + 0 data bytes
len=44 ip=78.141.212.157 ttl=50 DF id=0 tos=0 iplen=44
sport=22 flags=SA seq=0 win=42340 rtt=71.6 ms
seq=1471141328 ack=1474234392 sum=6532 urp=0
--- 78.141.212.157 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 71.6/71.6/71.6 ms
# hping3 $IP -S -V -p $PORT_CLOSED -c 1
[...]
1 packets transmitted, 1 packets received, 0% packet loss
[...]
# hping3 $IP -S -V -p $PORT_STEALTH -c 1
[...]
1 packets transmitted, 0 packets received, 100% packet loss
[...]
It’s very similar to the classic ping. However, we cannot distinguish between open and closed ports, but only between ports that respond (and thus open or closed) and ports that don’t respond (and thus stealth).
5. Conclusion
In this article, we looked at the difference between open, closed, and stealth ports and saw various ways to ping them.
It’s worth noting that port scanning and port probing can have legal consequences. The legality and ethics of these actions vary depending on the circumstances.