July 08, 2016

Look and LISTEN

To find all listening daemons on your box, use the lsof command and grep for LISTEN. See the lsof man page for details. So what's running on your machine?

$ lsof -i | grep LISTEN
SpotifyWe   427 bob    6u  IPv4 0xfadf3f229c048281      0t0  TCP localhost:4370 (LISTEN)
SpotifyWe   427 bob    7u  IPv4 0xfadf3f229c048b79      0t0  TCP localhost:4380 (LISTEN)
NDSPCShow 13355 bob   45u  IPv4 0xfadf3f22ae9d6ea1      0t0  TCP localhost:9012 (LISTEN)
NDSPCShow 13355 bob   46u  IPv4 0xfadf3f22af352b79      0t0  TCP localhost:dynamid (LISTEN)
Google    98152 bob  219u  IPv4 0xfadf3f22a1e07091      0t0  TCP 192.168.87.102:freeciv (LISTEN)
Google    98152 bob  225u  IPv4 0xfadf3f22a26b6091      0t0  TCP localhost:freeciv (LISTEN)

This shows that I currently have 6 listening daemons connected to 6 ports. All of these are TCP daemons. The NDSPCShow process with PID 13355 is one I'd like to kill and ensure never starts again. I don't know what this process actually does, nor can I find any information about it.

Lsof uses the keywords LISTEN, ESTABLISHED, TCP, UDP, etc. to display the type and state of each connection; check man lsof for details. But lsof is not the only program that shows this state: netstat is another option for seeing which sockets are in use on your machine.

$ netstat -an | grep LISTEN
tcp6       0      0  ::1.587                *.*                    LISTEN     
tcp4       0      0  127.0.0.1.587          *.*                    LISTEN     
tcp6       0      0  ::1.25                 *.*                    LISTEN     
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN     
tcp4       0      0  127.0.0.1.5556         *.*                    LISTEN     
tcp4       0      0  192.168.87.102.5556    *.*                    LISTEN     
tcp4       0      0  127.0.0.1.9002         *.*                    LISTEN     
tcp4       0      0  127.0.0.1.9012         *.*                    LISTEN     
tcp4       0      0  127.0.0.1.4380         *.*                    LISTEN     
tcp4       0      0  127.0.0.1.4370         *.*                    LISTEN     
tcp4       0      0  *.88                   *.*                    LISTEN     
tcp6       0      0  *.88                   *.*                    LISTEN     
tcp4       0      0  127.0.0.1.49153        *.*                    LISTEN     
tcp4       0      0  127.0.0.1.49152        *.*                    LISTEN     
tcp4       0      0  127.0.0.1.3310         *.*                    LISTEN     
tcp46      0      0  *.80                   *.*                    LISTEN     
tcp4       0      0  *.445                  *.*                    LISTEN     
tcp6       0      0  *.445                  *.*                    LISTEN     
tcp4       0      0  *.5900                 *.*                    LISTEN     
tcp6       0      0  *.5900                 *.*                    LISTEN     
tcp4       0      0  *.548                  *.*                    LISTEN     
tcp6       0      0  *.548                  *.*                    LISTEN 
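The lsof and netstat listings above both answer the same question, but neither says at a glance which listeners are bound to loopback only and which are reachable from the network (a `*` or a LAN address such as 192.168.87.102). The following script is an added example, not part of the original post: it parses either format from stdin and tags each LISTEN socket as loopback or external. The sample lines are constructed to mirror the post's column layout; on a real box you would pipe in `lsof -iTCP -sTCP:LISTEN -n -P` (the -n and -P flags print numeric hosts and ports instead of names like "freeciv") or `netstat -an`. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies LISTEN sockets
# from lsof -i or netstat -an output as loopback-only or externally reachable.

# Reads lsof or netstat lines on stdin and prints one line per listener:
#   SOURCE PROCESS ADDRESS SCOPE
# PROCESS is COMMAND/PID for lsof rows and "-" for netstat rows (netstat -an
# on OS X does not show the owning process).
classify_listeners() {
    awk '
        function scope(h) {
            # Anything not bound to a loopback address can be reached by other hosts
            return (h == "localhost" || h == "127.0.0.1" || h == "::1") ? "loopback" : "external"
        }
        # lsof layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
        /\(LISTEN\)$/ {
            name = $9
            if (match(name, /^\[.*\]/)) {              # IPv6 form "[::1]:25"
                host = substr(name, 2, RLENGTH - 2)
            } else {
                split(name, parts, ":"); host = parts[1]
            }
            print "lsof", $1 "/" $2, name, scope(host)
            next
        }
        # netstat -an layout: proto recv-q send-q local-address foreign-address state
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            name = $4
            n = split(name, parts, ".")                # port is after the last dot
            port = parts[n]
            host = substr(name, 1, length(name) - length(port) - 1)
            print "netstat", "-", name, scope(host)
        }
    '
}

# Only the listeners that other hosts could connect to.
external_listeners() {
    classify_listeners | awk '$4 == "external"'
}

# Constructed samples in the post's lsof and netstat layouts (not real output).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
SpotifyWe   427 bob    6u  IPv4 0xfadf3f229c048281      0t0  TCP localhost:4370 (LISTEN)
NDSPCShow 13355 bob   45u  IPv4 0xfadf3f22ae9d6ea1      0t0  TCP localhost:9012 (LISTEN)
Google    98152 bob  219u  IPv4 0xfadf3f22a1e07091      0t0  TCP 192.168.87.102:freeciv (LISTEN)
Google    98152 bob  225u  IPv4 0xfadf3f22a26b6091      0t0  TCP localhost:freeciv (LISTEN)'

SAMPLE_NETSTAT='tcp6       0      0  ::1.587                *.*                    LISTEN
tcp4       0      0  127.0.0.1.587          *.*                    LISTEN
tcp4       0      0  192.168.87.102.5556    *.*                    LISTEN
tcp4       0      0  *.88                   *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN'

# Stand-alone demo: full classification, then the externally reachable subset.
{ printf '%s\n' "$SAMPLE_LSOF"; printf '%s\n' "$SAMPLE_NETSTAT"; } | classify_listeners
echo "--- reachable from the network ---"
{ printf '%s\n' "$SAMPLE_LSOF"; printf '%s\n' "$SAMPLE_NETSTAT"; } | external_listeners
```

The external list is the one worth reviewing first: a loopback-only listener such as the two Spotify ports can only be reached by processes already on the machine, whereas an entry on `*` or the LAN address is exposed to whatever network the box is plugged into.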

Again, you can use the LISTEN and similar keywords to see the state of each connection. Yet another option is Knockknock, a Python script that can be used to check which resources on your machine may be malicious. Knockknock is available on GitHub; download and install it using git:

$ git clone https://github.com/synack/knockknock.git

Then cd into the knockknock directory and execute it. Here is how you find all running processes using knockknock:

$ sudo ./knockknock.py
<snipped>
[Chrome Browser Extensions]

Weebly - Website Builder 
 description: Easily create a free site, blog or online store. No technical skills required. Hosting included.
 id: cnocophcbjfiimmnhlhleaooedeheifb
 path: /Users/bob/Library/Application Support/Google/Chrome/Default/Extensions/cnocophcbjfiimmnhlhleaooedeheifb/1.0.5_0

None 
 description: None
 id: kfcfceejhleedfbabanmaamfiagjhncj
 path: None
<snipped>

The above shows the output from the knockknock Python program. It can be used to see all browser extensions and processes that use your network connection, so you can inspect each connection and check whether any look suspicious.

With fuser you can list all the open files on your OS X box. It gives you the user and file handle for every open file. The output is really cluttered in my opinion, so I'm sticking to the alternatives above.
