How to Scan for Open Ports in Linux

Open ports often pose a possible security threat to the system.

It is essential to keep open ports to a bare minimum by performing a scan of all the possible TCP and UDP ports using the Linux terminal.

Security administrators and hackers often scan ports to check the availability of open ports in Linux. Furthermore, the port scan could be for security or vulnerability assessment. Before starting with the port scan, make sure that it is not against the law in the country as some countries consider it illegal.

This article discusses various ways in which you can scan open ports from the Linux command line.

What is a Port?

A port is a 16-bit number ranging from 0 to 65535. The following list shows several categories of ports:

  • Well known Ports (0 to 1023) 
  • Registered Ports (1024 to 49151)
  • Dynamic Ports (49152 through 65535)

Moreover, there are various well known universal ports, out of which few are listed below:

  • 20: FTP data
  • 22: SSH
  • 53: DNS services
  • 80: HTTP – Unencrypted Web traffic
  • 143: IMAP mail port
  • 443: HTTPS – Secure web traffic
  • 587: SMTP – message submission port

To get the list of ports on the system, execute the following command. The common parts are found in /etc/services the file.

$ sudo less /etc/services
list of open ports

To learn more about ports, check the details given on this Wikipedia page.

What is an Open Port?

An open port is a port that is ready to listen to incoming traffic from the outside locations. For instance, if a web service listens to ports 80 and 443, and both of these are open, then anyone from the remote location can easily access the websites hosted on that web server. 

Open ports are a security risk to an organization. The attackers can easily exploit these ports. To decrease the risk, you must close all the ports except for the ones needed for functionality.

Let’s dive into the various methods used for scanning open ports.

Method 1: Using Nmap to Scan Open Ports

Nmap is the most important tool to listen to open ports. It is the most diverse tool. Moreover, you can use it to assess vulnerability assessment and fingerprinting operating systems. Nmap also has a GUI called Zenmap. 

  1. Install Nmap using either apt, yum, or dnf package, depending on your Linux distribution. 
$ sudo apt install nmap
$ sudo dnf install nmap
$ sudo yum install nmap
  1. After installation, run the following command to get a complete list. The execution might take slightly longer.
$ sudo nmap -n -PN -sT -sU -p- localhost
nmap command
  1. To scan the particular host on the Nmap, type the command with the hostname, and this will list the open ports and services.
$ sudo nmap

The command will show the output similar to the one given below:

list of open ports using nmap
  1. To scan for UDP ports, use -sU flag with the nmap command. This might require root privilege. Apart from these flags, some commonly used flags are:
  • -p- : Scan for all ports
  • -sT : TCP scan
  • -O: Scans for the running operating system 
  • -T[1-5]: Sets the scanning speed

Method 2: Using Netstat Command

Netstat is a widely used command to print all the open ports in Linux systems. To use netstat, run the following command in the terminal:

$ sudo netstat -ltup
scanning ports using netstat command

You can also use Netstat with the grep command to identify which application is listening to which port. Furthermore, you can also use it to find which particular port is tied to which application.

To only listen to open ports using netstat, type and execute the following command:

$ sudo netstat -tulpn | grep LISTEN
open ports using netstat command

Method 3: Using ss Command

Like netstat, the ss command is used to display open ports in a system. Execute the command given below to view open ports using ss:

$ sudo ss -lntup
scanning ports using ss command

Method 4: Using lsof Command

This command lists all open files. Since Linux treats everything as a file, this command could scan for an open stream or a network file. Run the command as:

$ sudo lsof -i
$ sudo lsof -i -P -n | grep LISTEN
scan ports using lsof command

The grep command will show only those ports that are in the LISTEN state. 

Method 5: Using Netcat to Scan Open Ports

  1. Netcat is a port writer used to scan TCP and UDP ports. To install Netcat, type:
$ sudo apt install netcat-traditional -y
installing netcat
  1. To scan using Netcat, type the keyword nc with domain and port number. 
$ sudo nc -z -v 80
  1. Executing the command will display the output similar to this: [] 80 (http) open
  1. To use Netcat with a range of port numbers, execute the command given below:
$ sudo nc -z -v 20-80

The output will look something like this (if the domain is personal):

nc: connect to port 20 (tcp) failed: Connection refused
nc: connect to port 21 (tcp) failed: Connection refused
Connection to 22 port [tcp/ssh] succeeded!
Connection to 80 port [tcp/http] succeeded!

Otherwise, it will keep on waiting for the connection like the image given below:

Scan open port using netcat

Method 6: Using Unicornscan to Scan Open Ports

Unicornscan is a tool designed to scan network vulnerabilities. It provides various comprehensive features as compared to Nmap. Just like Nmap, you need to install it first. 

  1. To install Unicornscan, execute the command given below:
$ sudo apt-get install unicornscan -y
unicornscan installation
  1. After that, run using the keyword with IP address.
$ sudo unicornscan -v -I
Scan open port using Unicornscan

Scanning for open ports in Linux is equally essential for security administrators, developers, security experts, and gamers. This article discussed various ways in which you can check the open ports in Linux. No single command is more perfect than the other. All of them are equally useful and provide the required information. Thus, the users can use it as per their needs.

Leave a Reply
Related Posts