# nmap



## fernandel (Feb 18, 2018)

Hi!

Today I scan my system with `nmap -v -A 192.168.1.1-255` and I found six open ports. One of them is 5431. Is it okay, please?


----------



## Deleted member 30996 (Feb 18, 2018)

What ports show as open when you use security/nmap to scan your own machine is not necesarily what a scan from outside your LAN will show.

Give nmap online a try and see what it shows. Or if you have another box use it to scan the one in question.

I'd look at `sockstat -l4` and `netstat -an`, too.

/etc/services doesn't show anything for port 5431


----------



## ronaldlees (Feb 18, 2018)

Some internet sources reference this as using the 5431 port:

https://en.wikipedia.org/wiki/Universal_Plug_and_Play


----------



## fernandel (Feb 18, 2018)

I did check online and everything is okay.
For port 5431 I got:
isn't responding on port 5431 (park-agent).

Thank you.


----------



## Deleted member 30996 (Feb 19, 2018)

ronaldlees said:


> Some internet sources reference this as using the 5431 port:
> 
> https://en.wikipedia.org/wiki/Universal_Plug_and_Play



I don't show that as an open port. I don't know what is opening that port on fernandels machine but remember Universal Plug-and-Play being a problem several years ago on Windows and people being advised to disable it.

Generally, I check `sockstat -l4` and if I see a port open I make a rule to block it with pf and work from there. net/avahi as an example uses UDP port 5353 as zeroconf so it gets blocked at pf.


----------



## Datapanic (Feb 19, 2018)

sysutils/lsof is also useful for finding out what process is using what port.

For example, I have VNC server running on port 5901.  So, a simple `lsof |grep 5901` will show me:


```
Xvnc      40988      root    1u    IPv4 0xfffff80087a18820                0t0     TCP nas01.cdor.net:5901 (LISTEN)
```

So, off to the left there above, I can see Xvnc was found to be listening on port 5901 with PID 40988.  So, `ps -auxfwp 40988` (empahsis on the "p" will show me even more info:


```
USER   PID %CPU %MEM   VSZ   RSS TT  STAT STARTED    TIME COMMAND
root 40988  0.0  0.1 65188 10996 18  I    Thu19   0:28.22 Xvnc :1 -interface 10.10.10.10 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xaut
```


----------



## SirDice (Feb 19, 2018)

No need for it, we have sockstat(1): `sockstat -46`


----------



## fernandel (Feb 19, 2018)

I did try sysutils/lsof and I got:

```
lsof |grep 5431
gnome-ses  8758      fernandel  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
gnome-she 31858      fernndel  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
tracker-m 44838      fernandel  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
hald      53972  haldaemon  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
hald-runn 54045       root  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
goa-daemo 54666      fernandel  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
mission-c 57253      fernandel  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
python2.7 59443      fernandel  txt     VREG               0,97             190965 42155431 /usr/local/lib/libdbus-glib-1.so.2.3.3
```


----------



## fernandel (Mar 4, 2018)

SirDice said:


> No need for it, we have sockstat(1): `sockstat -46`


I am runing GNOME 3 and I did run `sockstat -46` and I got:

```
root     sendmail   97232 3  tcp4   127.0.0.1:25          *:*
root     cupsd      30062 6  tcp6   ::1:631               *:*
root     cupsd      30062 7  tcp4   127.0.0.1:631         *:*
_ntp     ntpd       79463 7  udp4   192.168.1.2:34752     198.50.238.156:123
_ntp     ntpd       79463 8  udp4   192.168.1.2:42334     198.58.110.84:123
_ntp     ntpd       79463 9  udp4   192.168.1.2:24011     38.126.113.11:123
_ntp     ntpd       79463 10 udp4   192.168.1.2:51415     216.187.142.202:123
?        ?          ?     ?  tcp4   192.168.1.2:60974     192.0.73.2:443
```
I do not know what is the last one/ Am I hacked?

Thank you.


----------



## ShelLuser (Mar 4, 2018)

Well, 443 is basically an HTTPS port. So at first glimpse I'd say this indicates an outside connection to a web server using HTTPS. I do agree that the question marks look odd, However, this seems to be somewhat covered in sockstat(1):



> If a socket is associated with more than one file descriptor, it is shown
> multiple times.  If a socket is not associated with any file descriptor,
> the first four columns have no meaning.


So my bet is on the latter: a socket which isn't associated with any file descriptor.

And what do you know...  Running `lynx https://google.com` in one console gives me these results in the other:


```
root     syslogd    591   6  udp6   *:514                 *:*
root     syslogd    591   7  udp4   *:514                 *:*
?        ?          ?     ?  tcp4   10.0.1.5:40728        209.85.203.94:443
```
Ergo: you're not hacked, this is standard behavior.


----------



## Nicola Mingotti (Mar 5, 2018)

I also see three lines like yours

```
?        ?          ?     ?  tcp4   172.16.0.150:52181    216.58.198.46:443
?        ?          ?     ?  tcp4   172.16.0.150:52182    216.58.205.132:443
?        ?          ?     ?  tcp4   172.16.0.150:52185    93.184.220.29:80
```

Then, I did the following, start to kill applications untill they disappear.
They did not go, even if I killed X .

So I rebooted and started one application at a time checking
`sockstat -4`.
To, me they appear in the moment I load "WhatsApp Web" from Firefox.

I go to sleep, bye !

.... last last test. I run "chromium" and I see

```
?        ?          ?     ?  tcp4   172.16.0.150:12346    216.58.198.46:443
?        ?          ?     ?  tcp4   172.16.0.150:12347    216.58.198.46:443
?        ?          ?     ?  tcp4   172.16.0.150:12348    216.58.205.35:443
?        ?          ?     ?  tcp4   172.16.0.150:12349    216.58.198.33:443
?        ?          ?     ?  tcp4   172.16.0.150:12350    216.58.198.46:443
?        ?          ?     ?  tcp4   172.16.0.150:12351    216.58.198.35:443
?        ?          ?     ?  tcp4   172.16.0.150:12352    216.58.198.35:443
?        ?          ?     ?  tcp4   172.16.0.150:12353    216.58.205.66:443
```

After a few seconds these lines go.

The question is, why is there a questoin mark and not the name "chrome" or "firefox" ?


----------



## PacketMan (Mar 5, 2018)

So I decided to try these commands and I was surprised to learn something.  In my connections list I see private IPv4 (RFC1918) addresses. I was surprised to see these because the nodes are not on the LAN, but are other nodes that are NATed to other public IP addresses. In other words the connections list did not show the public (outside) IP address for these nodes, but rather it showed the private (inside) IP address. Interestingly these were in SYN_SENT state and not Established.  This activity is associated with a particular program I have installed. I will have to deep dive that soon.


----------



## ronaldlees (Mar 6, 2018)

The question marks are normal.  Here's a thread that talks about it:

https://forums.freebsd.org/threads/...tion-marks-when-trying-to-close-socket.46695/


----------



## Nicola Mingotti (Mar 6, 2018)

ronaldlees said:


> The question marks are normal.  Here's a thread that talks about it:
> 
> https://forums.freebsd.org/threads/...tion-marks-when-trying-to-close-socket.46695/



I copy here for others who may be interested,
-----------
*About the question marks* displayed by sockstat:
This is most probably because the process the socket belonged to has terminated (i.e. there's no useful information available). The kernel, however, has to keep the socket around for a while because closing a TCP connection requires a 4-way handshake and the process terminated after the first round.
-----------


----------

