I must concede, spying on a network (and everything and everybody on it) is just candid fun. Imagine, silently typing on your keyboard, exploring a network, examining what things are there and what they are up to. How would this not be equally intriguing as reading a mystery novel?

But do you know how to scan your local network How to find its vulnerabilities?

So few of us know how to do this. How do you get a list of every open port on your computer? Or of every connection to the WiFi? This topic is often discussed on a theoretical level, but very rarely with a practical approach. That is why all talks on cybersecurity and hacking are always full to the last seat. We want to know about this, we want to learn. And yes, we absolutely do want to spy on everybody :sunglasses:.

The following guide describes how to inspect your network in Linux.

We will start with ourselves

First, we have to figure out where we are, do we have a network connection? How many do we have?

To get a list of currently active network connections, we will use the very convenient ip command. ip has been replacing the ifconfig command since iproute2 tools became available.

ip addr show will show us everything that has an IP address, a MAC address or is pretending to have one (i.e. veth - Virtual Ethernet Device).

$ ip -c address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wlp58s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 8c:b2:e0:dc:54:a3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global dynamic noprefixroute wlp58s0
       valid_lft 82821sec preferred_lft 82821sec
    inet6 fe80::b444:f37b:b13a:e017/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 38:40:e5:43:ef:cc brd ff:ff:ff:ff:ff:ff
    inet 172.17.15.3/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe40::e2:35ff:de4f:cf3c/64 scope link 
       valid_lft forever preferred_lft forever
5: br-9ad7ea412ea4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:e8:7a:de:e1 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-9ad7ea412ea4
       valid_lft forever preferred_lft forever

How to read the above? Immediately, you can see 4 sections: lo, wlp58s0, docker-0 and br-9ad7ea412ea4.

lo stands for localhost (archaically called loopback).

Most of you probably already know, but let’s state it clearly nevertheless: this address is used for internal testing of network services. It is implemented entirely within your computer and is not accessible from the outside (from other computers, devices, the internet).

From the 3rd line of its description (inet 127.0.0.1/8), we can see that its IP address 127.0.0.1, just as expected.

wl... stands for wireless LAN, this is our wireless connection to our immediate network. In the 3rd line (inet 10.0.0.8/24) we can see that its IP address is 10.0.0.8.

10.0.0.8 is an interesting address, it is the public IP address of our computer. Other devices on our network see our computer as the host 10.0.0.8. But because the IP starts with 10.- we also know that this is a private network, our computer is not accessible from the internet.

Which IPs are private again and which public? The IETF’s standard (document RFC-1918) explains that IP addresses 10.0.0.0 - 10.255.255.255 are reserved for the private IP space and cannot be routable on the global internet. (Together with a few addresses in the 172.- and 192.- blocks)

wl... appears only if you have a wireless interface or adapter. If your connection to a network is via a cable, then you are looking for a connection called eth....

If there are several wired or wireless interfaces available, all will be listed.

In the inet6... line of each section we can see the various MAC addresses of each device.

To see only the list of MAC addresses, run ip -c link show.

What role do Docker containers play?

Did you know or, better, did you pay attention, to the detail that every Docker install comes with a bridge network?

This is what the above docker0 is referencing.

As long as no containers are running, the bridge docker0’s status is DOWN.

What happens if I now start a few Docker containers and run ip -c addr show again?

I get a veth.. section for every container. veths are virtual ethernet connections. They always come in pairs, one is created in the localhost namespace, and the other in the namespace of the container’s network.

$ ip -c address show
---------------------snip------------------------
257: veth896c58e@if256: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-a8510d99f31a state UP group default 
    link/ether c2:9e:33:ca:84:7c brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::c09e:33ff:feca:847c/64 scope link 
       valid_lft forever preferred_lft forever
253: br-a8510d99f31a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:f3:d5:7e:63 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-a8510d99f31a
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f3ff:fed5:7e63/64 scope link 
       valid_lft forever preferred_lft forever
255: vethe88a763@if254: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-a8510d99f31a state UP group default 
    link/ether 9a:ec:54:83:3e:a8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::98ec:54ff:fe83:3ea8/64 scope link 
       valid_lft forever preferred_lft forever

Who else is here?

The next step in our “Practical guide with examples” is to figure out what services we are exposing to others on this network. We will use nmap.

nmap is a great tool for network exploration and security auditing. It is also open-source and very straightforward to use.

nmap researches which hosts are available on the network, what services those hosts offer, what OS they are running, what type of packet filtering/firewalls are in use, …

BE CAREFUL! Scanning random servers can get you in trouble!

From the above, we learned that our computer has 2 IP addresses, the localhost 127.0.0.1 and the network address 10.0.0.8. Both of these represent our computer. Everything on localhost is visible only from our computer and everything on 10.0.0.8 is visible to every device on this network.

localhost

The good news is that these 2 IPs do not overlap by default. What is accessible on 127.0.0.1 is not by default accessible on 10.0.0.8. We have to put in extra effort to make something from our localhost visible to the network. But the bad news is that sometimes we are running services, which by default ARE visible to everybody on our network. 😨 And let us be honest, 99.99% of us are not sure which services these are.

Thus, let’s ask the computer which ports are open.

What is hooked to localhost?

nmap is truly simple to use. It does have lots of settings, but for starters (because we are scanning localhost and not spamming a random server) it is enough if we just give it an IP address.

Just short note, scanning TCP ports (-sT) is much faster than scanning UTP ports, and checking the status of just 1 port (-p 80) is vaaaastly faster than scanning all ports.

Because ..localhost, we’ll scan everything:

$ nmap 127.0.0.1

Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
1010/tcp open  surf
1111/tcp open  lmsocialserver
1500/tcp open  vlsi-lm
3306/tcp open  mysql
5432/tcp open  postgres
4000/tcp open  remoteanything

Ok, how does one read this? Is this list too long, too short, just right? It is localhost, after all, it is not accessible to others.

Localhost or not, the rule with ports is very simple:

Keep all ports closed, except the ones you are using!

I went through the above list and instantly understood all but the first 3 ports:

port service explanation
139/tcp netbios-ssn ?
445/tcp microsoft-ds ?
631/tcp ipp ?
1010/tcp surf “ok, a Docker port”
1111/tcp lmsocialserver “ok, another Docker port”
1500/tcp vlsi-lm “ok, another Docker port”
3306/tcp mysql “ok, yet another Docker port”
5432/tcp postgresql “ok, I have a PgSQL server running”
4000/tcp remoteanything “ok, Jekyll is running on this port”

To learn more about these 3 ports, we can use -A to enable OS detection, version detections, script scanning and traceroute and we can limit the scan to only 1 port with -p 631.

$ nmap 127.0.0.1 -A -p 139
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000089s latency).
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba 4.10-Ubuntu (workgroup: ABCD)
Service Info: Host: MON
Host script results:
|_nbstat: NetBIOS name: MON, ....
| smb-os-discovery: 
|   OS: Windows ......
|_  System time: ....
| smb-security-mode: 
|   account_used: ...
|   authentication_level: ...
|_  message_signing: ....
------------------snip------------------------------------

This is one way of figuring out more about these ports, a far more efficient way is to google them all 😄.

After googling the other 3, I discovered that:

  • 631 is used to communicate with the printer. This makes sense since there is a printer right next to me 😌.

  • 445 is used for a Microsoft service for file sharing. And it appears that this is a horrible port to have open 😱. For a long time this port has been known as a horrendous security hole:

    “As you might imagine, malicious hackers have been having a field day scanning for port 445, then easily and remotely commandeering Windows machines.” — Gibson Research Corporation

  • 139 is also used for file sharing to Windows computers. Apparently, it is not that terrifying to have this one open.

I just created some work for myself. I will have to deal with 445 and 139. Soon. There is a reason why computer administration is a full-time job.

But, I will definitely check who else has 445 open at work 🍹.

(later that week): Ha, 12 other hosts have 445 open. I guess I will have to share the knowledge and offer to explain the danger. Again, more work.

Who said knowledge is power? Knowledge is mostly work.

What are we sharing with everybody on the network?

After the 445 gave us a scare, we might have brushed it off thinking, “It is only localhost, localhost ports are most probably not really dangerous, .. I think. They are at least benign enough for me to procrastinate on closing them for a few days/months. It is the public ports, which I will concentrate on”.

So let’s see, what is visible to other devices on our network.

$ nmap 10.0.0.8

Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for Mon (10.0.0.8)
Host is up (0.00020s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1500/tcp open  vlsi-lm
3306/tcp open  mysql
8080/tcp open  http-proxy
8888/tcp open  sun-answerbook
9000/tcp open  cslistener

Uh-oh, 💀 the dreaded 139 and 445 are open… Which makes sense, since they are meant for file sharing between computers, not between this computer and itself. This will need my attention ASAP.

But first, 😉 why are all the Docker ports visible to everybody? Ah… this is turning into a much bigger mess than anticipated.

After some googling, I learnt that by default Docker exposes ports to the IP address 0.0.0.0 and not 127.0.0.1. The 0.0.0.0 address is a placeholder address, its meaning is similar to that of a * in a regex. Saying “Expose 0.0.0.0:30” means expose the port 30 on all IP addresses, thus also our public 10.0.0.8.

Each time you mapped a Docker port to an outside port, you were making this port publicly accessible. Great!

services:
  web:
    ...
    ports:
      - "1010:80"
      - "1111:8888" 
  db:
    image: 'mysql'
    ...
    ports:
      - "1500:3306"

So, to remedy this, I might want to update the docker-compose.yml files by explicitly binding ports to IPs. Once this is done, nmap no longer shows Docker ports among the publicly open ports.

Perfect, we finally have all ports accounted for.

Now we can move on to …

Who else is here?

For starters, let’s check which WiFi network we are connected to. Let’s run nmcli dev wifi:

$ nmcli dev wifi
IN-USE  SSID                    MODE   CHAN  RATE        SIGNAL  BARS  SECURITY  
        MANET-1                 Infra  44    405 Mbit/s  100     ▂▄▆█  WPA2      
*       MANET-2                 Infra  1     195 Mbit/s  83      ▂▄▆█  WPA2      
        MANET-3                 Infra  1     130 Mbit/s  77      ▂▄▆_  WPA1 WPA2

nmcli will display a brief summary of all available wifi access points (APs). It can also be used to connect to a selected network (nmcli dev wifi connect MANET-3).

Given that we have 3 wifi networks, we should definitely scan all 3 of them. But for starters, let’s see what is on MANET-2. We will use nmap.

To see which other hosts are “up”/“live” on our network, we need to know our IP address and our subnet mask. From running theip command, we got both these details: 10.0.0.8/24.

A quick reminder of what a subnet mask is. The IPs of all hosts in the same network start with the same bits, only the last bits are different. Our subnet mask /24 means that the first 24 bits will be the same. Given our IP 10.0.0.8/24, we know that all hosts in our network will be between 10.0.0.1 and 10.0.254 (10.0.0.0 is the network address and 10.0.0.255 is used for broadcasting).

To quickly see all devices on my network, run nmap with the option -sn. This means nmap will no scan the ports, it will just return a list of “live” hosts:

$ nmap -sn 10.0.0.8/24

Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for _gateway (10.0.0.1)
Nmap scan report for 10.0.0.3
Nmap scan report for 10.0.0.4
Nmap scan report for 10.0.0.5
Nmap scan report for MON (10.0.0.8)
Nmap scan report for 10.0.0.9

Nmap done: 256 IP addresses (6 hosts up) scanned in 15.31 seconds

There are 6 active hosts in our network. 10.0.0.1 is the gateway, the router connecting our private network to the internet. 10.0.0.8 is us (our computer’s name is MON).

network-step-1

But who are the others?

To learn more about them we can run nmap with:

-sV, to see which services are listening on which ports, -sS, for the quickest and relatively stealthy scan, -O, to enable OS detection, -A, to enable OS detection and other features -p 80, to check only the port 80 -sT, to scan only TCP ports (scanning TCP ports is much quicker than scanning UTP ports).

Investigating host 10.0.0.3 reveals:

$ sudo nmap -sS 10.0.0.3  -A

Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for 10.0.0.3
PORT   STATE SERVICE VERSION
80/tcp open  http    GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: Range Extender
|_Requested resource was http://10.0.0.3/login.asp
MAC Address: 09:0A:XX:XX:XX (Tenda Technology)
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
Network Distance: 1 hop

Nmap done: 1 IP address (1 host up) scanned in 20.60 seconds

Look at the line | http-title: Range Extender and OS details: VxWorks. This host is just a WiFi range extender. A quick google search of OS VxWorks reveals a pretty awesome Wiki page explaining that this OS is used for embedded systems, that the Mars rovers are using it, as well as the ASIMO robot and a bunch of auto manufacturers. And here I am using it to merely extend my WiFi range. This is the technology that went to Mars and I paid 40€ for the hardware, software, transportation, design,… Feels like uncovering a small jewel.

network-step-2

Investigating host 10.0.0.4 reveals:

$ nmap -sS 10.0.0.4  -A

Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for 10.0.0.4
PORT     STATE SERVICE         VERSION
80/tcp   open  http            nginx
8008/tcp open  http?
8009/tcp open  ssl/ajp13?
| ssl-cert: Subject: commonName=XXXXXXXXXXXXXXXXXXXXX
8443/tcp open  ssl/https-alt?
9000/tcp open  ssl/cslistener?
MAC Address: XXXXXXXXX (Hon Hai Precision Ind.)
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).

Nmap done: 1 IP address (1 host up) scanned in 187.96 seconds

This is an interesting device, it runs a full-fledged Nginx web server. And it seems to have been built by Hon Hai Precision Ind., a Taiwanese electronics contract manufacturer. Since they are a contractor, we are no closer to figuring out what device this is. The Fortinet FortiGate is a professional firewall. 3 ports are protected by SSL (the connections are encrypted).

Not knowing what this device is, is actually a happy surprise. Some people have put at least some effort into making sure this device demands a bit of know-how and effort to crack.

After checking manually, it turns out it is the TV.

network-step-3

Checking 10.0.0.5 was an enigma. nmap couldn’t figure out anything. I ran it with all kinds of settings, I’ve tried out all kinds of approaches, but the main problem was that this device had all ports closed. Everything. Each and every one of them.

It should come as no surprise that a port-scanning tool isn’t good at figuring out a device, which has all its ports shut. 😅

I checked manually and it was an Android smartphone.

network-step-4

Last one to go! What is 10.0.0.9?

$ nmap 10.0.0.9 -sT

Starting Nmap 7.60 ( https://nmap.org )...
Nmap scan report for 10.0.0.6
PORT      STATE SERVICE
62078/tcp open  iphone-sync

Nmap done: 1 IP address (1 host up) scanned in 40.79 seconds

What a surprise, this device practically introduced itself. It appears to be an iPhone, which apparently likes to sync something via this port.

network-step-5

Googling this port proved to be very Apple-like: lots of rumours lots of guesses, no official explanation. From what is written about this port, it seems to be used by iTunes for data-syncing on a WiFi network. I do wonder how often this syncing is happening and if the owner of this phone, knows about it.

Try nmap today

With just a few nmap commands I was able to learn a great amount about the devices on my network. Pretty good, considering I just learned about this tool recently.

Now it is your turn, check your devices and your networks and try not to get in trouble.

External sources