Listen Sockets, Ports and Telnet

From docwiki


Motivation

Here we learn how a server program is connected to the network and how you can test that connection. When we are logged in to a server we do not know much about, it is always a good idea to first investigate which ports it is listening on.

Listen Sockets

When programs communicate via the network, they use the system libraries to open so-called sockets. Sockets are similar to files: you can open and close them and read from and write to them. For services that other clients connect to, there are so-called listen sockets.

Linux offers so-called unix domain sockets, which look like files but are actually connections between programs. Similar to those are named pipes, which can even be opened with regular file operations. But these two are only useful for communication between processes on the same machine.

For network connections there are network sockets. A server chooses a network port and tells the operating system that it wants to listen there for incoming connections. Once the kernel receives the corresponding packets from the network, the connection is established and the server can communicate with the other end. Most servers then fork off a process that handles this connection, while the main program continues to listen for additional connections.

For IP packets there are 16-bit port numbers. The most used protocols are TCP (for end-to-end connections where the server program only wants a data stream and is not interested in the details of the connection, e.g. a web server) and UDP, which consists of small datagram packets. With UDP the server program itself is responsible for dealing with issues like lost packets and even packets received in a different order.

Port Number   Protocol   Service
22            TCP        SSH - secure shell
25            TCP        SMTP - sending mail between servers
80            TCP        HTTP - unencrypted web
443           TCP        HTTPS - encrypted web
53            UDP        DNS - Domain Name Service

netstat and ss

When we want to know what kind of network connections are currently active and which server daemons are listening on incoming ports, we can use the netstat command. There is also the newer ss tool that is supposed to replace netstat. (See: https://www.linux.com/topic/networking/introduction-ss-command/ )

Here are a few use-cases to display information with netstat and also the corresponding ss command.

# netstat -nt --listen -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      743/sshd            
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      760/cupsd           
..

#  ss -l -t -p
..

-n suppresses the translation of addresses and ports into DNS and service names. -t means TCP only, and -l or --listen selects listen sockets. -p additionally shows which process owns the socket. Instead of -t you could also use -u for UDP. Without --listen you will see the established connections.

In the above example you see that some services are listening on the address 0.0.0.0 while others are listening on a specific IP address, in the case above 127.0.0.1. If a service listens on 0.0.0.0 this is a wildcard: it means all IP addresses of any network card of the server are accepted. If it uses a specific address then the service is only reachable there. So if you only need a service on your own computer, bind it to 127.0.0.1.
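The check described above (which services are bound to the wildcard address and therefore reachable from the network, versus loopback only) is easy to script. The following is an added example, not part of the original page: it parses netstat-style output (the sample text is constructed in the same shape as the output shown above; the apache2 and named lines and all PIDs are made up) and lists every listen socket bound to 0.0.0.0 or :: whose port is not on an allow-list of ports you expect to be public.

```python
# Constructed sample modelled on the `netstat -nt --listen -p` output above.
# The sshd and cupsd lines mirror the page; apache2/named and the PIDs are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      743/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      760/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      901/apache2
udp        0      0 0.0.0.0:53              0.0.0.0:*                           512/named
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def split_addr_port(s):
    """Split 'addr:port'; the address itself may contain colons (IPv6), so split at the last one."""
    addr, _, port = s.rpartition(":")
    return addr, int(port)


def parse_listen_sockets(text):
    """Turn netstat --listen output into a list of dicts with a 'scope' classification."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and header lines; data lines start with tcp/tcp6/udp/udp6.
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, port = split_addr_port(parts[3])
        program = parts[-1] if "/" in parts[-1] else "-"  # PID/Program name column
        if addr in WILDCARD:
            scope = "all-interfaces"      # the 0.0.0.0 / :: wildcard described above
        elif addr in LOOPBACK:
            scope = "loopback-only"       # only reachable from this machine
        else:
            scope = "specific-address"    # bound to one particular interface address
        rows.append({"proto": parts[0], "addr": addr, "port": port,
                     "program": program, "scope": scope})
    return rows


def exposed_services(text, expected_public=(22, 80, 443)):
    """Listen sockets bound to all interfaces whose port is not on the allow-list.

    Anything returned here is reachable from the network without anybody having
    decided that it should be; each entry deserves a look (bind it to 127.0.0.1,
    firewall it, or add it to expected_public deliberately).
    """
    return [r for r in parse_listen_sockets(text)
            if r["scope"] == "all-interfaces" and r["port"] not in expected_public]


if __name__ == "__main__":
    for r in parse_listen_sockets(SAMPLE_NETSTAT):
        print(f"{r['proto']:5} {r['addr']:>10}:{r['port']:<5} {r['scope']:17} {r['program']}")
    print("unexpected exposure:", exposed_services(SAMPLE_NETSTAT))
```

To run it against a live system, feed it the real output, e.g. `subprocess.run(["netstat", "-ntul", "-p"], capture_output=True, text=True).stdout`; the same parser works for `ss -tulnp` output if you adjust the column index, since ss puts the local address in a different column.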

CLI Tools for Opening Connections

telnet

The classical tool to open a TCP connection is telnet. Telnet was initially used in the same way we use SSH today, but it had no encryption. Instead of connecting only to a telnet server port, however, the telnet tool can connect to any TCP port.

For example, you could connect to the port of a web server and pretend to be a browser:

$ telnet www.orf.at 80
Trying 194.232.104.142...
Connected to www.orf.at.
Escape character is '^]'.
HEAD /
HTTP/1.1 400 Bad Request
Date: Sun, 29 Mar 2020 19:25:49 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.


You need to type the "HEAD /" line yourself. If you are ever connected somewhere and do not know how to close the connection: type Ctrl-] to get the telnet prompt and then type quit.

Of course we can also connect to services on our own host. Often all we want to know is whether something accepts the connection or not. E.g.:

$ telnet 127.0.0.1 1234
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

Above we try to connect to our own machine on port 1234.

If you cannot connect, you either get "Connection refused" (the remote end tells you that there is no service on that port) or you just wait and wait (if e.g. a firewall drops the packets to that port).
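The two failure modes just described (an immediate refusal versus silence) can be told apart programmatically, which is useful when you want to check a whole list of ports without watching telnet hang. The following is an added example and not part of the original page: it connects with a timeout and reports "open", "closed" (a refusal, what telnet prints as "Connection refused") or "filtered" (no answer within the timeout, the "waiting and waiting" case). The small start_listener helper only exists so the demo can produce an open port on the loopback interface.

```python
import socket


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port the way the page describes telnet's behaviour.

    'open'     - the handshake completed, something is listening there
    'closed'   - the remote end answered with a reset ("Connection refused")
    'filtered' - nothing came back within the timeout (packets dropped, e.g. by a firewall)
    'error'    - some other problem (unreachable network, name lookup failure, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def start_listener(host="127.0.0.1"):
    """Demo helper: open a listen socket on a kernel-chosen free port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 means "give me any free port"
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    print(f"port {port} while listening:", probe_tcp("127.0.0.1", port))   # open
    srv.close()
    print(f"port {port} after closing:  ", probe_tcp("127.0.0.1", port))   # closed
```

The "filtered" branch cannot be demonstrated on the loopback interface, because the kernel always answers there; you only see it against a host whose firewall drops packets, as the text describes. Keep the timeout short when scanning your own machines, since every filtered port costs the full timeout.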

netcat, nc, ncat make your own listen socket

netcat is kind of a swiss-army knife for network connections. There are three different implementations which are sometimes installed under the same name.

You can find out which of those you have by trying the option -h with the above commands. In my case I have installed ncat, which comes from the nmap tools (useful to scan networks for hosts that answer). On my machine all three commands netcat, nc and ncat are aliases to ncat.

So I will show you the ncat version of nc:

Here we connect, but use a pipe to send the "HEAD /" directly and get the response from the server:

$ echo HEAD / | ncat www.orf.at 80
HTTP/1.1 400 Bad Request
Date: Sun, 29 Mar 2020 19:42:34 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
...

With nc, netcat, ncat we can also create a listen socket:

$ ncat -4 -l 1234

The above opens a listen socket on port 1234 (for IPv4 only). If we want to connect to this service we can open a telnet connection in another terminal window:

$ telnet localhost 1234

What you type here will show up in the terminal where you run the ncat command.
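The ncat -l / telnet pair above is exactly the socket() -> bind() -> listen() -> accept() sequence from the Listen Sockets section, followed by a client doing connect(). The following is an added example, not from the original page, that performs both sides in one script: run_listener plays the ncat -l role (bound to 127.0.0.1 so it is only reachable from this machine; the port number is chosen by the kernel rather than the 1234 of the text), and send_line plays the telnet role. The thread stands in for the forked child process the page describes.

```python
import socket
import threading


def run_listener(bind_addr="127.0.0.1"):
    """Server side: socket -> bind -> listen, then accept one connection in a thread.

    bind_addr "127.0.0.1" keeps the service local; "0.0.0.0" would be the wildcard
    the page describes (reachable on every interface). Returns (port, thread, result).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))             # port 0: let the kernel choose a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def handle():
        # accept() returns a NEW socket for this one connection; srv stays the
        # listen socket, which is what the main program keeps accepting on.
        conn, peer = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(1024)
                if not chunk:             # client hung up before sending a full line
                    break
                data += chunk
            result["received"] = data.decode().rstrip("\r\n")
            result["peer"] = peer[0]
            conn.sendall(b"got: " + data)
        srv.close()                       # one connection only, like `ncat -l` without --keep-open

    t = threading.Thread(target=handle, daemon=True)
    t.start()
    return port, t, result


def send_line(host, port, line):
    """Client side, what you do by hand with `telnet localhost 1234`: connect, send, read reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(line.encode() + b"\r\n")            # telnet terminates lines with CRLF
        return c.makefile("rb").readline().decode().rstrip("\r\n")


def exchange(line, bind_addr="127.0.0.1"):
    """Run both sides; returns (what the listener saw, what the client got back)."""
    port, t, result = run_listener(bind_addr)
    reply = send_line("127.0.0.1", port, line)
    t.join(timeout=5)
    return result.get("received"), reply


if __name__ == "__main__":
    print(exchange("hello from telnet"))
```

While the script is waiting in accept(), `ss -ltnp` in another terminal shows the listen socket with its 127.0.0.1 address, the same thing you see for the ncat -l command above.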

Services that use SSL

Of course, when you use telnet or netcat, nc or ncat to connect to a server port, you can only make sense of the data if it is in clear text. Even if it is not in clear text, you at least see whether you can get a connection there or not. Today, a lot of services use SSL to encrypt the connection.

The ncat tool can do SSL, e.g.:

$ ncat -v --ssl www.orf.at 443 
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: SSL connection to 194.232.104.140:443. Oesterreichischer Rundfunk
Ncat: SHA-1 fingerprint: 6548 19AB AEA8 7E06 2620 D7CE 7966 48DD 4692 CE75
^C

The -v option shows some debugging info, here the name from the certificate used by the other side and the SHA-1 fingerprint of that certificate.
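The fingerprint that ncat -v prints is simply a hash over the server certificate, and it is the value you would compare against a known-good one to notice an unexpected certificate on a port. The following is an added example, not from the original page: tls_peer_fingerprint does what `ncat --ssl` does (connect, perform the TLS handshake) and returns the certificate name and fingerprints, with the difference that Python's default context also verifies the certificate against the system CA store; format_fingerprint renders a digest in ncat's grouped style, and matches_pin compares a fingerprint copied from ncat output. Calling tls_peer_fingerprint needs network access; the other two functions run offline. The www.orf.at host is the one from the text.

```python
import hashlib
import socket
import ssl


def format_fingerprint(digest):
    """Render a digest the way ncat -v prints it: upper-case hex in groups of four."""
    hexstr = digest.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def tls_peer_fingerprint(host, port=443, timeout=5.0):
    """Connect with TLS like `ncat --ssl host port` and describe the leaf certificate.

    Returns (commonName, sha1 fingerprint, sha256 fingerprint). The default context
    verifies the chain and hostname; ncat --ssl does not verify unless told to.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)    # raw certificate bytes
            info = tls.getpeercert()                   # parsed fields (subject, issuer, ...)
    # 'subject' is a tuple of RDNs, each a tuple of (name, value) pairs
    subject = dict(kv for rdn in info.get("subject", ()) for kv in rdn)
    return (subject.get("commonName"),
            format_fingerprint(hashlib.sha1(der).digest()),
            format_fingerprint(hashlib.sha256(der).digest()))


def matches_pin(fingerprint, expected):
    """Compare two fingerprints ignoring spaces, colons and case (so ncat/openssl output can be pasted)."""
    def norm(s):
        return s.replace(" ", "").replace(":", "").upper()
    return norm(fingerprint) == norm(expected)


if __name__ == "__main__":
    name, sha1, sha256 = tls_peer_fingerprint("www.orf.at")
    print("certificate name:", name)
    print("SHA-1 fingerprint:  ", sha1)
    print("SHA-256 fingerprint:", sha256)
    # The SHA-1 value printed by ncat in the text above, as a pin to compare against;
    # certificates get renewed, so a mismatch today just means the server got a new one.
    print("same certificate as in the text:",
          matches_pin(sha1, "6548 19AB AEA8 7E06 2620 D7CE 7966 48DD 4692 CE75"))
```

Prefer the SHA-256 fingerprint when you record one for later comparison; SHA-1 is printed by ncat for display, not as something to rely on.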

Another tool is openssl. We will learn about that later.

Exercises

  • use netstat and/or ss to see what network connections are established and which listen sockets exist.
  • use telnet and/or netcat, ncat or nc to connect to a port of a server
  • use nc or netcat or ncat to establish a listen socket and then connect to this via another nc or telnet
  • try to connect to a random port and see if you are rejected or if the packets are dropped (long wait).
  • if you have ncat: try also an ssl port. (e.g. an https service)