{"id":599,"date":"2012-09-25T23:10:20","date_gmt":"2012-09-25T23:10:20","guid":{"rendered":"https:\/\/trouble.org\/?p=599"},"modified":"2012-09-25T23:10:20","modified_gmt":"2012-09-25T23:10:20","slug":"lsof-lite-iiiiii","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=599","title":{"rendered":"lsof lite (III\/III)"},"content":{"rendered":"

Finally one that looks at a process and tells you what ports its listening to.<\/p>\n

WPCM450 \/tmp]$ ps |grep ssh
\n 1263 root       4532 S   \/sbin\/sshd -g 60
\n 9730 root       9412 S   sshd: root@pts\/0    
\n10571 root       3556 R   grep ssh
\n[WPCM450 \/tmp]$ .\/lsof-net-pid.sh 1263
\nPID 1263 is listening on tcp6:22
\nPID 1263 is listening on tcp:22<\/div><\/div>\n

Small script. Vicious haxx0r sed line in there (written by someone else, obviously!)<\/p>\n

:
\n
\n#<\/span>
\n# busybox - find network ports being listened to by pid<\/span>
\n#<\/span>
\n
\nif<\/span> [<\/span> "X$1"<\/span> == "X"<\/span> ]<\/span> ; then<\/span>
\n   echo<\/span> Usage: $0<\/span> pid
\n   exit<\/span> 1<\/span>
\nfi<\/span>
\n
\npid<\/span>=$1<\/span>
\nfd<\/span>="\/proc\/$pid<\/span>\/fd"<\/span>
\n
\n# this gives inodes of sockets pid is listening to<\/span>
\ninodes<\/span>=`\/<\/span>bin\/<\/span>ls<\/span> -l<\/span> $fd<\/span> |<\/span> grep<\/span> socket: |<\/span> awk<\/span> '{print $NF}'<\/span> |<\/span> sed<\/span> -e<\/span> 's\/socket:\\[\/\/'<\/span> -e<\/span> 's\/\\]\/\/'<\/span>`<\/span>
\n
\nif<\/span> [<\/span> "X$inodes<\/span>"<\/span> == "X"<\/span> ]<\/span> ; then<\/span>
\n   echo<\/span> $pid<\/span> isn\\'<\/span>t listening to any external network ports I could find<\/span>
\n   exit<\/span> 2<\/span>
\nfi<\/span>
\n
\nfor<\/span> inode in<\/span> $inodes<\/span> ; do<\/span>
\n   # echo $inode<\/span>
\n   # check out if any matches in \/proc\/net (busybox doesn't have per pid net entries)<\/span>
\n
\n   # this line will print out something like \/proc\/net\/tcp, 00000000000000000000000000000000:0016, 4535<\/span>
\n   awk<\/span> '$10 == '<\/span>"$inode<\/span>"<\/span>' {print FILENAME, $2, $10}'<\/span> \/<\/span>proc\/<\/span>net\/<\/span>?cp<\/span>*<\/span> |<\/span> while<\/span> read<\/span> proto port inode ; do<\/span>
\n      if<\/span> [<\/span> "X$proto<\/span>"<\/span> !<\/span>= "X"<\/span> ]<\/span> ; then<\/span>
\n        echo<\/span> -n<\/span> "PID $pid<\/span> is listening on "<\/span>
\n        echo<\/span> -n<\/span> $proto<\/span> |<\/span> sed<\/span> 's@^.*net\/@@'<\/span>
\n        echo<\/span> -n<\/span> ":"<\/span>
\n      #<\/span>
\n      # more busybox hoop jumping... sometimes like ice skating with roller skates<\/span>
\n      #<\/span>
\n      # the amazing sed+ stuff courtesy of http:\/\/stackoverflow.com\/questions\/3675012\/hex-to-dec-con<\/span>
\n      #<\/span>
\n        echo<\/span> $port<\/span> |<\/span> awk<\/span> -F: '{print $2}'<\/span> |<\/span> sed<\/span> 's,\\(..\\)\\(..\\)\\(..\\)\\(..\\),\\4\\3\\2\\1,g'<\/span> |<\/span> (<\/span>read<\/span> hex; echo<\/span> $(<\/span>(<\/span> 0x${hex}<\/span> )<\/span>)<\/span>)<\/span>
\n      fi<\/span>
\n   done<\/span>
\n
\ndone<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

Finally one that looks at a process and tells you what ports its listening to. WPCM450 \/tmp]$ ps |grep ssh  1263 root       4532 S   \/sbin\/sshd -g 60  9730 root       9412 S   sshd: root@pts\/0     10571 root       3556 R   grep ssh [WPCM450 \/tmp]$ […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,154,4,6],"tags":[158,157,334,155,156],"class_list":["post-599","post","type-post","status-publish","format-standard","hentry","category-code","category-ipmi-2","category-security","category-tech","tag-bmc","tag-busybox","tag-hack","tag-lsof","tag-shell"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=599"}],"version-history":[{"count":11,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/599\/revisions"}],"predecessor-version":[{"id":618,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/599\/revisions\/618"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}