T6181: make tools for scaning ports #3940
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mkorobeinikov
requested review from
dmbaturin,
sarthurdev,
zdc,
jestabro,
c-po and
nicolas-fort
|
👍 |
show ports local <--- show opened ports on a local host show ports <HOST_IP> <--- show opened ports and services on a remote host (scan popular ports) show ports all <HOST_IP> <--- show opened ports and services on a remote host (scan all ports 1-65535)
mkorobeinikov
changed the title
dmbaturin
requested changes
Aug 7, 2024
There was a problem hiding this comment.
I have nothing against a CLI for nmap but here both the CLI design and the implementation have multiple issues that we need to address before merging.
Malicious use isn't really a concern since all logged in users have access to everything now, nmap is already in the image, and when we have the op mode daemon, we can restrict this command to admins only.
My biggest concern is where this should really go. I don't think show is a good place. We should probably think about a generic op mode word for such commands, like perform.
| <children> | ||
| <node name="local"> | ||
| <properties> | ||
| <help>show opened ports on a local host</help> |
There was a problem hiding this comment.
I don't see how this shortcut is useful. Anyone who needs port scanning also knows what 127.0.0.1 and ::1 or localhost are and they aren't long to type. More on this later.
Besides, netstat or ss is a better way to show open ports on the local machine anyway, so this use case is rare and doesn't benefit from a shortcut.
There was a problem hiding this comment.
We already have show system connections
vyos@r4:~$ show system connections
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.122.14:53 0.0.0.0:* LISTEN
tcp 0 0 100.64.0.14:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2623 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2617 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2616 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2612 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2609 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2608 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2605 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2604 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2601 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2602 0.0.0.0:* LISTEN
tcp 0 0 203.0.113.1:1194 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2002 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.122.14:22 192.168.122.1:55144 ESTABLISHED
tcp6 0 0 :::10050 :::* LISTEN
tcp6 0 0 ::1:2603 :::* LISTEN
tcp6 0 0 ::1:2606 :::* LISTEN
tcp6 0 0 ::1:2622 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:4784 0.0.0.0:*
udp 0 0 0.0.0.0:4784 0.0.0.0:*
udp 0 0 192.168.122.14:53 0.0.0.0:*
udp 0 0 100.64.0.14:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:3784 0.0.0.0:*
udp 0 0 0.0.0.0:3784 0.0.0.0:*
udp6 0 0 :::4784 :::*
udp6 0 0 :::4784 :::*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::3784 :::*
udp6 0 0 :::3784 :::*
udp6 0 0 :::3785 :::*
udp6 0 0 :::3785 :::*
raw 0 0 0.0.0.0:255 0.0.0.0:* 7
raw6 0 0 :::103 :::* 7
raw6 0 0 :::103 :::* 7
raw6 0 0 :::58 :::* 7
raw6 0 0 :::58 :::* 7
raw6 10752 0 :::58 :::* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 3433 /var/run/frr/babeld.vty
unix 2 [ ] DGRAM CONNECTED 10282
unix 2 [ ] DGRAM CONNECTED 4783
unix 3 [ ] STREAM CONNECTED 17859 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 15252
unix 3 [ ] STREAM CONNECTED 6775
unix 3 [ ] STREAM CONNECTED 7965
unix 3 [ ] STREAM CONNECTED 3303
unix 3 [ ] STREAM CONNECTED 5411 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 20847 /run/user/1003/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 20850 /run/user/1003/systemd/private
unix 3 [ ] STREAM CONNECTED 4980
unix 2 [ ] DGRAM CONNECTED 10267
unix 3 [ ] STREAM CONNECTED 15247
unix 3 [ ] STREAM CONNECTED 2735 /var/run/frr/staticd.vty
unix 2 [ ACC ] STREAM LISTENING 21536 /run/openvpn/openvpn-mgmt-intf
unix 2 [ ] DGRAM CONNECTED 6302
unix 3 [ ] STREAM CONNECTED 526 /var/run/frr/mgmtd_be.sock
unix 2 [ ] DGRAM CONNECTED 3396
unix 3 [ ] STREAM CONNECTED 15250
unix 3 [ ] STREAM CONNECTED 496 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 6551 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 7960
unix 2 [ ACC ] STREAM LISTENING 2443 /run/acpid.socket
unix 3 [ ] STREAM CONNECTED 6561
unix 3 [ ] STREAM CONNECTED 506
unix 2 [ ACC ] STREAM LISTENING 2445 /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 2447 /run/uuidd/request
unix 2 [ ] DGRAM CONNECTED 20820
unix 3 [ ] STREAM CONNECTED 15253
unix 2 [ ] DGRAM CONNECTED 20607
unix 2 [ ] DGRAM CONNECTED 4839
unix 3 [ ] DGRAM CONNECTED 7939
unix 3 [ ] STREAM CONNECTED 10364
unix 3 [ ] STREAM CONNECTED 3427
unix 3 [ ] STREAM CONNECTED 15248
unix 3 [ ] STREAM CONNECTED 6768
unix 3 [ ] STREAM CONNECTED 6558
unix 3 [ ] STREAM CONNECTED 5416 /run/systemd/journal/stdout
unix 2 [ ] DGRAM CONNECTED 519
unix 3 [ ] STREAM CONNECTED 20852
unix 3 [ ] STREAM CONNECTED 6771
unix 2 [ ] DGRAM CONNECTED 10315
unix 3 [ ] STREAM CONNECTED 6556
unix 3 [ ] STREAM CONNECTED 9837 /var/run/frr/pim6d.vty
unix 2 [ ACC ] STREAM LISTENING 504 /var/run/frr/watchfrr.vty
unix 3 [ ] STREAM CONNECTED 4977
unix 2 [ ] DGRAM CONNECTED 3413
unix 3 [ ] STREAM CONNECTED 15245
unix 3 [ ] STREAM CONNECTED 17139
unix 2 [ ] DGRAM CONNECTED 10304
unix 2 [ ACC ] STREAM LISTENING 6517 /var/run/frr/zserv.api
unix 2 [ ACC ] STREAM LISTENING 6519 /var/run/frr/zebra.vty
unix 2 [ ACC ] STREAM LISTENING 3418 /var/run/frr/mgmtd_fe.sock
unix 3 [ ] STREAM CONNECTED 4802 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 18914 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 3419 /var/run/frr/mgmtd_be.sock
unix 2 [ ] DGRAM 20615 /run/chrony/chronyd.sock
unix 2 [ ACC ] STREAM LISTENING 509 /var/run/frr/mgmtd.vty
unix 2 [ ] DGRAM CONNECTED 1442
unix 2 [ ] DGRAM CONNECTED 23110
unix 2 [ ACC ] STREAM LISTENING 2723 /var/run/frr/bgpd.vty
unix 3 [ ] STREAM CONNECTED 6555
unix 3 [ ] STREAM CONNECTED 6544
unix 3 [ ] STREAM CONNECTED 2731 /var/run/frr/ripd.vty
unix 3 [ ] STREAM CONNECTED 6536 /var/run/frr/zserv.api
unix 2 [ ACC ] STREAM LISTENING 6532 /var/run/frr/ripd.vty
unix 3 [ ] STREAM CONNECTED 6776
unix 3 [ ] DGRAM CONNECTED 10275
unix 2 [ ] DGRAM CONNECTED 3247
unix 2 [ ACC ] STREAM LISTENING 4976 /var/run/frr/ripngd.vty
unix 3 [ ] STREAM CONNECTED 4709 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 512 /var/run/frr/ospfd.vty
unix 2 [ ACC ] STREAM LISTENING 2727 /var/run/frr/ospf6d.vty
unix 2 [ ] DGRAM CONNECTED 21719
unix 2 [ ACC ] STREAM LISTENING 6543 /var/run/frr/isisd.vty
unix 2 [ ] DGRAM CONNECTED 4838
unix 3 [ ] STREAM CONNECTED 24622 /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 4979 /var/run/frr/babeld.vty
unix 3 [ ] STREAM CONNECTED 3225
unix 2 [ ACC ] STREAM LISTENING 3425 /var/run/frr/pim6d.vty
unix 3 [ ] STREAM CONNECTED 6557
unix 3 [ ] STREAM CONNECTED 6303
unix 3 [ ] DGRAM CONNECTED 4558 /run/systemd/notify
unix 2 [ ] DGRAM CONNECTED 10293
unix 2 [ ACC ] STREAM LISTENING 4561 /run/systemd/private
unix 3 [ ] DGRAM CONNECTED 20849
unix 3 [ ] STREAM CONNECTED 15244
unix 3 [ ] STREAM CONNECTED 3434 /var/run/frr/bfdd.vty
unix 2 [ ACC ] STREAM LISTENING 10366 /var/run/frr/ldpd.vty
unix 2 [ ACC ] STREAM LISTENING 525 /var/run/frr/ldpd.sock
unix 2 [ ACC ] STREAM LISTENING 4563 /run/systemd/userdb/io.systemd.DynamicUser
unix 2 [ ACC ] STREAM LISTENING 4564 /run/systemd/io.system.ManagedOOM
unix 3 [ ] STREAM CONNECTED 18957 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 1588 /var/run/frr/staticd.vty
unix 2 [ ACC ] STREAM LISTENING 6590 /var/run/frr/bfdd.sock
unix 3 [ ] STREAM CONNECTED 314
unix 2 [ ] DGRAM 4579 /run/systemd/journal/syslog
unix 2 [ ACC ] STREAM LISTENING 4991 /var/run/frr/bfdd.vty
unix 37 [ ] DGRAM CONNECTED 4580 /run/systemd/journal/dev-log
unix 3 [ ] STREAM CONNECTED 6529 /var/run/frr/zserv.api
unix 6 [ ] DGRAM CONNECTED 4582 /run/systemd/journal/socket
unix 3 [ ] STREAM CONNECTED 2724
unix 2 [ ACC ] STREAM LISTENING 4584 /run/systemd/journal/stdout
unix 2 [ ACC ] SEQPACKET LISTENING 4586 /run/udev/control
unix 3 [ ] STREAM CONNECTED 6560
unix 3 [ ] STREAM CONNECTED 23134
unix 3 [ ] STREAM CONNECTED 3435
unix 3 [ ] STREAM CONNECTED 15254
unix 3 [ ] STREAM CONNECTED 15249
unix 3 [ ] STREAM CONNECTED 3432 /var/run/frr/ospf6d.vty
unix 3 [ ] DGRAM CONNECTED 7938
unix 3 [ ] DGRAM CONNECTED 7885
unix 3 [ ] DGRAM CONNECTED 4559
unix 2 [ ACC ] STREAM LISTENING 18101 /run/pdns-recursor/pdns_recursor.controlsocket
unix 3 [ ] STREAM CONNECTED 10367
unix 3 [ ] STREAM CONNECTED 6538 /var/run/frr/zserv.api
unix 2 [ ] DGRAM CONNECTED 10906
unix 3 [ ] STREAM CONNECTED 6545 /var/run/frr/zserv.api
unix 2 [ ACC ] STREAM LISTENING 1355 /run/systemd/journal/io.systemd.journal
unix 2 [ ] DGRAM CONNECTED 6588
unix 2 [ ] DGRAM CONNECTED 1357
unix 2 [ ACC ] STREAM LISTENING 1491 /run/vyos-hostsd/vyos-hostsd.sock
unix 3 [ ] STREAM CONNECTED 5445 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 6777
unix 3 [ ] DGRAM CONNECTED 10274
unix 3 [ ] STREAM CONNECTED 15251
unix 3 [ ] STREAM CONNECTED 10373 /var/run/frr/zebra.vty
unix 3 [ ] STREAM CONNECTED 18143
unix 3 [ ] STREAM CONNECTED 3426
unix 2 [ ACC ] STREAM LISTENING 4840 /run/vyos-configd.sock
unix 2 [ ] DGRAM CONNECTED 4784
unix 3 [ ] STREAM CONNECTED 15228 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 6774
unix 2 [ ] DGRAM CONNECTED 10251
unix 3 [ ] STREAM CONNECTED 18144
unix 3 [ ] STREAM CONNECTED 3228
unix 3 [ ] STREAM CONNECTED 15242
unix 2 [ ] DGRAM CONNECTED 20718
unix 3 [ ] STREAM CONNECTED 2734 /var/run/frr/ldpd.vty
unix 2 [ ] DGRAM CONNECTED 4833
unix 3 [ ] STREAM CONNECTED 9747
unix 3 [ ] STREAM CONNECTED 6554
unix 3 [ ] STREAM CONNECTED 6767
unix 3 [ ] STREAM CONNECTED 6547 /var/run/frr/zserv.api
unix 2 [ ] DGRAM CONNECTED 10326
unix 3 [ ] STREAM CONNECTED 15255
unix 3 [ ] STREAM CONNECTED 6527 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 4801 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 4984 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 1410 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 18145 /run/api.sock
unix 2 [ ] DGRAM CONNECTED 4803
unix 3 [ ] STREAM CONNECTED 530 /var/run/frr/mgmtd.vty
unix 3 [ ] STREAM CONNECTED 2728
unix 3 [ ] STREAM CONNECTED 7871
unix 2 [ ] DGRAM CONNECTED 6566
unix 3 [ ] SEQPACKET CONNECTED 20616
unix 3 [ ] STREAM CONNECTED 4968
unix 3 [ ] STREAM CONNECTED 6772
unix 3 [ ] STREAM CONNECTED 6333
unix 3 [ ] STREAM CONNECTED 21710
unix 3 [ ] STREAM CONNECTED 20810
unix 2 [ ] DGRAM CONNECTED 20830
unix 2 [ ] DGRAM CONNECTED 18092
unix 3 [ ] STREAM CONNECTED 6773
unix 3 [ ] STREAM CONNECTED 4992
unix 3 [ ] STREAM CONNECTED 6534 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 5412
unix 3 [ ] STREAM CONNECTED 7969 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 18081
unix 3 [ ] STREAM CONNECTED 3306
unix 3 [ ] STREAM CONNECTED 10363
unix 3 [ ] STREAM CONNECTED 6559
unix 3 [ ] STREAM CONNECTED 15246
unix 3 [ ] STREAM CONNECTED 2733 /var/run/frr/isisd.vty
unix 3 [ ] STREAM CONNECTED 513
unix 2 [ ] DGRAM CONNECTED 21534
unix 3 [ ] STREAM CONNECTED 4988 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 21529
unix 3 [ ] STREAM CONNECTED 4798
unix 3 [ ] STREAM CONNECTED 5448 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 23135
unix 3 [ ] STREAM CONNECTED 7991 /run/systemd/journal/stdout
unix 3 [ ] SEQPACKET CONNECTED 20617
unix 3 [ ] STREAM CONNECTED 4986 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 6533
unix 3 [ ] STREAM CONNECTED 2732 /var/run/frr/ospfd.vty
unix 3 [ ] STREAM CONNECTED 6769
unix 2 [ ] DGRAM CONNECTED 4834
unix 3 [ ] DGRAM CONNECTED 7884
unix 2 [ ] DGRAM CONNECTED 10345
unix 2 [ ACC ] STREAM LISTENING 20744 /run/zabbix/agent.sock
unix 3 [ ] STREAM CONNECTED 222
unix 3 [ ] STREAM CONNECTED 1589
unix 3 [ ] STREAM CONNECTED 22674 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 6549 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 2725
unix 2 [ ] STREAM CONNECTED 23099
unix 2 [ ] DGRAM CONNECTED 9741
unix 2 [ ] DGRAM CONNECTED 6577
unix 3 [ ] STREAM CONNECTED 6304
unix 3 [ ] STREAM CONNECTED 6766
unix 2 [ ] DGRAM CONNECTED 7880
unix 2 [ ] DGRAM CONNECTED 4667
unix 3 [ ] DGRAM CONNECTED 20848
unix 3 [ ] STREAM CONNECTED 4999 /var/run/frr/ripngd.vty
unix 3 [ ] STREAM CONNECTED 4808 /run/systemd/journal/stdout
unix 2 [ ] DGRAM CONNECTED 17833
unix 2 [ ] DGRAM CONNECTED 21720
unix 3 [ ] STREAM CONNECTED 507
unix 2 [ ] DGRAM CONNECTED 10337
unix 3 [ ] STREAM CONNECTED 6540 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 4809 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 1590
unix 3 [ ] STREAM CONNECTED 22701
unix 3 [ ] STREAM CONNECTED 13286 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 15256
unix 3 [ ] STREAM CONNECTED 15243
unix 3 [ ] STREAM CONNECTED 3431 /var/run/frr/bgpd.vty
unix 3 [ ] STREAM CONNECTED 4993 /var/run/frr/zserv.api
unix 3 [ ] STREAM CONNECTED 6765
unix 3 [ ] STREAM CONNECTED 3436 /var/run/frr/zserv.api
unix 3 [ ] DGRAM CONNECTED 4560
unix 3 [ ] STREAM CONNECTED 22743
unix 3 [ ] STREAM CONNECTED 15215 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 3258
unix 3 [ ] STREAM CONNECTED 4799
unix 2 [ ] DGRAM 17831 /var/lib/haproxy/dev/log
unix 3 [ ] STREAM CONNECTED 6770
unix 3 [ ] STREAM CONNECTED 15241
There was a problem hiding this comment.
Yes, my point exactly. If there are reason to nmap localhost, they must be to specific and rare that a shortcut isn't useful
| @@ -0,0 +1,20 @@ | |||
| <?xml version="1.0"?> | |||
There was a problem hiding this comment.
I see no reason to split these commands in three different files. The usual reason why we split them is either that commands are unrelated or that a file is reusable. These commands are closely related and these files are not reusable.
| @@ -0,0 +1,37 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
I can't see why this script is needed. Python startup time is notoriously slow, and this script only takes one argument that could easily be appended to the base command. It doesn't provide machine-friendly op mode either (we don't have a generic "perform" or "initiate" op mode word yet).
We need to either figure out a way to make this machine-friendly and use Python or just use a shell command for the time being (I'd prefer the former).
| @@ -0,0 +1,28 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
Why use two different script files if the logic is the same, just some arguments are different?
|
|
||
| def scan_popular_ports(host): | ||
| # List of popular ports to scan | ||
| popular_ports = [ |
There was a problem hiding this comment.
Popular according to whom? I see no reason to have a special case for this. 21 (FTP) and 23 (telnet) are quite rare now, but it's beside the point. People who want specific ports can specify a list in the command argument.
c-po
changed the title
|
Guys, thanks for the comments. I'm working on fixing the code and design. |
|
Note: we do have |
|
This PR has implementation issues and it's abandoned by the author now. @natali-rs1985 will work on a new implementation, in the new |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make tools for scaning ports
show ports local <--- show opened ports on a local host
show ports <HOST_IP> <--- show opened ports and services on a remote host (scan popular ports)
show ports all <HOST_IP> <--- show opened ports and services on a remote host (scan all ports 1-65535)
for latest version 1.5
Change Summary
Types of changes
Related Task(s)
https://vyos.dev/T6181
Related PR(s)
Component(s) name
Proposed changes
How to test
To check, needs to execute the command and get the result.
show ports local <--- show opened ports on a local host
show ports <HOST_IP> <--- show opened ports and services on a remote host (scan popular ports)
show ports all <HOST_IP> <--- show opened ports and services on a remote host (scan all ports 1-65535)
Smoketest result
Checklist: