Check What's Running on a Port (Linux)
Commands
1. netstat
```bash
netstat -tlnp | grep :1337   # TCP listening ports + PID/program
netstat -tunlp               # All TCP/UDP listening ports
```
3. lsof
```bash
lsof -i :1337                  # What's using port 1337
lsof -i TCP:1337               # Specific TCP port
lsof -nP -iTCP -sTCP:LISTEN    # All listening TCP
```
4. fuser
5. Get process details
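```bash
# After finding PID (e.g., 1234)
ps -fp 1234                              # Process entry for that PID only
tr '\0' ' ' < /proc/1234/cmdline; echo   # Full command line (arguments are NUL-separated)
readlink /proc/1234/exe                  # Binary path (exe is a symlink; cat would dump the binary itself)
ls -la /proc/1234/                       # All process info
```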
Files Where Data is Stored
/proc/net/tcp (Active TCP connections)
- Format: `local_address:port` in hex
- Example: `0100007F:0539` = `127.0.0.1:1337` (0x0539 = 1337)
Decode:
```bash
# Port 1337 = 0x539
printf "%d\n" 0x539
# IP in hex (little-endian)
# 0100007F = 7F.00.00.01 = 127.0.0.1
```
/proc/net/tcp6 (IPv6)
/proc/PID/ (Per-process info)
```bash
/proc/1234/cmdline   # Command + arguments (NUL-separated)
/proc/1234/exe       # Executable path (symlink)
/proc/1234/cwd       # Working directory
/proc/1234/environ   # Environment variables
/proc/1234/fd/       # Open file descriptors
/proc/1234/net/tcp   # TCP table of the process's network namespace
```
LFI Exploitation Example
If you have LFI, read these:
```bash
# Find listening ports
?file=/proc/net/tcp
# Find process details (if you know PID)
?file=/proc/1234/cmdline
?file=/proc/1234/environ
?file=/proc/self/cmdline # Current process
```
**Parse `/proc/net/tcp`:**
```
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 0100007F:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1000 0 12345
```
- `0100007F:0539` = `127.0.0.1:1337`
- `0A` = LISTEN state
- uid `1000` = user ID running the process
Find PID from inode:
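Added example (not from the original page): a Python script for local triage that decodes the `/proc/net/tcp` rows described above, keeps the LISTEN entries, and maps each socket inode to its PID by looking for `socket:[inode]` links under `/proc/PID/fd`. `SAMPLE` is constructed from the page's row, the function names are illustrative, and a little-endian host is assumed, as in the decode notes above.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (row 0 is the row shown on this page).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345
   1: 0100007F:0539 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12399
"""
TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket

def decode_addr(hex_addr):
    """'0100007F:0539' -> ('127.0.0.1', 1337)."""
    ip_hex, port_hex = hex_addr.split(":")
    # Assumption: little-endian host, so the address bytes appear reversed in the hex.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(table_text):
    """Return [(ip, port, uid, inode)] for every row in LISTEN state."""
    rows = []
    for line in table_text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(f[1])
        rows.append((ip, port, int(f[7]), int(f[9])))
    return rows

def pids_for_inode(inode, proc="/proc"):
    """PIDs with an fd linked to socket:[inode]; needs read access to /proc/PID/fd."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or not permitted to read its fd directory
            continue
        if target in links:
            pids.append(int(pid))
    return pids

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for ip, port, uid, inode in listening_sockets(fh.read()):
            print(f"{ip}:{port} uid={uid} inode={inode} pids={pids_for_inode(inode)}")
```

Run it as root to resolve sockets owned by other users; without that, those rows print an empty PID list.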
Quick Reference
| What You Need | Command |
|---|---|
| Process on specific port | `lsof -i :1337` |
| All listening ports | `ss -tlnp` |
| Process executable | `ls -la /proc/PID/exe` |
| Process command | `cat /proc/PID/cmdline` |
| Via LFI | `?file=/proc/net/tcp` |