Most sysadmins know what Telnet is. Before extra powerful and protected possible choices like Secure Shell (SSH) seemed, Telnet used to be the most typical solution to get admission to far flung programs. The Telnet protocol isn’t encrypted, which is why other folks not use it to supply get admission to to a server. Instead, other folks use it to test whether or not a carrier is listening on a given port, like this: telnet $gadget $port. For instance:

$ telnet raspberrypi 8086
Trying fd22:4e39:e630:1:dea6:32ff:fef9:4748...
Connected to raspberrypi.
Escape personality is '^]'.
  
HTTP/1.1 400 Bad Request
Content-Type: textual content/undeniable; charset=utf-8
Connection: shut

400 Bad RequestConnection closed via overseas host.

Press Ctrl+D to go out the consultation or press a key to drive the server to near the relationship.

This works completely high quality, assuming you might be trying out best one carrier and one port, however what if you wish to have to accomplish computerized assessments on a big aggregate of hosts and ports? I like to let my laptop do the dull stuff for me, particularly when trying out TCP/IP elementary connectivity, like open ports.

In this newsletter, I will be able to display you the right way to carry out the next duties:

• Improve your utilization of Telnet with Expect
• Do the similar with Bash
• Use Netcat instead for TCP port take a look at
• Use Nmap to accomplish extra advanced assessments

The examples I exploit will focal point on TCP connectivity trying out slightly than UDP, which is out of scope for this newsletter.

Know what to anticipate

Expect is an extension of the programming language Tcl, which can be utilized to automate exterior processes. With Expect, you’ll be able to learn the checklist of hosts and ports from a report and use Telnet to test whether or not a TCP port is responding or now not.

Say you’ve gotten the next configuration report:

google.com 80
amazon.com 80
raspberrypi 22,9090,8086,21
dmaf5 22,80

With a bit of of Expect magic, it’s essential to automate the method the use of this script:

#!/usr/bin/env -S be expecting -f
# Poor guy TCP port scanner with Telnet and Expect
# Author: Jose Vicente Nunez <@[email protected]>
if  $argc == 0  
        send_user "Please provide the data file with machine port, one per line!"
        go out 100

set timeout 5
set f [open [lindex $argv 0]]
foreach host [split [read $f] "n"] {
    set pairs [split $host " "];
    set gadget [lindex $pairs 0]
    set ports [lindex $pairs 1]
    foreach port [split $ports ","] 
        log_user 0
        spawn /bin/telnet -e ! $gadget $port
        be expecting 
            log_user 1
            "Connection refused"  catch exp_close; exp_wait; send_user "ERROR: $machine -> $portn" 
            "Escape character is '!'."  send_user "OK: $machine -> $portn"; ship "!r" 
        
    
}
shut $f

Before working the script, be sure you have each Expect and Telnet put in.

$ sudo dnf -y set up be expecting telnet

For instance, your output may appear to be this:

$ ./tcp_port_scan.exp port_scan.csv 
OK: google.com -> 80
OK: amazon.com -> 80
OK: raspberrypi -> 22
OK: raspberrypi -> 9090
OK: raspberrypi -> 8086
ERROR: raspberrypi -> 21
OK: dmaf5 -> 22
ERROR: dmaf5 -> 80

When must you employ this kind of script? Expect is a great choice if you wish to have one thing fast, particularly if you have already got each Expect and Telnet put in on considered one of your machines.

This answer isn’t environment friendly, then again, as a result of you need to fork a telnet consultation for each and every port you wish to have to test. You additionally must account for all of the conceivable responses from the Telnet command, in addition to delicate problems like your timeout being too small (if the port is being filtered, as an example). 

[ Network getting out of control? Check out Network automation for everyone, a complimentary book from Red Hat. ]

You can do it in Bash too

Next, you may make a decision it’s OK to write down a TCP port take a look at in Bash:

#!/bin/bash -e
# Poor guy TCP port scanner with Bash
# Author: Jose Vicente Nunez <@[email protected]>
if [ -n "$1" ] && [ -f "$1" ]; then
  whilst learn -r line; do
    gadget=$(echo "$line"| /bin/lower -d' ' -f1)|| go out 100
    ports=$(echo "$line"| /bin/lower -d' ' -f2)|| go out 101
    OLD_IFS=$OLD_IFS
    IFS=","
    for port in $ports; do
      if  (echo >/dev/tcp/"$machine"/"$port") >/dev/null 2>&1; then
        echo "OK: $machine -> $port"
      else
        echo "ERROR: $machine -> $port"
      fi
    executed
    IFS=$OLD_IFS
  executed < "$1"
else
  echo "ERROR: Invalid or missing data file!"
  go out 103
fi

The natural Bash script works a lot the similar because the Expect model:

$ ./tcp_port_scan.sh port_scan.csv 
OK: google.com -> 80
OK: amazon.com -> 80
OK: raspberrypi -> 22
OK: raspberrypi -> 9090
OK: raspberrypi -> 8086
ERROR: raspberrypi -> 21
OK: dmaf5 -> 22
ERROR: dmaf5 -> 80

It is quicker than the Expect model as it does not require Telnet forking, however error dealing with is sophisticated. It additionally does not deal smartly with filtered ports.

Any different choices?

For instance, what if you wish to take a look at connectivity with a bunch this is at the back of a firewall?

[ Download a Bash shell scripting cheat sheet. ]

Use Netcat

Netcat is some other flexible program that may use proxies to connect with different machines. It additionally has a number of implementations.

For the sake of instance, suppose you wish to have to test whether or not port 22 is open on host raspberrypi.house:

$ nc -z -v -w 5 raspberrypi 22
Ncat: Version 7.93 (  )
Ncat: Connected to fd22:4e39:e630:1:dea6:32ff:fef9:4748:22.
Ncat: 0 bytes despatched, 0 bytes won in 0.06 seconds.

# Trying a closed port like 222
$ nc -z -v -w 5 raspberrypi 222
Ncat: Version 7.93 (  )
Ncat: Connection to fd22:4e39:e630:1:dea6:32ff:fef9:4748 failed: Connection refused.
Ncat: Trying subsequent cope with...
Ncat: Connection refused.

With that during thoughts, you’ll be able to automate scanning a number of hosts the use of a Netcat wrapper:

# Port take a look at with Netcat
# Author: Jose Vicente Nunez <@[email protected]>
if [ -n "$1" ] && [ -f "$1" ]; then
  whilst learn -r line; do
    gadget=$(echo "$line"| /bin/lower -d' ' -f1)|| go out 100
    ports=$(echo "$line"| /bin/lower -d' ' -f2)|| go out 101
    OLD_IFS=$OLD_IFS
    IFS=","
    for port in $ports; do
      if  /usr/bin/nc -z -v -w 5 "$machine" "$port" > /dev/null 2>&1; then
        echo "OK: $machine -> $port"
      else
        echo "ERROR: $machine -> $port"
      fi
    executed
    IFS=$OLD_IFS
  executed < "$1"
else
  echo "ERROR: Invalid or missing data file!"
  go out 103
fi

Why would you employ nc as a substitute of the former script written in Bash? There are a few causes. First, you’ll be able to use a SOCKS (protected socket) proxy to scan servers with -x. For instance, get started a SOCKS proxy like this on port 2080:

josevnz@raspberrypi:~$ ssh -f -g -D 2080 -C -q -N [email protected]

Then get admission to the servers at the back of your firewall during the proxy like this:

$ nc --proxy 192.168.1.27:2080 --proxy-type socks5 -z -v -w 5 redhat.com 80
Ncat: Version 7.93 (  )
Ncat: Connected to proxy 192.168.1.27:2080
Ncat: No authentication wanted.
Ncat: Host redhat.com can be resolved via the proxy.
Ncat: connection succeeded.
Ncat: 0 bytes despatched, 0 bytes won in 0.12 seconds.

You too can use Netcat to begin a server that can assist you take a look at elementary connectivity in the event you do not have a server at hand.

On the receiving facet, get started a server:

josevnz@raspberrypi:~$ nc -l 2080

Then at the consumer, input:

$ nc --verbose 192.168.1.27 2080
Ncat: Version 7.93 (  )
Ncat: Connected to 192.168.1.27:2080.
Hello
Hi

Now you’ll be able to write and obtain messages on either side, like a bidirectional chat. There are different options and use circumstances for nc; learn the documentation to be informed extra.

Try Nmap, the multitool of community gear

Netcat is at hand for TCP connectivity trying out, however in terms of a command-line software with a formidable array of choices, you can’t beat Nmap. Nmap provides the next grade of automation than Netcat. For instance, you’ll be able to supply an information report in a layout that Nmap understands, like this:

google.com
amazon.com
raspberrypi.house
dmaf5.house

Then you’ll be able to use Nmap to test a lot of these hosts for simply ports 80 and 443:

$ nmap -iL port_scan_nmap.csv -p80,443
Starting Nmap 7.93 (  ) at 2023-03-19 20:18 EDT
Nmap scan file for google.com (142.250.72.110)
Host is up (0.014s latency).
Other addresses for google.com (now not scanned): 2607:f8b0:4006:81c::200e
rDNS file for 142.250.72.110: lga34s32-in-f14.1e100.internet

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan file for amazon.com (54.239.28.85)
Host is up (0.019s latency).
Other addresses for amazon.com (now not scanned): 52.94.236.248 205.251.242.103

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan file for raspberrypi.house (192.168.1.27)
Host is up (0.00062s latency).
Other addresses for raspberrypi.house (now not scanned): fd22:4e39:e630:1:dea6:32ff:fef9:4748

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap scan file for dmaf5.house (192.168.1.30)
Host is up (0.00041s latency).
Other addresses for dmaf5.house (now not scanned): fd22:4e39:e630:1:67b8:6c9e:14f0:5d6c fd22:4e39:e630:1:dd80:f446:ff6c:aa4a 192.168.1.31

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

This will give you extra freedom with the IP cope with or community levels, however now not a lot selection if you wish to use other port mixtures. To maintain this, both iterate to each and every gadget and port aggregate from an exterior script after which name Nmap, or let Nmap additionally take a look at the ones nonexisting ports after which analyze the consequences:

$ nmap -iL port_scan_nmap.csv -p80,22,9090,8086,21 --open 
    -oG -| /bin/rg -v -e 'Status: Up|^#'
Host: 142.250.72.110 (lga34s32-in-f14.1e100.internet)    Ports: 80/open/tcp//http/// Ignored State: filtered (4)
Host: 205.251.242.103 (s3-console-us-standard.console.aws.amazon.com)   Ports: 80/open/tcp//http/// Ignored State: closed (4)
Host: 192.168.1.27 (raspberrypi.house)   Ports: 22/open/tcp//ssh///, 8086/open/tcp//d-s-n///, 9090/open/tcp//zeus-admin///   Ignored State: closed (2)
Host: 192.168.1.30 (dmaf5.house) Ports: 22/open/tcp//ssh///  Ignored State: closed (4)

Nmap can use SOCKS5 proxies, however now not in the way in which you may assume. Nmap distribution additionally comes with its personal model of Netcat known as ncat. Which one you need to use relies on your use case. I typically paintings with whichever model is put in.

When an open TCP socket take a look at isn’t sufficient

Just checking whether or not a TCP port is open is not going to point out whether or not a carrier is wholesome. The server is also accepting connections, but there might be extra delicate issues. For instance, you’ll be able to take a look at to look if a internet server TLS works and if the virtual certificate glance right kind:

$ sudo dnf set up -y openssl.x86_64

$ openssl s_client -tls1_2 -connect solomon.stupidzombie.com:443
CONNECTED(00000003)
intensity=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
examine go back:1
intensity=1 C = US, O = Let's Encrypt, CN = R3
examine go back:1
intensity=0 CN = solomon.stupidzombie.com
examine error:num=10:certificates has expired
notAfter=Mar 11 14:38:06 2023 GMT
examine go back:1
intensity=0 CN = solomon.stupidzombie.com
notAfter=Mar 11 14:38:06 2023 GMT
examine go back:1
---
...

In the instance above, the socket connection labored, however the SSL certificates has expired.

Here is otherwise to check the similar internet server:

$ curl --fail --verbose 
*   Trying 132.145.176.191:443...
* Connected to solomon.stupidzombie.com (132.145.176.191) port 443 (#0)
* ALPN: provides h2
* ALPN: provides http/1.1
*  CAfile: /and so forth/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hi (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hi (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental knowledge (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental knowledge (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, certificates expired (557):
* SSL certificates drawback: certificates has expired
* Closing connection 0
curl: (60) SSL certificates drawback: certificates has expired
More main points right here: 

curl failed to make sure the legitimacy of the server and due to this fact may now not
identify a protected connection to it. To be told extra about this case and
the right way to repair it, please talk over with the internet web page discussed above.

This time, curl signifies that the certificates expired. The internet server is operating as anticipated, however there’s a drawback with the virtual certificate.

Not each and every HTTP software be examined the similar approach, then again. Take a have a look at how Grafana can let you know whether it is ok or now not:

$ curl --fail --silent 
     && 
    printf "nLook, I'm OKn"

  "commit": "21c1d14e91",
  "database": "ok",
  "version": "9.3.2"

Look, I'm OK

Or an InfluxDB database:

$ curl --fail  && 
    printf "Look, I'm OK"
Look, I'm OK

Here is a pleasing wonder for you: Nmap too can name scripts to accomplish high-level assessments on programs like internet servers. The instance beneath makes use of http-fetch to fetch information from servers right through the take a look at:

$ nmap -p443 -PS443 --open --script http-fetch 
    --script-args 
    'maxpagecount=1,vacation spot=/tmp/information' 
    solomon.stupidzombie.com
Starting Nmap 7.93 (  ) at 2023-03-29 20:48 EDT
Nmap scan file for solomon.stupidzombie.com (132.145.176.191)
Host is up (0.023s latency).

PORT    STATE SERVICE
443/tcp open  https
|_http-fetch: Successfully Downloaded Everything At: /tmp/information/132.145.176.191/443/

Nmap executed: 1 IP cope with (1 host up) scanned in 0.62 seconds

$ in finding /tmp/information/132.145.176.191/443/
/tmp/information/132.145.176.191/443/
/tmp/information/132.145.176.191/443/index.html

What a couple of MySQL database or IMAP server? As you’ll be able to see, there are lots of tactics to take on this drawback.

What to be informed subsequent

• Expect is an extension of Tcl, so take a look at an academic to get conversant in what the language can do.
• Bash may also be used to do UDP assessments. This very good information can display you the way to do this and a lot more.
• Netcat and Nmap are robust gear that deserve time to be studied. You is also shocked via the selection of issues they are able to do for you but even so elementary TCP port assessments.
• Nmap may also be prolonged with Lua scripts to accomplish extra advanced assessments.
• In the case of Nmap, you’ll be able to even use scripts to check on the protocol point, now not simply opening the port.
• A Telnet consumer is probably not put in for your Linux distribution anymore, because the server is thought of as insecure, so studying different gear is a good suggestion.

You too can use programming languages to accomplish connectivity assessments, which lets you cope with extra advanced eventualities. In my subsequent article, I’ll display you the right way to use Python and Scapy to accomplish advanced packet manipulations.

[ Cheat sheet: Get a list of Linux utilities and commands for managing servers and networks. ]