π Day 37 β Ports, Services, and Investigating Listening Processes
π― Goal
Understand how network services actually run on a system by:
- learning common ports
- identifying listening services
- mapping ports to processes
- investigating suspicious listeners
The focus today was learning through hands-on experiments, not just theory.
π What I Did
Studied Common Network Ports
I created a reference table for common ports used by important services.
| Port | Protocol | Service | Real-world usage |
|---|---|---|---|
| 22 | TCP | SSH | Remote login and server administration |
| 80 | TCP | HTTP | Standard web traffic |
| 443 | TCP | HTTPS | Encrypted web traffic |
| 53 | UDP/TCP | DNS | Domain name resolution |
| 25 | TCP | SMTP | Sending email between mail servers |
| 3389 | TCP | RDP | Remote Windows desktop access |
These ports are known as well-known ports and are widely used by standard services.
Created a Real Web Server
To understand how services work in practice, I started a simple HTTP server:
python3 -m http.server 8000
This created a web server listening on port 8000.
Using a browser, I could access:
http://localhost:8000
This demonstrated how applications open network ports to serve requests.
Identified Listening Services
I used the command:
ss -tulnp
to view active network services.
This revealed several listening ports:
| Port | Service |
|---|---|
| 22 | SSH server |
| 53 | Local DNS resolver |
| 631 | CUPS printing service |
| 8000 | Python HTTP server |
This showed how services expose themselves through open listening ports.
Investigated Network Exposure
I learned the difference between two important binding addresses:
127.0.0.1
- local-only
- only the machine itself can connect
0.0.0.0
- all network interfaces
- any reachable machine could connect
This distinction is critical when evaluating the attack surface of a system.
Simulated a Suspicious Listener
To simulate attacker behavior, I created a listener using netcat:
nc -lvnp 4444
This opened port 4444, which appeared in ss output as:
0.0.0.0:4444 users:(("nc",pid=...))
This resembles how reverse shells or backdoors often appear during incident investigations.
Investigated the Process
I identified the responsible process:
ps -p <PID> -o pid,ppid,user,command
This showed:
- the process (
nc) - the user who launched it
- the parent process (my shell)
This allowed me to reconstruct the process chain.
Contained the Listener
I simulated incident response containment by terminating the process:
kill <PID>
Then verified the port was closed:
ss -tulnp | grep 4444
No output confirmed the listener was gone.
π Key Cybersecurity Connections
This exercise demonstrated how analysts investigate suspicious services.
Typical workflow:
- Identify open ports (
ss) - Map port β process
- Trace parent process
- Determine origin
- Contain if necessary
- Verify removal
These steps are part of incident response and threat investigation.
β οΈ Challenges
At times the commands and outputs felt overwhelming.
However, running real services and investigating them directly made the concepts much clearer than simply reading about them.
Hands-on experimentation helped connect theory to real system behavior.
π What I Learned
- Network services expose functionality through ports.
- Tools like
ssreveal which programs are listening on those ports. - Ports can be bound either locally (
127.0.0.1) or globally (0.0.0.0). - Suspicious listeners can often be traced back to their originating process.
- Containment involves stopping the process and verifying the service disappears.
β‘οΈ Next Steps
Next I want to deepen my ability to:
- analyze logs for authentication activity
- detect suspicious processes automatically
- investigate network connections instead of just listening services
More realistic investigation scenarios will help build stronger analyst intuition.
πͺ Reflection
Todayβs learning was much more engaging because it involved creating and investigating real services.
Instead of just reading about networking concepts, I could see exactly how processes open ports and interact with the system.
Hands-on experimentation clearly improves understanding and retention.
𧩠Lessons Learned
What worked
Running experiments directly on the system.
What broke
Trying to remember commands without understanding their purpose.
Why it broke
Memorization alone is not effective without context.
Fix / takeaway
Focus on understanding system behavior and using tools to investigate it.
π§ Skill Progression Context
Today strengthened core skills used in security operations:
- identifying network services
- mapping ports to processes
- tracing process origins
- performing basic containment
These abilities form the foundation of host investigation and incident response in cybersecurity.