How To Inspect Your Local Network

A practical guide with examples

Ines Panker
Oct 1, 2019 · 12 min read

I must concede, spying on a network (and everything and everybody on it) is just plain fun. Imagine silently typing on your keyboard, exploring a network, examining what things are there and what they are up to. How could this not be as intriguing as reading a mystery novel?


But do you know how to scan your local network? How to find its vulnerabilities?

So few of us know how to do this. How do you get a list of every open port on your computer? Or of every connection to the WiFi? This topic is often discussed on a theoretical level, but very rarely with a practical approach. That is why all talks on cybersecurity and hacking are always full to the last seat. We want to know about this, we want to learn. And yes, we absolutely do want to spy on everybody 😎

The following guide describes how to inspect your network in Linux.

We will start with ourselves

First, we have to figure out where we are: do we have a network connection? How many do we have?

To get a list of currently active network connections, we will use the very convenient command. has been replacing the command since tools became available.

will show us everything that has an IP address, a MAC address or is pretending to have one (i.e. — Virtual Ethernet Device).

To make the output more readable, we’ll add (=use colour). For ease of use, I suggest adding the alias to your environment.

How to read the above? Immediately, you can see 4 sections: , , and .

stands for localhost (archaically called loopback).

Most of you probably already know, but let’s state it clearly nevertheless: this address is used for internal testing of network services. It is implemented entirely within your computer and is not accessible from the outside (from other computers, devices, the internet).

From the 3rd line of its description (), we can see that its IP address , just as expected.

stands for wireless LAN, this is our wireless connection to our immediate network. In the 3rd line () we can see that its IP address is .

is an interesting address, it is the IP address of our computer as seen by the rest of the network. Other devices on our network see our computer as the host . But because the IP starts with we also know that this is a private network; our computer is not accessible from the internet.

Which IPs are private again and which public? The IETF standard RFC 1918 explains that IP addresses - are reserved for the private IP space and are not routable on the global internet (together with a few ranges in the and blocks).

appears only if you have a wireless interface or adapter. If your connection to a network is via a cable, then you are looking for a connection called .

If there are several wired or wireless interfaces available, all will be listed.

In the line of each section we can see the various MAC addresses of each device.

To see only the list of MAC addresses, run .

What role do Docker containers play?

Did you know or, better, did you pay attention, to the detail that every Docker install comes with a bridge network?

This is what the above is referencing.

As long as no containers are running, the bridge ’s status is .

What happens if I now start a few Docker containers and run again?

I get a section for every container. s are virtual ethernet connections. They always come in pairs: one end is created in the host’s network namespace, and the other in the network namespace of the container.

What are we showing?

The next step in our “Practical guide with examples” is to figure out what services we are exposing to others on this network. We will use .

is a great tool for network exploration and security auditing. It is also open-source and very straightforward to use.

researches which hosts are available on the network, what services those hosts offer, what OS they are running, what type of packet filtering/firewalls are in use, …

BE CAREFUL! Scanning random servers can get you in trouble!

From the above, we learned that our computer has 2 IP addresses, the localhost and the network address . Both of these represent our computer. Everything on localhost is visible only from our computer and everything on is visible to every device on this network.

The good news is that these 2 IPs do not overlap by default. What is accessible on is not by default accessible on . We have to put in extra effort to make something from our localhost visible to the network. But the bad news is that sometimes we are running services, which by default ARE visible to everybody on our network. 😨 And let us be honest, 99.99% of us are not sure which services these are.

Thus, let's ask the computer which ports are open.

What is hooked to localhost?

is truly simple to use. It does have lots of settings, but for starters (because we are scanning localhost and not spamming a random server) it is enough if we just give it an IP address.

Just a short note: scanning TCP ports ( ) is much faster than scanning UDP ports, and checking the status of just one port ( ) is vastly faster than scanning all ports.

Because it is just localhost, we’ll scan everything:

$ nmap 127.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
1010/tcp open surf
1111/tcp open lmsocialserver
1500/tcp open vlsi-lm
3306/tcp open mysql
5432/tcp open postgres
4000/tcp open remoteanything

Ok, how does one read this? Is this list too long, too short, just right? It is localhost, after all, it is not accessible to others.

Localhost or not, the rule with ports is very simple:

Keep all ports closed, except the ones you are using.
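As an added example (not part of the article), here is a small shell check that applies this rule mechanically: it pulls the open ports out of an nmap report and prints those that are missing from an allow-list of ports you intend to keep open. The allow-list and the scan text are constructed assumptions; on a real host pipe `nmap 127.0.0.1` into `open_ports` instead.

```shell
#!/bin/sh
# Added example (not from the article): compare the open ports reported by
# nmap against the ports we consciously keep open, and print the rest.

# Ports we have decided we need (assumed allow-list, space separated).
ALLOWED_PORTS="631 3306 5432"

# Read nmap's normal output on stdin and print the port number of every
# line whose STATE column starts with "open" (also catches open|filtered).
open_ports() {
    awk '$2 ~ /^open/ { split($1, p, "/"); print p[1] }'
}

# Read port numbers on stdin; print each one not in the allow-list $1.
# Exit status 1 if any unexpected port was found, 0 otherwise.
unexpected_ports() {
    allowed=" $1 "
    found=0
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;                 # expected, say nothing
            *) echo "$port"; found=1 ;;     # not on the list: report it
        esac
    done
    return $found
}

# Run the check on a constructed scan report modelled on the article's.
check_sample() {
    cat <<'EOF' | open_ports | unexpected_ports "$ALLOWED_PORTS"
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
3306/tcp open mysql
5432/tcp open postgres
EOF
}
```

The non-zero exit status makes the check usable from cron or a CI job, so a newly opened port shows up as a failure rather than being noticed months later.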

I went through the above list and instantly understood all but the first 3 ports:

To learn more about these 3 ports, we can use to enable OS detection, version detection, script scanning and traceroute, and we can limit the scan to a single port with .

$ nmap 127.0.0.1 -A -p 139
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000089s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba 4.10-Ubuntu (workgroup: ABCD)
Service Info: Host: MON
Host script results:
|_nbstat: NetBIOS name: MON, ....
| smb-os-discovery:
| OS: Windows ......
|_ System time: ....
| smb-security-mode:
| account_used: ...
| authentication_level: ...
|_ message_signing: ....
------------------snip------------------------------------

This is one way of figuring out more about these ports, a far more efficient way is to google them all 😄.

After googling these 3, I discovered that:

  • 631 is used to communicate with the printer. This makes sense since there is a printer right next to me 😌.
  • 445 is used for a Microsoft service for file sharing. And it appears that this is a horrible port to have open 😱. For a long time this port has been known as a horrendous security hole:

“As you might imagine, malicious hackers have been having a field day scanning for port 445, then easily and remotely commandeering Windows machines.”
Gibson Research Corporation

  • 139 is also used for file sharing to Windows computers. Apparently, it is not that terrifying to have this one open.

I just created some work for myself. I will have to deal with 445 and 139. Soon. There is a reason why computer administration is a full-time job.

But, I will definitely check who else has 445 open at work 🍹.

(later that week): Ha, 12 other hosts have 445 open. I guess I will have to share the knowledge and offer to explain the danger. Again, more work.

Who said knowledge is power? Knowledge is mostly work.

What are we sharing with everybody on the network?

After the 445 gave us a scare, we might have brushed it off thinking, “It is only localhost, localhost ports are most probably not really dangerous, .. I think. They are at least benign enough for me to procrastinate on closing them for a few days/months. It is the public ports, which I will concentrate on”.

So let’s see what is visible to other devices on our network.

$ nmap 10.0.0.8
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for Mon (10.0.0.8)
Host is up (0.00020s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1500/tcp open vlsi-lm
3306/tcp open mysql
8080/tcp open http-proxy
8888/tcp open sun-answerbook
9000/tcp open cslistener

Uh-oh, 💀 the dreaded 139 and 445 are open… Which makes sense, since they are meant for file sharing between computers, not between this computer and itself. This will need my attention ASAP.

But first, 😉 why are all the Docker ports visible to everybody? Ah… this is turning into a much bigger mess than anticipated.

After some googling, I learnt that by default Docker exposes ports on the IP address and not on . The address is a placeholder; its meaning is similar to that of in a regex. Saying “Expose ” means expose port 30 on all IP addresses, thus also on our network-facing .

Each time you mapped a Docker port to an outside port, you were making this port publicly accessible. Great!

So, to remedy this, I might want to update the files by explicitly binding ports to IPs. Once this is done, no longer shows Docker ports among the publicly open ports.
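An added example, not from the article, for checking this from the host itself rather than with a scan from another machine: a shell script that reads the output of `ss -ltn` and separates TCP listeners bound to every interface (0.0.0.0, *, [::]) from loopback-only ones. The `ss` lines below are constructed to mirror the Docker situation above; on a real host replace `sample_ss` with `ss -ltn`, and a port published with `-p 8080:80` instead of `-p 127.0.0.1:8080:80` shows up in the first group.

```shell
#!/bin/sh
# Added example (not from the article): audit `ss -ltn` output for TCP
# listeners that are reachable from the whole network.

# Extract "port bind-address" from the Local Address:Port column ($4).
# Handles IPv4 ("0.0.0.0:8080"), the wildcard ("*:8888") and bracketed
# IPv6 ("[::]:9000") by splitting off the text after the last colon.
split_local() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        print port, host
    }'
}

# Listeners bound to every interface: visible to all devices on the LAN.
network_exposed() {
    split_local | awk '$2 == "0.0.0.0" || $2 == "*" || $2 == "[::]" || $2 == "::"'
}

# Listeners bound to loopback only: the safe default for local services.
loopback_only() {
    split_local | awk '$2 == "127.0.0.1" || $2 == "[::1]" { print $1 }'
}

# Constructed sample of `ss -ltn` output: two local databases plus three
# Docker-style ports published without an explicit host IP.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*
LISTEN 0      4096   *:8888              *:*
LISTEN 0      4096   [::]:9000           [::]:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
EOF
}

check_sample() { sample_ss | network_exposed; }
```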

Perfect, we finally have all ports accounted for.

Now we can move on to …

Who else is here?

For starters, let’s check which WiFi network we are connected to. Let’s run :

will display a brief summary of all available wifi access points (APs). It can also be used to connect to a selected network ().

Given that we have 3 wifi networks, we should definitely scan all 3 of them. But for starters, let’s see what is on . We will use .

To see which other hosts are “up”/“live” on our network, we need to know our IP address and our subnet mask. From running the command, we got both these details: .

A quick reminder of what a subnet mask is. The IPs of all hosts in the same network start with the same bits; only the last bits are different. Our subnet mask means that the first 24 bits will be the same. Given our IP , we know that all hosts in our network will be between and ( is the network address and is used for broadcasting).
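The arithmetic above, as an added example that is not from the article: a POSIX shell function that derives the network address, broadcast address and usable host range from an IP and a prefix length. It goes slightly beyond the text in that it handles any prefix length, not only /24.

```shell
#!/bin/sh
# Added example (not from the article): subnet arithmetic in plain POSIX
# shell, so it runs anywhere `nmap` does.

# Convert a dotted quad (e.g. 10.0.0.8) to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1                     # split the quad into $1..$4 on "."
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_info IP PREFIX
# Prints: network broadcast first-host last-host usable-host-count
subnet_info() {
    ip=$(ip_to_int "$1")
    prefix=$2
    # Mask with the first $prefix bits set, truncated to 32 bits.
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    network=$(( ip & mask ))                         # host bits cleared
    broadcast=$(( network | (~mask & 4294967295) ))  # host bits set
    echo "$(int_to_ip "$network") $(int_to_ip "$broadcast")" \
         "$(int_to_ip $((network + 1))) $(int_to_ip $((broadcast - 1)))" \
         "$((broadcast - network - 1))"
}
```

For the article's address this yields `10.0.0.0 10.0.0.255 10.0.0.1 10.0.0.254 254`, i.e. 254 candidate hosts, which is why the ping scan below reports 256 addresses scanned.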

To quickly see all devices on my network, run with the option . This means will not scan the ports; it will just return a list of “live” hosts:

$ nmap -sn 10.0.0.8/24
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for _gateway (10.0.0.1)
Nmap scan report for 10.0.0.3
Nmap scan report for 10.0.0.4
Nmap scan report for 10.0.0.5
Nmap scan report for MON (10.0.0.8)
Nmap scan report for 10.0.0.9
Nmap done: 256 IP addresses (6 hosts up) scanned in 15.31 seconds

There are 6 active hosts in our network. is the gateway, the router connecting our private network to the internet. is us (our computer’s name is MON).

But who are the others?

To learn more about them we can run with:

  • , to see which services are listening on which ports,
  • , for the quickest and relatively stealthy scan,
  • , to enable OS detection,
  • , to enable OS detection and other features,
  • , to check only port 80,
  • , to scan only TCP ports (scanning TCP ports is much quicker than scanning UDP ports).

Investigating host reveals:

$ sudo nmap -sS 10.0.0.3  -A
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for 10.0.0.3
PORT STATE SERVICE VERSION
80/tcp open http GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: Range Extender
|_Requested resource was http://10.0.0.3/login.asp
MAC Address: 09:0A:XX:XX:XX (Tenda Technology)
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 20.60 seconds

Look at the line and . This host is just a WiFi range extender. A quick google search of reveals a pretty awesome Wiki page explaining that this OS is used for embedded systems, that the Mars rovers are using it, as well as the ASIMO robot and a bunch of auto manufacturers. And here I am using it to merely extend my WiFi range. This is the technology that went to Mars and I paid 40€ for the hardware, software, transportation, design,… Feels like uncovering a small jewel.

Investigating host reveals:

$ nmap -sS 10.0.0.4  -A
Starting Nmap 7.60 ( https://nmap.org ) at ...
Nmap scan report for 10.0.0.4
PORT STATE SERVICE VERSION
80/tcp open http nginx
8008/tcp open http?
8009/tcp open ssl/ajp13?
| ssl-cert: Subject: commonName=XXXXXXXXXXXXXXXXXXXXX
8443/tcp open ssl/https-alt?
9000/tcp open ssl/cslistener?
MAC Address: XXXXXXXXX (Hon Hai Precision Ind.)
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Nmap done: 1 IP address (1 host up) scanned in 187.96 seconds

This is an interesting device: it runs a full-fledged Nginx web server, and it seems to have been built by Hon Hai Precision Ind., a Taiwanese electronics contract manufacturer. Since they are a contractor, we are no closer to figuring out what device this is. The Fortinet FortiGate is a professional firewall. 3 ports are protected by SSL (the connections are encrypted).

Not knowing what this device is, is actually a happy surprise. Some people have put at least some effort into making sure this device demands a bit of know-how and effort to crack.

After checking manually, it turns out it is the TV.

Checking was an enigma. couldn’t figure out anything. I ran it with all kinds of settings, I’ve tried out all kinds of approaches, but the main problem was that this device had all ports closed. Everything. Each and every one of them.

It should come as no surprise that a port-scanning tool isn’t good at figuring out a device, which has all its ports shut. 😅

I checked manually and it was an Android smartphone.

Last one to go! What is ?

$ nmap 10.0.0.9 -sT
Starting Nmap 7.60 ( https://nmap.org )...
Nmap scan report for 10.0.0.6
PORT STATE SERVICE
62078/tcp open iphone-sync
Nmap done: 1 IP address (1 host up) scanned in 40.79 seconds

What a surprise, this device practically introduced itself. It appears to be an iPhone, which apparently likes to sync something via this port.

Googling this port proved to be very Apple-like: lots of rumours, lots of guesses, no official explanation. From what is written about this port, it seems to be used by iTunes for data syncing over a WiFi network. I do wonder how often this syncing is happening and whether the owner of this phone knows about it.

Try nmap today

With just a few commands I was able to learn a great amount about the devices on my network. Pretty good, considering I just learned about this tool recently.

Now it is your turn, check your devices and your networks and try not to get in trouble.

Ines Panker

Written by

Software Developer by profession, Explorer by mind. The more I know, the more I understand. http://www.ines-panker.com/