Nightly Mac Port Scan for security (v9.0.2)

Today I realized I needed to check which ports were open on my Mac. It took me half an hour to find the command line utility that performs this check (it was well hidden). Then it took me another hour to design a solution that checks once each night for port changes and sends me an SMS with a tip that a change has occurred. All nightly scans are stored in a specific folder, and if three consecutive scans provide identical results then the middle one of the three is deleted.

I could have sent the details of the actual change in the SMS message, but I thought that was a little unneeded complexity. The details are easily observed in the portscans directory.

Some of the wizards on this forum may find problems or suggest improvements, but I think it's a pretty good utility, which helps you maintain security, and it's a good example of some of the usefulness of Keyboard Maestro. I intend to let this run every night on any Mac I own. I wonder what other ideas I could implement like this which may help track security issues. If you have any ideas let me know below.

Nightly Mac Port Scan for security.kmmacros (8.3 KB)

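The snapshot / diff / prune logic described in the post above, written out as an added shell example (this is not the .kmmacros macro itself, which is not reproduced here). Keyboard Maestro's "Execute Shell Script" action, cron or launchd can run `nightly`. The directory name, the date-based file naming, the `notify` hook and the `SAMPLE_LISTENERS` list are assumptions; the sample list is constructed from the process names that appear later in this thread and is only there so the logic can be run offline.

```shell
#!/bin/sh
# Added example: nightly listening-port snapshot with change detection and
# "delete the middle of three identical scans" pruning. Not the macro from
# the post; SCAN_DIR, file naming and the notify hook are assumptions.
set -u

# collect_listeners: one "command addr:port" line per listening TCP socket.
# "+c 0" asks lsof for the full command name (macOS caps +c at 15 otherwise);
# -sTCP:LISTEN keeps only listening sockets, so no grep for LISTEN is needed.
collect_listeners() {
    lsof +c 0 -nP -iTCP -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 { print $1, $9 }'
}

# normalize: stdin -> stdout. lsof escapes spaces in names as \x20 and lists a
# port twice when it is bound on both IPv4 and IPv6, so decode and dedupe
# before storing; sorting makes equal states compare byte-for-byte equal.
normalize() {
    sed 's/\\x20/ /g' | sort -u
}

# latest_snapshot DIR: path of the newest snapshot (names sort by date), or nothing.
latest_snapshot() {
    ls "$1"/*.txt 2>/dev/null | sort | tail -n 1
}

# record_scan DIR NAME: read a raw listener list on stdin, store it as
# DIR/NAME.txt and print "changed" or "unchanged" versus the previous snapshot.
record_scan() {
    dir=$1; name=$2
    mkdir -p "$dir"
    prev=$(latest_snapshot "$dir")
    normalize > "$dir/$name.txt"
    if [ -n "$prev" ] && cmp -s "$prev" "$dir/$name.txt"; then
        echo unchanged
    else
        echo changed
    fi
}

# prune_middle DIR: if the three newest snapshots are identical, delete the
# middle one; the first and last then bracket the span in which nothing changed.
# (Assumes DIR contains no spaces, since the paths are word-split.)
prune_middle() {
    dir=$1
    set -- $(ls "$dir"/*.txt 2>/dev/null | sort | tail -n 3)
    [ $# -eq 3 ] || return 0
    if cmp -s "$1" "$2" && cmp -s "$2" "$3"; then
        rm -f "$2"
    fi
}

# notify MESSAGE: hook for the SMS step; replace the printf with your gateway call.
notify() {
    printf 'Listening ports changed on %s:\n%s\n' "$(hostname)" "$1"
}

# nightly DIR: the whole job. The diff is the human-readable change record.
nightly() {
    dir=$1
    name=$(date +%Y-%m-%d)
    prev=$(latest_snapshot "$dir")
    result=$(collect_listeners | record_scan "$dir" "$name")
    if [ "$result" = changed ] && [ -n "$prev" ]; then
        notify "$(diff "$prev" "$dir/$name.txt")"
    fi
    prune_middle "$dir"
}

# Constructed sample (raw collect_listeners output) for an offline dry run.
SAMPLE_LISTENERS='rapportd *:49196
rapportd *:49196
Keyboard\x20Maestro\x20Engine *:4490
Dropbox 127.0.0.1:17600'

# demo: three identical nights, then prune; prints the surviving snapshot names.
demo() {
    d=$(mktemp -d)
    for day in 2024-01-01 2024-01-02 2024-01-03; do
        printf '%s\n' "$SAMPLE_LISTENERS" | record_scan "$d" "$day" >/dev/null
    done
    prune_middle "$d"
    ls "$d"
    rm -rf "$d"
}

# Real use: nightly "${SCAN_DIR:-$HOME/portscans}"
```

`record_scan` takes the listener list on stdin rather than calling `lsof` itself, so the same code path that runs at 3am can be exercised on a constructed list, and `normalize` is what makes "identical" mean identical: without decoding `\x20` and collapsing the IPv4/IPv6 pairs, trivial ordering differences would look like port changes.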

So I've been running this macro at 3am each night 🌃 for several days. It's pretty scary. 😱 Some unexpected ports were opened up at night. 😮 One of them was a port for a file sharing service that I have never used in my life on any computer. 😰 I'm probably paranoid 😳 but could that mean someone has tapped into my Mac? 🍎 Maybe, or maybe I'm just paranoid. 😬 I'll have to keep an eye on this. 🕵️ "They" might be watching me right now. 🤔 Good thing I have the case for my glasses perched on the top of my iMac covering the camera. 🕶️

I have a couple of other Macs in my house and I should run this macro on them to compare the results.

This is a very interesting workflow. Leveraging the built-in stroke, I haven't seen that used much, to be honest. And I am a Security Engineer by trade. Oftentimes you find stuff that can be quite concerning and yet happens to be very common.

Good work on this!

Bonjour, @Sleepy.

I've started running this macro. I got a phone error because I wasn't sure how to enter my French number, but that's not a huge deal at this point.

Last night I had 9 TCP ports that were open. Can you point me in the direction of knowing what to do with this information?

Merci,

I want to add, ports are a required function on all devices with any communication that uses the Internet Protocol.

If you open Terminal and run the command below, it will tell you which app has which port open. You can then research that app.

lsof -nP -iTCP | grep LISTEN | awk '{ print $1 "\t\t"  $9 }'

Thanks for that. I got this:

rapportd *:49196
rapportd *:49196
Keyboard *:4490
Keyboard *:4490
Keyboard *:4491
Keyboard *:4491
Dropbox *:17500
Dropbox *:17500
Dropbox 127.0.0.1:17600
Dropbox 127.0.0.1:17603
LogiMgrDa *:59866

I'm guessing that "Keyboard" refers to either "Keyboard Maestro" or "Keyboard Maestro Engine", since those are the only two that show up in Activity Monitor.

Is it possible to output the full name of the process?

Yes sir, adjust the number after +c to your liking; +cN sets the number of characters of the process name to include.

lsof +c100 -nP -iTCP | grep LISTEN | awk '{ print $1 "\t\t"  $9 }'

This one if you want to see both TCP and UDP results (UDP sockets have no LISTEN state, so the filter has to let UDP lines through rather than grepping for LISTEN alone):

lsof +c100 -nP -i | grep -E 'LISTEN|UDP' | awk '{ print $1 "\t\t\t\t" $8 "\t\t"  $9 }'

Thanks for the update.
Unfortunately, that doesn't seem to work for me:

lsof +c100 -nP -iTCP | grep LISTEN | awk '{ print $1 "\t\t" $9 }'
lsof: +c 100 > what system provides (15)
lsof 4.89
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhlnNoOPRtUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.

Ah, your system is limited to 15.

lsof +c15 -nP -iTCP | grep LISTEN | awk '{ print $1 "\t\t"  $9 }'

That should work or try

lsof +c 0 -nP -iTCP | grep LISTEN | awk '{ print $1 "\t\t"  $9 }'

I just discovered and tried using the +c 0, which means to provide all characters of the name that are available.

Here's what I got:

 lsof +c 0 -nP -iTCP | grep LISTEN | awk '{ print $1 "\t\t"  $9 }'
rapportd *:56491
rapportd *:56491
Keyboard\x20Maestro\x20Engine *:4490
Keyboard\x20Maestro\x20Engine *:4490
Keyboard\x20Maestro\x20Engine *:4491
Keyboard\x20Maestro\x20Engine *:4491
Dropbox *:17500
Dropbox *:17500
Dropbox 127.0.0.1:17600
Dropbox 127.0.0.1:17603
LogiMgrDaemon *:59866
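The question earlier in the thread was what to do with a list like the one above. What matters for security is less the port number than the address it is bound to: `*:port` means the socket is bound on every interface and is reachable from the network unless the application firewall blocks it, while `127.0.0.1:port` can only be reached by processes on the same Mac. The following is an added example, not code posted by anyone in this thread, that reads the full `lsof +c 0 -nP -i` output (header included), keeps only listening TCP sockets plus every bound UDP socket, collapses the IPv4/IPv6 double entries, decodes lsof's `\x20` escape, and tags each line with that exposure class. The `SAMPLE_LSOF` lines are constructed (the Safari line is there to show a non-listening connection being dropped); the PIDs and device numbers are made up, and `exe_path` relies on macOS `ps` printing the executable path in the `comm` column.

```shell
#!/bin/sh
# Added example, not from the thread: turn raw "lsof +c 0 -nP -i" output into
# an exposure report. Reads lsof on stdin so it can be run on a constructed sample.

# classify_listeners: stdin = lsof -i output with header.
# Prints "scope proto addr:port pid command", one line per listening socket:
#   any       bound on every interface (*, 0.0.0.0, [::]); reachable from the
#             network unless the firewall blocks it
#   loopback  bound to 127.0.0.1 / [::1]; only local processes can connect
#   address   bound to one specific interface address
# TCP sockets count only in LISTEN state; UDP sockets carry no state, so every
# bound UDP socket is reported. IPv4 and IPv6 entries for the same port collapse
# into one line because only the fields that are equal for both are printed.
classify_listeners() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }
        {
            cmd = $1; pid = $2; proto = $8; name = $9
            if (proto != "TCP" && proto != "UDP") next
            if (proto == "TCP" && $10 != "(LISTEN)") next
            gsub(/\\x20/, " ", cmd)                 # lsof escapes spaces in names
            if (name ~ /^(\*|0\.0\.0\.0|\[::\]):/)      scope = "any"
            else if (name ~ /^(127\.[0-9.]+|\[::1\]):/) scope = "loopback"
            else                                        scope = "address"
            print scope, proto, name, pid, cmd      # cmd last: it may contain spaces
        }' | sort -u
}

# network_exposed: only the sockets something else on the LAN could reach.
network_exposed() {
    classify_listeners | awk '$1 == "any"'
}

# exe_path PID: full path of the listening program. Assumption: macOS ps prints
# the executable path in "comm" (Linux prints the short name there instead).
exe_path() {
    ps -p "$1" -o comm= 2>/dev/null
}

# report: what to actually run on the Mac; one line per network-reachable socket.
report() {
    lsof +c 0 -nP -i | network_exposed | while read -r scope proto name pid cmd; do
        printf '%-4s %-22s %s (pid %s, %s)\n' "$proto" "$name" "$cmd" "$pid" "$(exe_path "$pid")"
    done
}

# Constructed sample lsof output; names borrowed from the thread, PIDs/devices invented.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    512 alice    8u  IPv4 0x1234  0t0 TCP *:49196 (LISTEN)
rapportd    512 alice    9u  IPv6 0x1235  0t0 TCP *:49196 (LISTEN)
Keyboard\x20Maestro\x20Engine 777 alice 10u IPv4 0x1236 0t0 TCP *:4490 (LISTEN)
Dropbox     901 alice   44u  IPv4 0x1237  0t0 TCP 127.0.0.1:17600 (LISTEN)
Dropbox     901 alice   45u  IPv4 0x1238  0t0 UDP *:17500
Safari      950 alice   60u  IPv4 0x1239  0t0 TCP 192.168.1.5:52000->93.184.216.34:443 (ESTABLISHED)
mDNSRespon  120 _mdns   12u  IPv4 0x1240  0t0 UDP *:5353'

# demo: classify the constructed sample instead of the live machine.
demo() {
    printf '%s\n' "$SAMPLE_LSOF" | classify_listeners
}
```

Running `demo` yields five lines: the two rapportd entries become one `any TCP *:49196` line, Dropbox's 17600 is tagged `loopback`, Dropbox's 17500 and mDNSResponder's 5353 show up as UDP even though no LISTEN appears on their lines, and the Safari connection is dropped because it is an outbound connection, not a listener. Feeding the `any` lines to `exe_path` gives the full executable path, which is the quickest way to tell a bundled macOS daemon from something unexpected.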

For anyone following this, here is the command I should have tried at the beginning to find out the parameters of this command:

man lsof

man is the command for manual; it generally provides detailed documentation of the command given as its parameter.

Awesome! I imagine those are all expected. Glad I could help