View Full Version : What ports are open????



mikmik
07-18-2004, 08:12 PM
There are all sorts of warnings these days about trojans and worms opening ports on our computers.
Ports are 'software interfaces' between your computer OS and your network interface card or modem.

Here is a look at my ports just now:

4:12 PM 7/18/2004

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

F:\WINDOWS\system32>"F:\Documents and Settings\aamikmika\Desktop\openports.exe"
DiamondCS OpenPorts v1.0 (-? for help)
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
Free for personal and educational use only. See openports.txt for more details.
_______________________________________________________________________________

SYSTEM [4]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 192.168.168.103:139 0.0.0.0:0 LISTENING
UDP 192.168.168.103:137 0.0.0.0:0 LISTENING
UDP 192.168.168.103:138 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
svchost.exe [596]
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe [680]
UDP 0.0.0.0:1683 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1684 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1549 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1685 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1030 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1682 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1178 0.0.0.0:0 LISTENING
inetinfo.exe [848]
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
ccApp.exe [1412]
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING

F:\WINDOWS\system32>

I have included the url above (it shows when you run this, I will get to that) where I got the 'program'.

What you see above is my command prompt window that is included with Windows 2000 and XP. (I copied it by clicking on the little icon at the top left of the window, choosing 'edit\select all' and then doing that again using 'copy')

If you have open connections, they will show as IPs in the foreign address column. They should ALL BE 0.0.0.0, or *.* if you don't have a browser or connection to the internet open.

This example is not typical, usually the UDP ports should have *.* as the foreign address, UDP being a connectionless protocol. I am also behind a NAT router, so all my connections show as local, i.e. 192.168.xxx.xxx .

How to get this readout?

You can get the 'open ports' download from DiamondCS (makers of Sygate personal Firewall) and then run it with the command prompt. Where the heck is the command prompt at?

It is at (LOL):
start button/(All - Win XP) Programs/Accessories/Command Prompt , or you can go to 'Start/Run' and type 'cmd.exe' (no quotes) in the box and then hit 'enter' on your keyboard, or click the 'OK' button. Then you 'drag and drop' the download you got, the http://factor1.net/temp/openports.jpg thing! LOFL
Then click on the command window to focus it again, and hit your enter key. Voila.

You can get a very similar output by just opening the command prompt and typing 'netstat -an' (space between the 't' and the '-') and hit enter.

Here is what mine looks like with the connection to this post I am making open, using the 'netstat -an' command:


Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

F:\WINDOWS\system32>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2010 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2009 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2009 127.0.0.1:2010 ESTABLISHED
TCP 127.0.0.1:2010 127.0.0.1:2009 ESTABLISHED
TCP 192.168.168.103:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1030 *:*
UDP 0.0.0.0:1178 *:*
UDP 0.0.0.0:1549 *:*
UDP 0.0.0.0:1682 *:*
UDP 0.0.0.0:1683 *:*
UDP 0.0.0.0:1684 *:*
UDP 0.0.0.0:1685 *:*
UDP 127.0.0.1:1926 *:*
UDP 192.168.168.103:137 *:*
UDP 192.168.168.103:138 *:*

F:\WINDOWS\system32>

I think we could turn this into a tutorial, and a good way to learn some network and security savvy. If anyone wants to try this and post their results, we can get into deciphering the results, including how to find out what the port numbers mean (what the ports are used for) and also the processes running on our machines that are responsible for those ports being used.

It would also tie in nicely with using the 'PortScan' at this site: Shields Up! (http://www.grc.com/x/ne.dll?rh1dkyd2)

Let's have some fun, and get to know stuff!
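
An added example, not part of the original post: a small parser for 'netstat -an' output that sorts each local address by the interfaces it is bound to (0.0.0.0, 127.0.0.1 or the LAN address) and pulls out the foreign addresses of live connections. The function names are hypothetical, and the parser assumes IPv4 rows like the ones in this thread.

```python
import ipaddress
from collections import namedtuple

# Rows copied from the 'netstat -an' output posted above (IPv4 only).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2009         127.0.0.1:2010         ESTABLISHED
  TCP    192.168.168.103:139    0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1926         *:*
  UDP    192.168.168.103:137    *:*
"""

Row = namedtuple("Row", "proto addr port foreign state scope")

def scope_of(addr):
    """Say which interfaces a local bind address accepts traffic on."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:            # 0.0.0.0 = every interface
        return "all-interfaces"
    if ip.is_loopback:               # 127.x.x.x = this machine only
        return "loopback-only"
    return "single-interface"        # e.g. the LAN address

def parse_netstat(text):
    """Parse TCP/UDP rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no State
        rows.append(Row(parts[0], addr, int(port), parts[2], state, scope_of(addr)))
    return rows

def non_loopback_listeners(rows):
    """Listening sockets other machines could reach if no firewall intervenes."""
    return sorted({(r.proto, r.port) for r in rows
                   if r.scope != "loopback-only"
                   and (r.state == "LISTENING" or r.proto == "UDP")})

def remote_peers(rows):
    """Foreign addresses of TCP rows that are not plain listeners."""
    return [r.foreign for r in rows if r.proto == "TCP" and r.state != "LISTENING"]
```

Save your own output with 'netstat -an > ports.txt' and pass the file's contents to parse_netstat() in place of SAMPLE.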

dkginternet
07-22-2004, 11:42 AM
Here's what I got just using the dos prompt and netstat command with 3 browsers and mail program open:

C:\WINDOWS>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:2389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1487 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1501 0.0.0.0:0 LISTENING
TCP 10.0.0.4:2306 64.233.167.99:80 TIME_WAIT
TCP 10.0.0.4:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2389 127.0.0.1:1025 CLOSE_WAIT
TCP 127.0.0.1:1487 127.0.0.1:1025 CLOSE_WAIT
TCP 127.0.0.1:1501 127.0.0.1:1025 CLOSE_WAIT
UDP 0.0.0.0:2407 *:*
UDP 10.0.0.4:137 *:*
UDP 10.0.0.4:138 *:*
UDP 127.0.0.1:1028 *:*

C:\WINDOWS>

-------------------------------------------

I have what I think are the top security resources listed/linked at:
http://www.dkgnet.com/web_site_tools.html

Anyone heard of wpad.dat ... I've done a study on this and would like to discuss its use with someone!

mikmik
07-22-2004, 09:20 PM
Were you doing an update? Those TCP 10.0.0.4:xxxx look like Microsoft or other Timeservers, maybe a wake-on-lan?

That is very clean looking.

You also have an extremely good security resource site there, may I post it here somewhere?

I think that some general resource and reference site listings would be a great sticky to have.
wen?

DrTandem1
07-27-2004, 10:14 PM
Go to Shields Up:

https://grc.com/x/ne.dll?bh0bkyd2

colr
07-28-2004, 05:07 AM
It's perhaps worthwhile pointing out to any beginners out there, that using netstat does not take into account the fact that you may be sitting behind a firewall.

For example, your computer may report that some oddball port like 1387 is open, but if you have applied egress filtering and strict inbound rules to your firewall, then this port is not physically open to the outside Internet.

Egress filtering = stopping outbound traffic by blocking all ports except those specifically required.

Could someone clarify the following for me:

ESTABLISHED - I assume this is an established connection, on the specified port, from the local to the foreign address.

LISTENING - port on local machine listening for connections. Once a connection is requested and accepted, the status becomes ESTABLISHED.

CLOSE_WAIT - ?

TIME_WAIT - ?

Here's an interesting question also - when a connection exists between a remote and local host, are both port numbers always the same? In other words if I send a TCP connection request to a remote computer from port 45 on my machine, does it have to connect to port 45 on the remote machine, or can this differ?

This is a brain-teaser I've come across with programming Java socket connections.

Many thanks!
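
An added example, not part of the thread: one TCP connection opened over loopback, showing how each end sees the port pair (compare the 127.0.0.1:2009 / 127.0.0.1:2010 rows in the first post) and what the states asked about above correspond to. The function name and dictionary keys are hypothetical.

```python
import socket

def loopback_exchange():
    """Open one TCP connection over loopback and report both ends' view of it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    listener.listen(1)                     # netstat now shows this port LISTENING
    service_port = listener.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", service_port))  # source port is chosen by the OS
    server_side, _ = listener.accept()     # both ends are now ESTABLISHED
    server_side.settimeout(5)

    view = {
        "service_port": service_port,
        "client_local": client.getsockname()[1],
        "client_remote": client.getpeername()[1],
        "server_local": server_side.getsockname()[1],
        "server_remote": server_side.getpeername()[1],
    }

    # The client closes first. Its end finishes in TIME_WAIT, where the OS
    # holds the port pair briefly so late packets cannot confuse a new
    # connection. The server end sits in CLOSE_WAIT until the server
    # program closes its own socket.
    client.close()
    view["peer_closed"] = server_side.recv(16)   # b"" means the peer sent FIN
    server_side.close()                    # leaves CLOSE_WAIT
    listener.close()
    return view

if __name__ == "__main__":
    for name, value in loopback_exchange().items():
        print(name, value)
```

A connection is identified by the pair (local address:port, foreign address:port), and each end's local port is the other end's foreign port, so the two numbers need not match.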