I commented that PortQry could probably use a tutorial so I've decided to write one. I'm going to cover a few of the unique and not-so-unique features of the software. You can obtain PortQry from http://www.microsoft.com/downloads/d...displaylang=en.
Sections
- Breakdown of /? (section by section)
- Testing a Port (Troubleshooting)
- Testing a Service Set (Troubleshooting)
- Port Scanning
- Using PortQry to watch for Trojans.
- Monitoring a Service
Breakdown of /?
Code:
D:\Program Files\Support Tools>PortQry /?
PortQry version 2.0
Displays the state of TCP and UDP ports
Command line mode: portqry -n name_to_query [-options]
Interactive mode: portqry -i [-n name_to_query] [-options]
Local Mode: portqry -local | -wpid pid| -wport port [-options]
As you can see you have three options with PortQry... command line (CLI), Interactive and Local Mode. CLI lets you call a single command and receive the output... we'll use this while we're scripting. Interactive Mode lets you run a series of tests against a single node. Local Mode lets you examine more closely the PC on which you are running PortQry.
Command line mode options explained:
-n [name_to_query] IP address or name of system to query
-p [protocol] TCP or UDP or BOTH (default is TCP)
-e [endpoint] single port to query (valid range: 1-65535)
-r [end point range] range of ports to query (start:end)
-o [end point order] range of ports to query in an order (x,y,z)
-l [logfile] name of text log file to create
-y overwrites existing text log file without prompting
-sp [source port] initial source port to use for query
-sl 'slow link delay' waits longer for UDP replies from remote systems
-nr by-passes default IP address-to-name resolution
ignored unless an IP address is specified after -n
-cn specifies SNMP community name for query
ignored unless querying an SNMP port
must be delimited with !
-q 'quiet' operation runs with no output
returns 0 if port is listening
returns 1 if port is not listening
returns 2 if port is listening or filtered
Notes: PortQry runs on Windows 2000 and later systems
Defaults: TCP, port 80, no log file, slow link delay off
Hit Ctrl-c to terminate prematurely
Not a lot to explain here... you could really look this over yourself by running the command, but this way I ensure that you've read it over first... I would say note the -q option, however I've had varied success with it... otherwise it would be the ultimate scripting tool.
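Since the -q exit codes (0, 1, 2) are what make PortQry usable from a script, here is an added example, not from the original post, of a small Python wrapper that runs portqry in quiet mode against a whole set of ports and turns the exit codes into states. It assumes portqry.exe is on the PATH and that -q actually returns the documented codes; the port sets mirror the interactive-mode shortcuts (MAIL, DNS, SQL). The `run` parameter is only there so the logic can be exercised with a fake runner where portqry is not installed.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# Exit codes as documented in the -q section of "portqry /?".
EXIT_STATES: Dict[int, str] = {
    0: "LISTENING",
    1: "NOT LISTENING",
    2: "LISTENING OR FILTERED",
}

# Same port sets as the interactive-mode shortcuts (assumed, taken from phelp).
SERVICE_SETS: Dict[str, List[Tuple[str, int]]] = {
    "MAIL": [("TCP", 25), ("TCP", 110), ("TCP", 143)],
    "DNS": [("TCP", 53), ("UDP", 53)],
    "SQL": [("TCP", 1433), ("UDP", 1434)],
}


def portqry_exit_code(host: str, proto: str, port: int) -> int:
    """Run portqry.exe quietly against one port and return its exit code.

    Assumes portqry is on the PATH. One protocol per call, because with
    -p both a single exit code could not say which of the two answered.
    -nr only takes effect when host is an IP address; it skips the reverse
    lookup so a failing DNS server cannot slow the check down.
    """
    cmd = ["portqry", "-n", host, "-e", str(port), "-p", proto, "-nr", "-q"]
    proc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def check_service_set(host: str, set_name: str,
                      run: Callable[[str, str, int], int] = portqry_exit_code
                      ) -> List[Tuple[str, int, str]]:
    """Query every port in a named set and map each exit code to a state."""
    results = []
    for proto, port in SERVICE_SETS[set_name]:
        code = run(host, proto, port)
        results.append((proto, port, EXIT_STATES.get(code, f"UNKNOWN (exit {code})")))
    return results


def set_is_healthy(results: List[Tuple[str, int, str]]) -> bool:
    """True only when every port came back LISTENING (exit 0).

    Exit 2 is deliberately not counted as healthy: for UDP it only means no
    ICMP unreachable came back, which a firewall that silently drops the
    probe will also produce.
    """
    return all(state == "LISTENING" for _, _, state in results)


if __name__ == "__main__":
    # "debian-node" is a placeholder host name, not one from the tutorial.
    for proto, port, state in check_service_set("debian-node", "MAIL"):
        print(f"{proto} {port}: {state}")
```

In a scheduled job you would call `set_is_healthy` on the result and raise an alert (the tutorial's e-mail or SMS idea) when it turns false; keep exit 2 visible in the report rather than collapsing it into "up".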
Code:
Interactive Mode:
Used as an alternative to command line mode
portqry -i [-options]
For help with Interactive mode options:
- run portqry.exe
- then type 'help' <enter>
example:
portqry -i -n server1 -e 135 -p both
Interactive mode allows for the same functionality as CLI mode, however it drops you into a PortQry prompt to execute the commands.
Code:
Local Mode:
Local Mode used to get detailed data on local system's ports
Local mode options explained:
-local enumerates local port usage, port to process mapping,
service port usage, and lists loaded modules
-wport [port_number] watches specified port
reports when port's connection status changes
-wpid [process_ID] watches specified process ID (PID)
reports when PID's connection status changes
-wt [seconds] watch time option
specifies how often to check for status changes
valid range: 1 - 1200 seconds
default value is 60 seconds
-l [logfile] name of text log file to create
-v requests verbose output
Notes: PortQry runs on Windows 2000 and later systems
For best results run in context of local administrator
Port to process mapping may not be available on all systems
Hit Ctrl-c to terminate prematurely
Local mode is very nice... especially on its own... it'll tell you the mapping of processes to listening/established connections. Think of this as a mixed netstat/fport with a bit more detail. The port/process monitoring function is also provided here, which is a nice feature.
Now.... on with the tutorial.
Testing a Port
Testing a port is very simple, but we might as well cover the basics rather than jump into the advanced stuff and leave people behind. This will be done using the CLI... here's an example of how you do it.
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 07:52:57 +0000
As you can see this is a fairly basic example; it's actually included in the help, however now you can see the output. It resolves the address (which fails in this case... we could bypass this by simply giving the no-resolve option, -nr). We are told the service is smtp, that it's listening, and the banner is returned. Nothing overly intense, just a very simple test of a port to see if a service is running or not. We'll demonstrate a complete port scan (or partial port scan) in the upcoming sections. However, first I'd like to show you something special that you can do while you are in Interactive mode.
Testing a Service Set
Something that you can do is test a complete service set. Perhaps you want to test the functionality of a mail server... You don't want to run the above command three times, and you could use a port scan... but PortQry allows you to perform certain service checks (as long as the services are using the standard port numbers) while in Interactive mode.
Let's take a quick look at interactive mode to understand what we can and can't do.
Current option values:
end port= 80
protocol= TCP
source port= 0 (ephemeral)
Reverse name lookup disabled
>
This command has put us into interactive mode and specified the default node (for those interested, this is a Debian host running through Cooperative Linux. The host is Windows XP SP2 @ 192.168.1.100).
Let's run the help command to see fully what our options are.
Code:
> help
Valid Commands:
===============
help or ? - display info on common commands
phelp or ?p - display list of frequently used ports
node NAME - set default node to query, NAME or IP address
query or q - send query to default node
set OPTION=value
Options:
all - display current option values
port=n - set port number to query
- set port= or set e=
sport=n - set source port number, 0=ephemeral
- set sport= or set sp=
protocol=p - set protocol used for query, TCP, UDP, or BOTH
- set protocol= or set p=
cn=string - set SNMP community name
- default is set to public
nr - toggles reverse name lookups
- enables/disables resolving node IP address to name
sl - toggles slow link delay for UDP queries
- doubles timeout period waiting for UDP responses
query shortcut - sends queries associated with shortcut
Shortcuts:
DNS - queries TCP & UDP port 53
FTP - queries TCP port 21
IMAP - queries TCP port 143
IPSEC - queries UDP port 500
ISA - queries TCP & UDP port 1745
LDAP - queries TCP & UDP port 389
L2TP - queries UDP port 1701
MAIL - queries TCP ports 25,110,143
POP3 - queries TCP port 110
RPC - queries TCP & UDP port 135
SMTP - queries TCP port 25
SNMP - queries UDP port 161
SQL - queries TCP port 1433 & UDP port 1434
TFTP - queries UDP port 69
example: q mail
As you can see there are shortcuts that will send preconfigured queries based on the ports used by different services. We'll use their example and take a look at the output of running the q mail command.
Code:
> q mail
resolving service name using local services file...
TCP port resolved to the 'smtp' service
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:04:05 +0000
>
resolving service name using local services file...
TCP port resolved to the 'pop3' service
TCP port 110 (pop3 service): NOT LISTENING
>
resolving service name using local services file...
TCP port resolved to the 'imap' service
TCP port 143 (imap service): NOT LISTENING
>
As you can see each of the ports displays either a listening or not listening state, the service name and the banner (if the port is listening). Let's take a quick look at the output from ippl (it lets us see basic connection attempts to our Debian node)..
Code:
colinux:~# ippl -n
Jan 8 08:05:01 IP Protocols Logger: started.
Jan 8 08:05:07 smtp connection attempt from 192.168.1.100
Jan 8 08:05:07 pop3 connection attempt from 192.168.1.100
Jan 8 08:05:08 last message repeated 2 time(s)
Jan 8 08:05:08 imap2 connection attempt from 192.168.1.100
Jan 8 08:05:09 last message repeated 2 time(s)
Note the 'last message repeated 2 time(s)' lines... to ensure that it wasn't just a lost packet that led to the assumption that the port is not listening, PortQry sends three queries to the port..
I have followed the TCP stream in Ethereal (a screenshot is available @ http://www.aoaddicts.net/htregz/portqry/ethereal1.jpg) and the software simply sends a SYN packet to the port in question; if there's no response received then the packet is sent two more times; if a response is received, then the software will return a RST, ACK.
These are the bare bones of the software's functionality... this was more to let you see the output and give you a bit of an understanding of what is happening underneath the software. Now we'll take a look at running a port scan from the software. Again basic, but we'll call it level 2 for the hell of it.
Port Scanning
We'll run the port scans from the CLI and again this is a fairly simple process.
As you can see we told the software to scan our Debian node, ports 1 - 1024, not to resolve the IP, and to dump a log file. I could have specified whether I wanted TCP, UDP or BOTH using the -p option, or I could have specified a source port (-sp), however I didn't feel the need to use either of those to make an example of the port scan options. You can see that ports are identified as listening or not listening and when possible the service is named (echo, discard, systat, daytime).
In the following section, you can see that you also obtain the banners when available:
Code:
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000
TCP port 26 (unknown service): NOT LISTENING
TCP port 27 (unknown service): NOT LISTENING
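The scan output above is easy to reduce to just the interesting ports, which is the log-file parsing the post mentions wanting to script. The following is an added Python example, not code from the original post, that parses PortQry's per-port lines and attaches any banner printed under "Data returned from port:" to the port it belongs to. The sample text is constructed in the format shown above; the UDP line uses the "LISTENING or FILTERED" wording PortQry prints when a UDP probe gets no reply, and "FILTERED" is accepted for a dropped TCP probe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the CLI scan output shown in the post.
SAMPLE_SCAN = """\
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000
TCP port 26 (unknown service): NOT LISTENING
TCP port 110 (pop3 service): NOT LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
"""

# One result line: "<proto> port <n> (<name> service): <state>"
PORT_LINE = re.compile(
    r"^(?P<proto>TCP|UDP) port (?P<port>\d+) \((?P<svc>[^)]*)\): "
    r"(?P<state>NOT LISTENING|LISTENING or FILTERED|LISTENING|FILTERED)\s*$"
)


def parse_scan(text: str) -> List[Dict]:
    """Turn PortQry scan output into one record per port.

    Banner lines that follow 'Data returned from port:' are attached to the
    port line above them; the banner ends at a blank line, at the next port
    line, or at an interactive-mode prompt/'resolving ...' line.
    """
    records: List[Dict] = []
    current: Optional[Dict] = None
    in_banner = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            svc = m.group("svc").replace(" service", "").strip()
            current = {
                "proto": m.group("proto"),
                "port": int(m.group("port")),
                "service": None if svc == "unknown" else svc,
                "state": m.group("state"),
                "banner": None,
            }
            records.append(current)
            in_banner = False
        elif current is not None and line == "Data returned from port:":
            in_banner = True
        elif in_banner:
            if not line or line.startswith((">", "resolving ")):
                in_banner = False
            elif current["banner"] is None:
                current["banner"] = line
            else:
                current["banner"] += "\n" + line
    return records


def open_ports(records: List[Dict]) -> List[Tuple[str, int]]:
    """Ports worth a second look: anything not reported as NOT LISTENING.

    'FILTERED' and 'LISTENING or FILTERED' are kept on purpose: the scan
    cannot tell a silent service from a firewall dropping the probe.
    """
    return [(r["proto"], r["port"]) for r in records if r["state"] != "NOT LISTENING"]


def banners(records: List[Dict]) -> Dict[int, str]:
    """Port -> banner text for every port that returned data."""
    return {r["port"]: r["banner"] for r in records if r["banner"]}


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    for proto, port in open_ports(recs):
        print(proto, port)
```

Feed it the log file written with -l instead of the constructed sample and the same functions produce the "open ports only" view of a 1-1024 scan.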
That's basically all there is to a port scan.... Nothing advanced so far, just basic functionality of the software... consider this a walk-through... Now let's see how we can use PortQry to check for Trojans, RATs, or any PhoneHome software that may be on our system.
Using PortQry to watch for Trojans.
In order to demonstrate this we'll use PortQry in local mode. A complete log of the program being executed on my PC can be found @ http://www.aoaddicts.net/htregz/portqry/local.txt. This can be useful to track down exactly which application has an established connection. Let's take a look at some of the output in the file and then examine how this can help us track down any nasty malware that's opening/using our ports.
Let's look at how it helps me break down IP communication to my PC.
First I'm given a complete statistical breakdown of protocols and states:
Code:
Port Statistics
TCP mappings: 96
UDP mappings: 20
TCP ports in a LISTENING state: 11 = 11.46%
TCP ports in a SYN SENT state: 1 = 1.04%
TCP ports in a SYN RECEIVED state: 1 = 1.04%
TCP ports in a ESTABLISHED state: 57 = 59.38%
TCP ports in a FIN WAIT-1 state: 5 = 5.21%
TCP ports in a CLOSE WAIT state: 4 = 4.17%
TCP ports in a TIME WAIT state: 17 = 17.71%
I'm also given detailed breakdowns by process/process ID
As you can see I'm connected to a large number of hosts for the file that I'm downloading through BitTorrent... but if I saw a weird IP show up that I didn't recognise, I could simply check this list and see whether it was someone connecting because of my current torrent downloads. The process is identified, as is the process ID, and then all the connections and their current states.
Let's look at what this will do for us with services as well. We'll use one of the running copies of svchost and look at how it helps us break it down.
Code:
Process ID: 1076 (svchost.exe)
Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services
Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services
PID Port Local IP State Remote IP:Port
1076 TCP 3389 0.0.0.0 LISTENING 0.0.0.0:2144
As you can see we get the Name and Type of each service... so we can see which services are running inside svchost. TermService also opens a port (3389), and we can see that it is listening... all in one nice neat chart.
Now let's go on to malware detection. I'm going to use netcat in this case to open the ports for testing purposes... but I think you already know where this is going. You can view the logfile with my 'malware' running @ http://www.aoaddicts.net/htregz/port...al-malware.txt
As you can easily see... an application that I was previously unaware of has opened a port on my PC and is listening for connections.
This is one of the best features of PortQry in my opinion... It could be handy if installed on each machine in a domain and run in conjunction with PsTools (or from a script) to check the current port activity on end-user machines.
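The "script it across the domain" idea boils down to parsing the local-mode table and comparing it against the listeners you expect on a machine. Below is an added Python example, not from the original post, that does this. The sample text is constructed in the layout of the "portqry -local" output shown above: the svchost.exe block is the TermService example, and the nc.exe block stands in for the netcat listener the post uses as stand-in malware (192.0.2.10 and 192.168.1.77 are made-up peer addresses). The baseline set is an assumption you would build from a known-good machine.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of "portqry -local" output.
SAMPLE_LOCAL = """\
Process ID: 1076 (svchost.exe)

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

PID  Port  Local IP  State  Remote IP:Port
1076 TCP 3389 0.0.0.0 LISTENING 0.0.0.0:2144

Process ID: 3060 (nc.exe)

PID  Port  Local IP  State  Remote IP:Port
3060 TCP 25 0.0.0.0 LISTENING 0.0.0.0:38958
3060 TCP 25 192.168.1.100 ESTABLISHED 192.168.1.77:4412

Process ID: 2388 (firefox.exe)

PID  Port  Local IP  State  Remote IP:Port
2388 TCP 1054 192.168.1.100 ESTABLISHED 192.0.2.10:80
2388 TCP 1055 192.168.1.100 TIME WAIT 192.0.2.10:80
"""

PROC_LINE = re.compile(r"^Process ID: (?P<pid>\d+) \((?P<name>[^)]+)\)")


def parse_local(text: str) -> Tuple[Dict[int, str], List[Dict]]:
    """Return (pid -> process name, socket rows).

    Rows are split on whitespace and the State column is rebuilt from the
    middle tokens, because states such as 'TIME WAIT' contain a space.
    """
    names: Dict[int, str] = {}
    rows: List[Dict] = []
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if m:
            names[int(m.group("pid"))] = m.group("name")
            continue
        parts = line.split()
        if (len(parts) >= 6 and parts[0].isdigit()
                and parts[1] in ("TCP", "UDP") and parts[2].isdigit()):
            rows.append({
                "pid": int(parts[0]), "proto": parts[1], "port": int(parts[2]),
                "local": parts[3], "state": " ".join(parts[4:-1]), "remote": parts[-1],
            })
    return names, rows


def unexpected_listeners(names: Dict[int, str], rows: List[Dict],
                         baseline: Set[Tuple[str, int, str]]) -> List[Tuple]:
    """Listening sockets whose (proto, port, process) is not in the baseline.

    The process name is part of the key, so a known port reopened by an
    unfamiliar binary is still flagged.
    """
    found = []
    for r in rows:
        if r["state"] != "LISTENING":
            continue
        key = (r["proto"], r["port"], names.get(r["pid"], "?"))
        if key not in baseline:
            found.append(key + (r["pid"],))
    return found


def established_peers(names: Dict[int, str], rows: List[Dict]) -> Dict[str, List[str]]:
    """Remote addresses each process has an ESTABLISHED connection to,
    for the 'is that odd IP just my torrent client?' question above."""
    peers: Dict[str, Set[str]] = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            ip = r["remote"].rsplit(":", 1)[0]
            peers.setdefault(names.get(r["pid"], "?"), set()).add(ip)
    return {name: sorted(ips) for name, ips in sorted(peers.items())}


if __name__ == "__main__":
    names, rows = parse_local(SAMPLE_LOCAL)
    expected = {("TCP", 3389, "svchost.exe")}  # assumed baseline
    for proto, port, proc, pid in unexpected_listeners(names, rows, expected):
        print(f"unexpected listener: {proc} (pid {pid}) on {proto} {port}")
```

Run it over the -l log collected from each machine and keep one baseline per role (workstation, mail server, and so on); a listener outside the baseline is the signal the post is after, and the peer list tells you who that process is talking to.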
Let's take a look now at the last real feature of PortQry before we move on to some of the things that we can do with it.
Monitoring a Port/Service
We can monitor local ports (or services attached to those ports) quite simply using portqry.
============
System Date: Sun Jan 08 02:46:07 2006
PID Port Local IP State Remote IP:Port
3060 TCP 25 0.0.0.0 LISTENING 0.0.0.0:38958
Port Statistics
TCP mappings: 1
UDP mappings: 0
TCP ports in a LISTENING state: 1 = 100.00%
============
System Date: Sun Jan 08 02:46:14 2006
============
System Date: Sun Jan 08 02:46:14 2006
Specified port currently does not have any port mappings
TCP mappings: 0
UDP mappings: 0
PID Port Local IP State Remote IP:Port
Port Statistics
TCP mappings: 0
UDP mappings: 0
What I did was tell portqry to monitor port 25 on my system and keep an eye on its status (checking every 2 seconds). When I started the process, port 25 was closed.. I then opened netcat listening on port 25. The first block of output (the one with the LISTENING row) was created as soon as it saw that the port was now listening. The second block shows that the port was closed (I killed netcat) and that there's now nothing listening. In essence that's all there is to port monitoring...
There's not a lot here... just an introduction for those of you that haven't used it before.... I've got a few uses for this that I'm going to use to kill some time at work... I'm going to create a VBS script to monitor the services on a machine and email me when they go down (perhaps SMS)... I'm also going to create a Python script to parse the log files and leave only open ports... Perhaps I'll do it with VBS as well.... If I can get -q to work, I'll also create some scripts on that... I'm also working on one troubleshooting script that will run a little bit of everything and return all the results formatted.... I'll turn those all into an Advanced Tutorial on PortQry.... for now here's the basics..