Hey Hey,
I commented that PortQry could probably use a tutorial so I've decided to write one. I'm going to cover a few of the unique and not-so-unique features of the software. You can obtain PortQry from http://www.microsoft.com/downloads/d...displaylang=en.
Sections
- Breakdown of /? (section by section)
- Testing a Port (Troubleshooting)
- Testing a Service Set (Troubleshooting)
- Port Scanning
- Using PortQry to watch for Trojans.
- Monitoring a Service
Breakdown of /?
Code:
D:\Program Files\Support Tools>PortQry /?
PortQry version 2.0
Displays the state of TCP and UDP ports
Command line mode: portqry -n name_to_query [-options]
Interactive mode: portqry -i [-n name_to_query] [-options]
Local Mode: portqry -local | -wpid pid| -wport port [-options]
As you can see you have three options with PortQry... CLI, Interactive and Local Mode. CLI allows you to call a single command and receive the output... we'll use this while we're scripting. The Interactive Mode allows you to run a series of tests against a single node. Local mode allows you to more closely examine the PC which you are running PortQry on.
Code:
Command line mode:
portqry -n name_to_query [-p protocol] [-e || -r || -o endpoint(s)] [-q]
[-l logfile] [-sp source_port] [-sl] [-cn SNMP community name]
Command line mode options explained:
-n [name_to_query] IP address or name of system to query
-p [protocol] TCP or UDP or BOTH (default is TCP)
-e [endpoint] single port to query (valid range: 1-65535)
-r [end point range] range of ports to query (start:end)
-o [end point order] range of ports to query in an order (x,y,z)
-l [logfile] name of text log file to create
-y overwrites existing text log file without prompting
-sp [source port] initial source port to use for query
-sl 'slow link delay' waits longer for UDP replies from remote systems
-nr by-passes default IP address-to-name resolution
ignored unless an IP address is specified after -n
-cn specifies SNMP community name for query
ignored unless querying an SNMP port
must be delimited with !
-q 'quiet' operation runs with no output
returns 0 if port is listening
returns 1 if port is not listening
returns 2 if port is listening or filtered
Notes: PortQry runs on Windows 2000 and later systems
Defaults: TCP, port 80, no log file, slow link delay off
Hit Ctrl-c to terminate prematurely
examples:
portqry -n myserver.com -e 25
portqry -n 10.0.0.1 -e 53 -p UDP -i
portqry -n host1.dev.reskit.com -r 21:445
portqry -n 10.0.0.1 -o 25,445,1024 -p both -sp 53
portqry -n host2 -cn !my community name! -e 161 -p udp
Not a lot to explain here... you could really look this over yourself by running the command, but this way I ensure that you've read it over first... I would say note the -q option, however I've had varied success with it... otherwise it would be the ultimate scripting tool.
Code:
Interactive Mode:
Used as an alternative to command line mode
portqry -i [-options]
For help with Interactive mode options:
- run portqry.exe
- then type 'help' <enter>
example:
portqry -i -n server1 -e 135 -p both
Interactive mode allows for the same functionality as CLI mode, however it drops you into a PortQry prompt to execute the commands.
Code:
Local Mode:
Local Mode used to get detailed data on local system's ports
portqry -local | -wpid pid | -wport port [-wt seconds] [-l logfile] [-v]
Local mode options explained:
-local enumerates local port usage, port to process mapping,
service port usage, and lists loaded modules
-wport [port_number] watches specified port
reports when port's connection status changes
-wpid [process_ID] watches specified process ID (PID)
reports when PID's connection status changes
-wt [seconds] watch time option
specifies how often to check for status changes
valid range: 1 - 1200 seconds
default value is 60 seconds
-l [logfile] name of text log file to create
-v requests verbose output
Notes: PortQry runs on Windows 2000 and later systems
For best results run in context of local administrator
Port to process mapping may not be available on all systems
Hit Ctrl-c to terminate prematurely
examples:
portqry -local
portqry -local -l logfile.txt -v
portqry -wpid 1272 -wt 5 -l logfile.txt -y -v
portqry -wport 53 -l dnslog.txt
Local mode is very nice... especially on its own.. it'll tell you the mapping of processes to listening/established connections. Think of this as a mixed netstat/fport with a bit more detail. The monitoring service is also provided here which is a nice function.
Now.... on with the tutorial.
Testing a Port
Testing a port is very simple, but we might as well cover the basics rather than jump into advanced stuff and leave people floating behind. This will be done using the CLI.... here's an example of how you do it.
Code:
D:\Program Files\Support Tools>portqry -n 192.168.1.99 -e 25
Querying target system called:
192.168.1.99
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 07:52:57 +0000
As you can see this is a fairly basic example, it's actually included in the help, however now you can see the output. It resolves the address (which fails in this case... we could bypass this by simply giving the no resolve option (-nr)). We are told the service is smtp, that it's listening and the banner is returned. Nothing overly intense, just a very simple test of a port to see if a service is running or not. We'll demonstrate a complete port scan (or partial port scan) in the upcoming sections. However, first I'd like to show you something special that you can do while you are in Interactive mode.
Testing a Service Set
Something that you can do is test a complete service set. Perhaps you want to test the functionality of a mail server... You don't want to run the above command three times, you could use a port scan... but PortQry allows you to perform certain service checks (as long as they're using the standard port numbers) while in Interactive mode.
Let's take a quick look at interactive mode to understand what we can and can't do.
Code:
D:\Program Files\Support Tools>portqry -i -n 192.168.1.99 -nr
PortQry Interactive Mode
Type 'help' for a list of commands
Default Node: 192.168.1.99
Current option values:
end port= 80
protocol= TCP
source port= 0 (ephemeral)
Reverse name lookup disabled
>
This command has put us into interactive mode and specified the default node (For those interested this is a Debian host running through Cooperative Linux. The host is Windows XP SP2 @ 192.168.1.100).
Let's run the help command to see fully what our options are.
Code:
> help
Valid Commands:
===============
help or ? - display info on common commands
phelp or ?p - display list of frequently used ports
node NAME - set default node to query, NAME or IP address
query or q - send query to default node
set OPTION=value
Options:
all - display current option values
port=n - set port number to query
- set port= or set e=
sport=n - set source port number, 0=ephemeral
- set sport= or set sp=
protocol=p - set protocol used for query, TCP, UDP, or BOTH
- set protocol= or set p=
cn=string - set SNMP community name
- default is set to public
nr - toggles reverse name lookups
- enables/disables resolving node IP address to name
sl - toggles slow link delay for UDP queries
- doubles timeout period waiting for UDP responses
query shortcut - sends queries associated with shortcut
Shortcuts:
DNS - queries TCP & UDP port 53
FTP - queries TCP port 21
IMAP - queries TCP port 143
IPSEC - queries UDP port 500
ISA - queries TCP & UDP port 1745
LDAP - queries TCP & UDP port 389
L2TP - queries UDP port 1701
MAIL - queries TCP ports 25,110,143
POP3 - queries TCP port 110
RPC - queries TCP & UDP port 135
SMTP - queries TCP port 25
SNMP - queries UDP port 161
SQL - queries TCP port 1433 & UDP port 1434
TFTP - queries UDP port 69
example: q mail
As you can see there are shortcuts that will send preconfigured queries based on the ports used by different services. We'll use their example and take a look at the output of running the q mail command.
Code:
> q mail
resolving service name using local services file...
TCP port resolved to the 'smtp' service
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:04:05 +0000
>
resolving service name using local services file...
TCP port resolved to the 'pop3' service
TCP port 110 (pop3 service): NOT LISTENING
>
resolving service name using local services file...
TCP port resolved to the 'imap' service
TCP port 143 (imap service): NOT LISTENING
>
As you can see each of the ports displays either a listening or not listening state, the service name and the banner (if the port is listening). Let's take a quick look at the output from ippl (lets us see basic connection attempts to our Debian node)..
Code:
colinux:~# ippl -n
Jan 8 08:05:01 IP Protocols Logger: started.
Jan 8 08:05:07 smtp connection attempt from 192.168.1.100
Jan 8 08:05:07 pop3 connection attempt from 192.168.1.100
Jan 8 08:05:08 last message repeated 2 time(s)
Jan 8 08:05:08 imap2 connection attempt from 192.168.1.100
Jan 8 08:05:09 last message repeated 2 time(s)
Note the lines in italics... to ensure that it wasn't just a lost packet that led to the assumption that the port is not listening, PortQry will send three queries to the port..
I have followed the TCP stream in Ethereal (a screenshot is available @ http://www.aoaddicts.net/htregz/portqry/ethereal1.jpg) and the software simply sends a SYN packet to the port in question, if there's no response received then the packet is sent two more times, if a response is received, then the software will return a RST, ACK.
These are the bare bones of the software functionality... this was more to let you see the output and give you a bit of an understanding of what is happening underneath the software. Now we'll take a look at running a portscan from the software. Again basic, but we'll call it level 2 for the hell of it.
Port Scanning
We'll run the port scans from the CLI and again this is a fairly simple process.
I'll truncate this because the output is rather large, however the full log file of the scan can be seen @ http://www.aoaddicts.net/htregz/portqry/portscan.txt.
Code:
D:\Program Files\Support Tools>portqry -r 1:1024 -n 192.168.1.99 -nr -l portscan.txt
Creating log file called portscan.txt
Querying target system called:
192.168.1.99
TCP port 1 (unknown service): NOT LISTENING
TCP port 2 (unknown service): NOT LISTENING
TCP port 3 (unknown service): NOT LISTENING
TCP port 4 (unknown service): NOT LISTENING
TCP port 5 (unknown service): NOT LISTENING
TCP port 6 (unknown service): NOT LISTENING
TCP port 7 (echo service): NOT LISTENING
TCP port 8 (unknown service): NOT LISTENING
TCP port 9 (discard service): LISTENING
TCP port 10 (unknown service): NOT LISTENING
TCP port 11 (systat service): NOT LISTENING
TCP port 12 (unknown service): NOT LISTENING
TCP port 13 (daytime service): LISTENING
As you can see we told the software to scan our Debian node, ports 1 - 1024 and to not resolve the IP, we're also dumping a log file. I could have specified if I wanted TCP, UDP or BOTH using the -p option, or I could have specified a source port (-sp), however I didn't feel the need to use either of those to make an example of the port scan options. You can see that ports are identified as listening or not listening and when possible the service is named (echo, discard, systat, daytime).
In the following section, you can see that you will also obtain the banners when available.
Code:
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000
TCP port 26 (unknown service): NOT LISTENING
TCP port 27 (unknown service): NOT LISTENING
That's basically all there is to a port scan.... Nothing advanced so far, just basic functionality of the software... consider this a walk-through... Now let's see how we can use PortQry to check for Trojans, RATs, or any PhoneHome software that may be on our system.
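As an added example (written for this edit, not code from the tutorial or from PortQry), here is the log parser the -l output lends itself to: it walks the scan log line by line, keeps only the LISTENING verdicts and attaches the banner that follows each "Data returned from port:" marker. The sample log is constructed from the output above, with one UDP line added because PortQry reports a UDP port it gets no answer from as LISTENING or FILTERED, which the filter deliberately leaves out.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the -r scan / -l logfile output above; the
# UDP line is added to show the ambiguous verdict PortQry gives for UDP.
SAMPLE_SCAN_LOG = """\
Creating log file called portscan.txt
Querying target system called:
192.168.1.99
TCP port 7 (echo service): NOT LISTENING
TCP port 9 (discard service): LISTENING
TCP port 13 (daytime service): LISTENING
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000
TCP port 26 (unknown service): NOT LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
"""

# One verdict line per port, e.g. "TCP port 25 (smtp service): LISTENING"
PORT_LINE = re.compile(
    r"^(?P<proto>TCP|UDP) port (?P<port>\d+) "
    r"\((?P<service>.*?)(?: service)?\): "
    r"(?P<state>NOT LISTENING|LISTENING or FILTERED|LISTENING|FILTERED)$"
)

def parse_scan_log(text: str) -> List[Dict]:
    """One record per port verdict; banner lines that follow a
    "Data returned from port:" marker are attached to the preceding port."""
    records: List[Dict] = []
    collecting_banner = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            records.append({"proto": m["proto"], "port": int(m["port"]),
                            "service": m["service"], "state": m["state"],
                            "banner": []})
            collecting_banner = False
        elif line == "Data returned from port:" and records:
            collecting_banner = True
        elif collecting_banner and line:
            records[-1]["banner"].append(line)
    return records

def open_ports(text: str) -> List[Dict]:
    """Keep only ports seen as LISTENING; NOT LISTENING and the ambiguous
    UDP/filtered verdicts are dropped so the summary does not overstate exposure."""
    return [r for r in parse_scan_log(text) if r["state"] == "LISTENING"]

def summarise(text: str) -> List[str]:
    """Render the open ports as "TCP/25 smtp: <banner>" style lines."""
    out = []
    for r in open_ports(text):
        banner = " ".join(r["banner"]) if r["banner"] else "(no banner)"
        out.append(f"{r['proto']}/{r['port']} {r['service']}: {banner}")
    return out

if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE_SCAN_LOG)))
```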
Using PortQry to watch for Trojans.
In order to demonstrate this we'll use PortQry in local mode. A complete log of the program being executed on my PC can be found @ http://www.aoaddicts.net/htregz/portqry/local.txt. This can be useful to track down exactly which application has an established connection. Let's take a look at some of the output in the file and then examine how this can help us track down any nasty malware that's opening/using our ports.
Let's look at how it helps me break down IP communication to my PC.
First I'm given a complete statistical breakdown of protocols and states
Code:
Port Statistics
TCP mappings: 96
UDP mappings: 20
TCP ports in a LISTENING state: 11 = 11.46%
TCP ports in a SYN SENT state: 1 = 1.04%
TCP ports in a SYN RECEIVED state: 1 = 1.04%
TCP ports in a ESTABLISHED state: 57 = 59.38%
TCP ports in a FIN WAIT-1 state: 5 = 5.21%
TCP ports in a CLOSE WAIT state: 4 = 4.17%
TCP ports in a TIME WAIT state: 17 = 17.71%
I'm also given detailed breakdowns by process/process ID
Code:
======================================================
Process ID: 2164 (BitComet.exe)
Process doesn't appear to be a service
PID Port Local IP State Remote IP:Port
2164 TCP 12642 0.0.0.0 LISTENING 0.0.0.0:4155
2164 TCP 1887 192.168.1.100 ESTABLISHED 70.24.22.110:7795
2164 TCP 2076 192.168.1.100 ESTABLISHED 172.202.108.108:14218
2164 TCP 2124 192.168.1.100 ESTABLISHED 84.48.36.33:6881
2164 TCP 2140 192.168.1.100 ESTABLISHED 65.95.239.178:6881
2164 TCP 2210 192.168.1.100 ESTABLISHED 70.48.118.234:32459
2164 TCP 2287 192.168.1.100 ESTABLISHED 24.0.213.39:20002
2164 TCP 2298 192.168.1.100 ESTABLISHED 24.36.208.215:6881
2164 TCP 2305 192.168.1.100 ESTABLISHED 24.74.134.230:28100
2164 TCP 2306 192.168.1.100 ESTABLISHED 12.217.47.125:6882
2164 TCP 2309 192.168.1.100 ESTABLISHED 64.81.136.203:43212
2164 TCP 2310 192.168.1.100 ESTABLISHED 82.24.44.72:6881
2164 TCP 2311 192.168.1.100 ESTABLISHED 24.70.130.26:49200
2164 TCP 2319 192.168.1.100 ESTABLISHED 71.195.85.249:6881
2164 TCP 2322 192.168.1.100 ESTABLISHED 24.5.230.153:21345
2164 TCP 2323 192.168.1.100 ESTABLISHED 24.87.73.13:6881
2164 TCP 2325 192.168.1.100 ESTABLISHED 24.37.43.204:6881
2164 TCP 2326 192.168.1.100 ESTABLISHED 62.131.87.190:51015
2164 TCP 2327 192.168.1.100 ESTABLISHED 68.107.65.68:16151
2164 TCP 2331 192.168.1.100 ESTABLISHED 24.0.238.181:6881
2164 TCP 2333 192.168.1.100 ESTABLISHED 64.231.136.17:32250
2164 TCP 2338 192.168.1.100 ESTABLISHED 145.94.79.173:6346
2164 TCP 2339 192.168.1.100 ESTABLISHED 24.68.15.196:6881
2164 TCP 2343 192.168.1.100 ESTABLISHED 84.48.83.59:49152
2164 TCP 2346 192.168.1.100 ESTABLISHED 24.76.66.18:6881
2164 TCP 2347 192.168.1.100 ESTABLISHED 81.79.130.230:10810
2164 TCP 2355 192.168.1.100 ESTABLISHED 24.180.216.170:65500
2164 TCP 2412 192.168.1.100 ESTABLISHED 142.166.201.31:22628
2164 TCP 2439 192.168.1.100 ESTABLISHED 12.210.9.136:6881
2164 TCP 2608 192.168.1.100 ESTABLISHED 59.167.61.87:6881
2164 TCP 2609 192.168.1.100 FIN WAIT-1 82.39.210.171:6881
2164 TCP 12642 192.168.1.100 ESTABLISHED 12.208.111.144:2387
2164 TCP 12642 192.168.1.100 FIN WAIT-1 12.216.165.127:4269
2164 TCP 12642 192.168.1.100 ESTABLISHED 12.221.46.141:3428
2164 TCP 12642 192.168.1.100 ESTABLISHED 24.43.107.37:1816
2164 TCP 12642 192.168.1.100 ESTABLISHED 24.43.107.37:1962
2164 TCP 12642 192.168.1.100 ESTABLISHED 24.84.208.190:4291
2164 TCP 12642 192.168.1.100 ESTABLISHED 24.87.12.178:4480
2164 TCP 12642 192.168.1.100 ESTABLISHED 24.171.1.44:32937
2164 TCP 12642 192.168.1.100 ESTABLISHED 65.43.221.86:4183
2164 TCP 12642 192.168.1.100 ESTABLISHED 69.193.226.114:4894
2164 TCP 12642 192.168.1.100 ESTABLISHED 69.194.43.235:61264
2164 TCP 12642 192.168.1.100 ESTABLISHED 70.27.71.95:4062
2164 TCP 12642 192.168.1.100 ESTABLISHED 70.29.248.247:3846
2164 TCP 12642 192.168.1.100 FIN WAIT-1 70.30.118.53:3451
2164 TCP 12642 192.168.1.100 ESTABLISHED 70.31.152.69:4685
2164 TCP 12642 192.168.1.100 FIN WAIT-1 70.231.164.158:1748
2164 TCP 12642 192.168.1.100 ESTABLISHED 70.244.245.131:4280
2164 TCP 12642 192.168.1.100 ESTABLISHED 72.38.228.89:61081
2164 TCP 12642 192.168.1.100 ESTABLISHED 72.38.231.205:4342
2164 TCP 12642 192.168.1.100 ESTABLISHED 72.38.231.205:4684
2164 TCP 12642 192.168.1.100 ESTABLISHED 72.38.231.205:4890
2164 TCP 12642 192.168.1.100 FIN WAIT-1 81.77.84.204:3537
2164 TCP 12642 192.168.1.100 ESTABLISHED 82.37.184.78:2728
2164 TCP 12642 192.168.1.100 ESTABLISHED 83.18.144.10:1624
2164 TCP 12642 192.168.1.100 ESTABLISHED 154.5.31.84:1994
2164 TCP 12642 192.168.1.100 SYN RECEIVED 219.79.204.244:4597
2164 UDP 12642 0.0.0.0 *:*
======================================================
As you can see I'm connected to a large number of hosts for the file that I'm downloading through Bit Torrent... but if I saw a weird IP showing up that I didn't know, I could simply check this list and see if it was someone that was connecting because of my current torrent downloads. The process is identified, as is the process ID, and then all the connections and their current states.
Let's look at what this will do for us with services as well. We'll use one of the running copies of svchost and look at how it helps us break it down.
Code:
Process ID: 1076 (svchost.exe)
Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services
Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services
PID Port Local IP State Remote IP:Port
1076 TCP 3389 0.0.0.0 LISTENING 0.0.0.0:2144
As you can see we get the Name and Type of each service... so we can see which services are running themselves inside svchost. TermService also opens up a port (3389), we also see that it is listening... all in one nice neat chart.
Now let's go on to malware detection. I'm going to use netcat in this case to open the ports for testing purposes... but I think you already know where this is going. You can view the logfile with my 'malware' running @ http://www.aoaddicts.net/htregz/port...al-malware.txt
As you can easily see... an application that I was previously unaware of has opened a port on my PC and is listening for connections.
Code:
======================================================
Process ID: 2980 (nc.exe)
Process doesn't appear to be a service
PID Port Local IP State Remote IP:Port
2980 TCP 666 0.0.0.0 LISTENING 0.0.0.0:2080
======================================================
This is one of the best features of PortQry in my opinion... This could be handy if installed on each machine on a domain in conjunction with pstools (or in a script) to check the current port activity on end-user machines.
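An added example (not code from the tutorial) of the baseline check this section is getting at, in Python: it parses the -local process blocks into PID, image name, hosted service names and mapping rows, then reports every listening TCP or bound UDP socket owned by an image that is not on an approved list. The sample log is constructed from the blocks shown above; the baseline set is an assumption you would build from a known-clean run of the same machine.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample stitched from the -local blocks shown above (svchost,
# BitComet trimmed to a few rows, and the nc.exe listener); not a real log.
SAMPLE_LOCAL_LOG = """\
Process ID: 1076 (svchost.exe)
Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services
Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services
PID  Port  Local IP  State  Remote IP:Port
1076 TCP 3389 0.0.0.0 LISTENING 0.0.0.0:2144
======================================================
Process ID: 2164 (BitComet.exe)
Process doesn't appear to be a service
PID  Port  Local IP  State  Remote IP:Port
2164 TCP 12642 0.0.0.0 LISTENING 0.0.0.0:4155
2164 TCP 1887 192.168.1.100 ESTABLISHED 70.24.22.110:7795
2164 TCP 2609 192.168.1.100 FIN WAIT-1 82.39.210.171:6881
2164 UDP 12642 0.0.0.0 *:*
======================================================
Process ID: 2980 (nc.exe)
Process doesn't appear to be a service
PID  Port  Local IP  State  Remote IP:Port
2980 TCP 666 0.0.0.0 LISTENING 0.0.0.0:2080
"""

def parse_local_log(text: str) -> List[Dict]:
    """One record per process block: PID, image name, the service names it
    hosts (empty for a plain process) and its port-mapping rows."""
    procs: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process ID: "):
            pid, _, image = line[len("Process ID: "):].partition(" (")
            procs.append({"pid": int(pid), "image": image.rstrip(")"),
                          "services": [], "connections": []})
        elif procs and line.startswith("Service Name: "):
            procs[-1]["services"].append(line[len("Service Name: "):])
        elif procs:
            tokens = line.split()
            # Row layout: PID proto port local-ip [state words] remote. UDP rows
            # carry no state; TCP states like "FIN WAIT-1" are two tokens.
            if len(tokens) >= 5 and tokens[0].isdigit() and tokens[1] in ("TCP", "UDP"):
                procs[-1]["connections"].append({
                    "proto": tokens[1], "port": int(tokens[2]), "local": tokens[3],
                    "state": " ".join(tokens[4:-1]), "remote": tokens[-1]})
    return procs

def unexpected_listeners(procs: List[Dict], baseline: Set[str]) -> List[Tuple[str, int, str, int]]:
    """(image, pid, proto, port) for every listening TCP or bound UDP socket
    owned by an image that is not in the approved baseline (assumed list)."""
    approved = {b.lower() for b in baseline}
    hits = []
    for p in procs:
        if p["image"].lower() in approved:
            continue
        for c in p["connections"]:
            if c["proto"] == "UDP" or c["state"] == "LISTENING":
                hits.append((p["image"], p["pid"], c["proto"], c["port"]))
    return hits
```

Feed it the text of a real -l logfile in place of the sample and diff the result against the previous run to catch a listener that appeared since.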
Let's take a look now at the last real feature of PortQry before we move on to some of the things that we can do with it.
Monitoring a Port/Service
We can monitor local ports (or services attached to those ports) quite simply using portqry.
Code:
D:\Program Files\Support Tools>portqry -wport 25 -wt 2
PortQry Version 2.0
Watching port: 25
Checking for changes every 2 seconds
**press escape to stop watching port
============
System Date: Sun Jan 08 02:46:07 2006
PID Port Local IP State Remote IP:Port
3060 TCP 25 0.0.0.0 LISTENING 0.0.0.0:38958
Port Statistics
TCP mappings: 1
UDP mappings: 0
TCP ports in a LISTENING state: 1 = 100.00%
============
System Date: Sun Jan 08 02:46:14 2006
============
System Date: Sun Jan 08 02:46:14 2006
Specified port currently does not have any port mappings
TCP mappings: 0
UDP mappings: 0
PID Port Local IP State Remote IP:Port
Port Statistics
TCP mappings: 0
UDP mappings: 0
What I did was tell portqry to monitor port 25 on my system and keep an eye on its status (checking every 2 seconds). When I started the process, port 25 was closed.. I then proceeded to open netcat listening on port 25. The first group of italics was created as soon as it saw that the port was now listening. The second group of italics shows that the port was closed (I killed netcat) and that there's now nothing listening. In essence that's all there is to port monitoring...
There's not a lot here... just an introduction for those of you that haven't used it before.... I've got a few uses for this that I'm going to use to kill some time at work... I'm going to create a VBS Script to monitor the services on a machine and email me when they go down (perhaps SMS)... I'm also going to create a python script to parse the log files and leave only open ports... Perhaps I'll do it with VBS as well.... If I can get -q to work, I'll also create some scripts on that... I'm also working on one troubleshooting script that will run a little bit of everything and return all the results formatted.... I'll turn those all into an Advanced Tutorial on PortQry.... for now here's the basics..
Peace,
HT