Hey Hey,

I commented that PortQry could probably use a tutorial so I've decided to write one. I'm going to cover a few of the unique and not-so-unique features of the software. You can obtain PortQry from http://www.microsoft.com/downloads/d...displaylang=en.

Sections
- Breakdown of /? (section by section)
- Testing a Port (Troubleshooting)
- Testing a Service Set (Troubleshooting)
- Port Scanning
- Using PortQry to watch for Trojans.
- Monitoring a Service


Breakdown of /?

Code:
D:\Program Files\Support Tools>PortQry /?

PortQry version 2.0

Displays the state of TCP and UDP ports


Command line mode:  portqry -n name_to_query [-options]
Interactive mode:   portqry -i [-n name_to_query] [-options]
Local Mode:         portqry -local | -wpid pid| -wport port [-options]
As you can see, you have three modes in PortQry: command line (CLI), Interactive and Local. CLI lets you run a single command and receive the output... we'll use this when we're scripting. Interactive mode lets you run a series of tests against a single node. Local mode lets you examine more closely the PC that you are running PortQry on.

Code:
Command line mode:

portqry -n name_to_query [-p protocol] [-e || -r || -o endpoint(s)] [-q]
        [-l logfile] [-sp source_port] [-sl] [-cn SNMP community name]

Command line mode options explained:
        -n [name_to_query] IP address or name of system to query
        -p [protocol] TCP or UDP or BOTH (default is TCP)
        -e [endpoint] single port to query (valid range: 1-65535)
        -r [end point range] range of ports to query (start:end)
        -o [end point order] range of ports to query in an order (x,y,z)
        -l [logfile] name of text log file to create
        -y overwrites existing text log file without prompting
        -sp [source port] initial source port to use for query
        -sl 'slow link delay' waits longer for UDP replies from remote systems
        -nr by-passes default IP address-to-name resolution
            ignored unless an IP address is specified after -n
        -cn specifies SNMP community name for query
            ignored unless querying an SNMP port
            must be delimited with !
        -q 'quiet' operation runs with no output
           returns 0 if port is listening
           returns 1 if port is not listening
           returns 2 if port is listening or filtered

Notes:  PortQry runs on Windows 2000 and later systems
        Defaults: TCP, port 80, no log file, slow link delay off
        Hit Ctrl-c to terminate prematurely

examples:
portqry -n myserver.com -e 25
portqry -n 10.0.0.1 -e 53 -p UDP -i
portqry -n host1.dev.reskit.com -r 21:445
portqry -n 10.0.0.1 -o 25,445,1024 -p both -sp 53
portqry -n host2 -cn !my community name! -e 161 -p udp
Not a lot to explain here... you could really look this over yourself by running the command, but this way I ensure that you've read it over first... I would say note the -q option, however I've had varied success with it... otherwise it would be the ultimate scripting tool.

Code:
Interactive Mode:

Used as an alternative to command line mode

portqry -i [-options]

For help with Interactive mode options:
        - run portqry.exe
        - then type 'help' <enter>

example:
portqry -i -n server1 -e 135 -p both
Interactive mode allows for the same functionality as CLI mode, however it drops you into a PortQry prompt to execute the commands.


Code:
Local Mode:

Local Mode used to get detailed data on local system's ports

portqry -local | -wpid pid | -wport port [-wt seconds] [-l logfile] [-v]

Local mode options explained:
        -local enumerates local port usage, port to process mapping,
               service port usage, and lists loaded modules

        -wport [port_number] watches specified port
               reports when port's connection status changes

        -wpid [process_ID] watches specified process ID (PID)
              reports when PID's connection status changes

        -wt [seconds] watch time option
            specifies how often to check for status changes
            valid range: 1 - 1200 seconds
            default value is 60 seconds

        -l [logfile] name of text log file to create
        -v requests verbose output

Notes:  PortQry runs on Windows 2000 and later systems
        For best results run in context of local administrator
        Port to process mapping may not be available on all systems
        Hit Ctrl-c to terminate prematurely

examples:
portqry -local
portqry -local -l logfile.txt -v
portqry -wpid 1272 -wt 5 -l logfile.txt -y -v
portqry -wport 53 -l dnslog.txt
Local mode is very nice... especially on its own.. it'll tell you the mapping of processes to listening/established connections. Think of it as a mix of netstat and fport with a bit more detail. The port-watching function is also provided here, which is a nice feature.


Now.... on with the tutorial.

Testing a Port

Testing a port is very simple, but we might as well cover the basics rather than jump into the advanced stuff and leave people behind. This will be done using the CLI.... here's an example of how you do it.

Code:
D:\Program Files\Support Tools>portqry -n 192.168.1.99 -e 25

Querying target system called:

 192.168.1.99

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 25 (smtp service): LISTENING

Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 07:52:57 +0000
As you can see this is a fairly basic example; it's actually included in the help, but now you can see the output. PortQry tries to resolve the address to a name (which fails in this case... we could skip this step by giving the no-resolve option, -nr). We are told the service is smtp, that it's listening, and the banner is returned. Nothing overly intense, just a very simple test of a port to see if a service is running or not. We'll demonstrate a complete (or partial) port scan in the upcoming sections. However, first I'd like to show you something special that you can do while you are in Interactive mode.

Testing a Service Set

Something else you can do is test a complete service set. Perhaps you want to test the functionality of a mail server... You don't want to run the above command three times, and you could use a port scan... but PortQry also allows you to perform certain service checks (as long as the services are using the standard port numbers) while in Interactive mode.

Let's take a quick look at interactive mode to understand what we can and can't do.
Code:
D:\Program Files\Support Tools>portqry -i -n 192.168.1.99 -nr

PortQry Interactive Mode

Type 'help' for a list of commands

Default Node: 192.168.1.99

Current option values:
   end port=    80
   protocol=    TCP
   source port= 0 (ephemeral)
   Reverse name lookup disabled
>
This command has put us into interactive mode and specified the default node (For those interested this is a Debian host running through Cooperative Linux. The host is Windows XP SP2 @ 192.168.1.100).

Let's run the help command to see fully what our options are.

Code:
> help

Valid Commands:
===============

help or ?       - display info on common commands
phelp or ?p     - display list of frequently used ports

node NAME       - set default node to query, NAME or IP address

query or q      - send query to default node

set OPTION=value

Options:
    all         - display current option values

    port=n      - set port number to query
                - set port= or set e=

    sport=n     - set source port number, 0=ephemeral
                - set sport= or set sp=

    protocol=p  - set protocol used for query, TCP, UDP, or BOTH
                - set protocol= or set p=

    cn=string   - set SNMP community name
                - default is set to public

    nr          - toggles reverse name lookups
                - enables/disables resolving node IP address to name

    sl          - toggles slow link delay for UDP queries
                - doubles timeout period waiting for UDP responses

query shortcut  - sends queries associated with shortcut

Shortcuts:
DNS           - queries TCP & UDP port 53
FTP           - queries TCP port 21
IMAP          - queries TCP port 143
IPSEC         - queries UDP port 500
ISA           - queries TCP & UDP port 1745
LDAP          - queries TCP & UDP port 389
L2TP          - queries UDP port 1701
MAIL          - queries TCP ports 25,110,143
POP3          - queries TCP port 110
RPC           - queries TCP & UDP port 135
SMTP          - queries TCP port 25
SNMP          - queries UDP port 161
SQL           - queries TCP port 1433 & UDP port 1434
TFTP          - queries UDP port 69

example: q mail
As you can see there are shortcuts that will send preconfigured queries based on the ports used by different services. We'll use their example and take a look at the output of running the q mail command.

Code:
> q mail

resolving service name using local services file...
TCP port resolved to the 'smtp' service

TCP port 25 (smtp service): LISTENING

Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:04:05 +0000


>

resolving service name using local services file...
TCP port resolved to the 'pop3' service

TCP port 110 (pop3 service): NOT LISTENING

>

resolving service name using local services file...
TCP port resolved to the 'imap' service

TCP port 143 (imap service): NOT LISTENING

>
As you can see, each of the ports displays either a listening or not listening state, the service name and the banner (if the port is listening). Let's take a quick look at the output from ippl (it lets us see basic connection attempts to our Debian node)..

Code:
colinux:~# ippl -n
Jan  8 08:05:01 IP Protocols Logger: started.
Jan  8 08:05:07 smtp connection attempt from 192.168.1.100
Jan  8 08:05:07 pop3 connection attempt from 192.168.1.100
Jan  8 08:05:08 last message repeated 2 time(s)
Jan  8 08:05:08 imap2 connection attempt from 192.168.1.100
Jan  8 08:05:09 last message repeated 2 time(s)
Note the 'last message repeated 2 time(s)' lines after the pop3 and imap2 attempts... to ensure that it wasn't just a lost packet that led to the assumption that the port is not listening, PortQry sends three queries to the port..

I have followed the TCP stream in Ethereal (a screenshot is available @ http://www.aoaddicts.net/htregz/portqry/ethereal1.jpg) and the software simply sends a SYN packet to the port in question; if there's no response received then the packet is sent two more times, and if a response is received, then the software will return a RST, ACK.

These are the bare bones of the software's functionality... this was more to let you see the output and give you a bit of an understanding of what is happening underneath. Now we'll take a look at running a port scan from the software. Again basic, but we'll call it level 2 for the hell of it.

Port Scanning

We'll run the port scans from the CLI and again this is a fairly simple process.

I'll truncate this because the output is rather large, however the full log file of the scan can be seen @ http://www.aoaddicts.net/htregz/portqry/portscan.txt.

Code:
D:\Program Files\Support Tools>portqry -r 1:1024 -n 192.168.1.99 -nr -l portscan.txt

Creating log file called portscan.txt

Querying target system called:

 192.168.1.99

TCP port 1 (unknown service): NOT LISTENING

TCP port 2 (unknown service): NOT LISTENING

TCP port 3 (unknown service): NOT LISTENING

TCP port 4 (unknown service): NOT LISTENING

TCP port 5 (unknown service): NOT LISTENING

TCP port 6 (unknown service): NOT LISTENING

TCP port 7 (echo service): NOT LISTENING

TCP port 8 (unknown service): NOT LISTENING

TCP port 9 (discard service): LISTENING

TCP port 10 (unknown service): NOT LISTENING

TCP port 11 (systat service): NOT LISTENING

TCP port 12 (unknown service): NOT LISTENING

TCP port 13 (daytime service): LISTENING
As you can see we told the software to scan our Debian node, ports 1 - 1024, not to resolve the IP, and to write a log file. I could have specified TCP, UDP or BOTH using the -p option, or a source port (-sp), however I didn't feel the need to use either of those to demonstrate the port scan options. You can see that ports are identified as listening or not listening and, when possible, the service is named (echo, discard, systat, daytime).

In the following section you can see that you will also obtain the banners when available.

Code:
TCP port 24 (unknown service): NOT LISTENING

TCP port 25 (smtp service): LISTENING

Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000


TCP port 26 (unknown service): NOT LISTENING

TCP port 27 (unknown service): NOT LISTENING
That's basically all there is to a port scan.... Nothing advanced so far, just basic functionality of the software... consider this a walk-through... Now let's see how we can use PortQry to check for Trojans, RATs, or any PhoneHome software that may be on our system.
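As an added example (not part of the original post, and not the script the author mentions writing), here is a Python parser for the scan output format above that drops the NOT LISTENING lines and attaches any banner printed under 'Data returned from port:'. The sample scan text is constructed for the example; the 'LISTENING or FILTERED' state on the UDP line is the one the -q help above describes as return code 2.

```python
import re

# Constructed sample in the format of the scan output above (not the
# author's full portscan.txt); the UDP line shows the third state PortQry
# reports when a port never answers.
SAMPLE_SCAN = """\
Querying target system called:

 192.168.1.99

TCP port 7 (echo service): NOT LISTENING

TCP port 9 (discard service): LISTENING

TCP port 25 (smtp service): LISTENING

Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000


TCP port 26 (unknown service): NOT LISTENING

UDP port 53 (domain service): LISTENING or FILTERED
"""

# One result line: "<PROTO> port <n> (<name> service): <STATE>"
PORT_LINE = re.compile(
    r"^(TCP|UDP) port (\d+) \((.+?) service\): "
    r"(LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)\s*$"
)


def parse_scan(text):
    """Return one dict per port line; banner text (the lines after
    'Data returned from port:' up to the next blank line) is attached
    to the port entry it follows."""
    results = []
    in_banner = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            proto, port, service, state = m.groups()
            results.append({"proto": proto, "port": int(port), "service": service,
                            "state": state, "banner": None})
            in_banner = False
            continue
        if line == "Data returned from port:" and results:
            in_banner = True
            continue
        if in_banner:
            if not line:  # a blank line ends the banner block
                in_banner = False
            else:
                prev = results[-1]["banner"]
                results[-1]["banner"] = line if prev is None else prev + "\n" + line
    return results


def open_ports(text):
    """Drop the NOT LISTENING noise and keep what needs a second look."""
    return [r for r in parse_scan(text) if r["state"] != "NOT LISTENING"]


if __name__ == "__main__":
    for r in open_ports(SAMPLE_SCAN):
        extra = f"  banner: {r['banner']}" if r["banner"] else ""
        print(f"{r['proto']} {r['port']} ({r['service']}) {r['state']}{extra}")
```

Point it at the -l log file from a real scan (open the file and pass its contents to open_ports) to get the "only open ports" view.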

Using PortQry to watch for Trojans.

In order to demonstrate this we'll use PortQry in local mode. A complete log of the program being executed on my PC can be found @ http://www.aoaddicts.net/htregz/portqry/local.txt. This can be useful to track down exactly which application has an established connection. Let's take a look at some of the output in the file and then examine how this can help us track down any nasty malware that's opening/using our ports.

Let's look at how it helps me break down IP communication to my PC.

First I'm given a complete statistical breakdown of protocols and states.

Code:
Port Statistics

TCP mappings: 96
UDP mappings: 20

TCP ports in a LISTENING state: 	11 = 11.46%
TCP ports in a SYN SENT state: 		1 = 1.04%
TCP ports in a SYN RECEIVED state: 	1 = 1.04%
TCP ports in a ESTABLISHED state: 	57 = 59.38%
TCP ports in a FIN WAIT-1 state: 	5 = 5.21%
TCP ports in a CLOSE WAIT state: 	4 = 4.17%
TCP ports in a TIME WAIT state: 	17 = 17.71%
I'm also given detailed breakdowns by process/process ID

Code:
======================================================

Process ID: 2164 (BitComet.exe)

Process doesn't appear to be a service

PID	Port		Local IP	State		 Remote IP:Port
2164	TCP 12642  	0.0.0.0 	LISTENING	 0.0.0.0:4155
2164	TCP 1887  	192.168.1.100 	ESTABLISHED	 70.24.22.110:7795
2164	TCP 2076  	192.168.1.100 	ESTABLISHED	 172.202.108.108:14218
2164	TCP 2124  	192.168.1.100 	ESTABLISHED	 84.48.36.33:6881
2164	TCP 2140  	192.168.1.100 	ESTABLISHED	 65.95.239.178:6881
2164	TCP 2210  	192.168.1.100 	ESTABLISHED	 70.48.118.234:32459
2164	TCP 2287  	192.168.1.100 	ESTABLISHED	 24.0.213.39:20002
2164	TCP 2298  	192.168.1.100 	ESTABLISHED	 24.36.208.215:6881
2164	TCP 2305  	192.168.1.100 	ESTABLISHED	 24.74.134.230:28100
2164	TCP 2306  	192.168.1.100 	ESTABLISHED	 12.217.47.125:6882
2164	TCP 2309  	192.168.1.100 	ESTABLISHED	 64.81.136.203:43212
2164	TCP 2310  	192.168.1.100 	ESTABLISHED	 82.24.44.72:6881
2164	TCP 2311  	192.168.1.100 	ESTABLISHED	 24.70.130.26:49200
2164	TCP 2319  	192.168.1.100 	ESTABLISHED	 71.195.85.249:6881
2164	TCP 2322  	192.168.1.100 	ESTABLISHED	 24.5.230.153:21345
2164	TCP 2323  	192.168.1.100 	ESTABLISHED	 24.87.73.13:6881
2164	TCP 2325  	192.168.1.100 	ESTABLISHED	 24.37.43.204:6881
2164	TCP 2326  	192.168.1.100 	ESTABLISHED	 62.131.87.190:51015
2164	TCP 2327  	192.168.1.100 	ESTABLISHED	 68.107.65.68:16151
2164	TCP 2331  	192.168.1.100 	ESTABLISHED	 24.0.238.181:6881
2164	TCP 2333  	192.168.1.100 	ESTABLISHED	 64.231.136.17:32250
2164	TCP 2338  	192.168.1.100 	ESTABLISHED	 145.94.79.173:6346
2164	TCP 2339  	192.168.1.100 	ESTABLISHED	 24.68.15.196:6881
2164	TCP 2343  	192.168.1.100 	ESTABLISHED	 84.48.83.59:49152
2164	TCP 2346  	192.168.1.100 	ESTABLISHED	 24.76.66.18:6881
2164	TCP 2347  	192.168.1.100 	ESTABLISHED	 81.79.130.230:10810
2164	TCP 2355  	192.168.1.100 	ESTABLISHED	 24.180.216.170:65500
2164	TCP 2412  	192.168.1.100 	ESTABLISHED	 142.166.201.31:22628
2164	TCP 2439  	192.168.1.100 	ESTABLISHED	 12.210.9.136:6881
2164	TCP 2608  	192.168.1.100 	ESTABLISHED	 59.167.61.87:6881
2164	TCP 2609  	192.168.1.100 	FIN WAIT-1	 82.39.210.171:6881
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 12.208.111.144:2387
2164	TCP 12642  	192.168.1.100 	FIN WAIT-1	 12.216.165.127:4269
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 12.221.46.141:3428
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 24.43.107.37:1816
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 24.43.107.37:1962
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 24.84.208.190:4291
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 24.87.12.178:4480
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 24.171.1.44:32937
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 65.43.221.86:4183
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 69.193.226.114:4894
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 69.194.43.235:61264
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 70.27.71.95:4062
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 70.29.248.247:3846
2164	TCP 12642  	192.168.1.100 	FIN WAIT-1	 70.30.118.53:3451
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 70.31.152.69:4685
2164	TCP 12642  	192.168.1.100 	FIN WAIT-1	 70.231.164.158:1748
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 70.244.245.131:4280
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 72.38.228.89:61081
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 72.38.231.205:4342
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 72.38.231.205:4684
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 72.38.231.205:4890
2164	TCP 12642  	192.168.1.100 	FIN WAIT-1	 81.77.84.204:3537
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 82.37.184.78:2728
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 83.18.144.10:1624
2164	TCP 12642  	192.168.1.100 	ESTABLISHED	 154.5.31.84:1994
2164	TCP 12642  	192.168.1.100 	SYN RECEIVED	 219.79.204.244:4597
2164	UDP 12642  	0.0.0.0 			 *:*

======================================================
As you can see I'm connected to a large number of hosts for the file that I'm downloading through BitTorrent... but if I saw a weird IP showing up that I didn't know, I could simply check this list and see if it was someone that was connecting because of my current torrent downloads. The process is identified, as is the process ID, and then all the connections and their current states.

Let's look at what this will do for us with services as well. We'll use one of the running copies of svchost and look at how it helps us break it down.

Code:
Process ID: 1076 (svchost.exe)

Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

PID	Port		Local IP	State		 Remote IP:Port
1076	TCP 3389  	0.0.0.0 	LISTENING	 0.0.0.0:2144
As you can see we get the Name and Type of each service... so we can see which services are running themselves inside svchost. TermService also opens up a port (3389), we also see that it is listening... all in one nice neat chart.


Now let's go on to malware detection. I'm going to use netcat in this case to open the ports for testing purposes... but I think you already know where this is going. You can view the logfile with my 'malware' running @ http://www.aoaddicts.net/htregz/port...al-malware.txt

As you can easily see... an application that I was previously unaware of has opened a port on my PC and is listening for connections.

Code:
======================================================

Process ID: 2980 (nc.exe)

Process doesn't appear to be a service

PID     Port            Local IP        State            Remote IP:Port
2980    TCP 666         0.0.0.0         LISTENING        0.0.0.0:2080

======================================================
This is one of the best features of PortQry in my opinion... This could be handy if installed on each machine on a domain in conjunction with pstools (or in a script) to check the current port activity on end-user machines.
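As an added example (not code from the original post), here is a Python script that parses the -local report format shown above and flags listening TCP sockets and bound UDP sockets whose process/port pair is not on a baseline allowlist, which is the check you would run on the log each machine produces. The sample report and the allowlist are constructed for the example.

```python
import re

# Constructed excerpt in the -local report format shown above (not the
# author's full log): a service host, a P2P client, and the nc.exe listener.
SAMPLE_LOCAL = """\
======================================================

Process ID: 1076 (svchost.exe)

PID     Port            Local IP        State            Remote IP:Port
1076    TCP 3389        0.0.0.0         LISTENING        0.0.0.0:2144

======================================================

Process ID: 2164 (BitComet.exe)

PID     Port            Local IP        State            Remote IP:Port
2164    TCP 12642       0.0.0.0         LISTENING        0.0.0.0:4155
2164    TCP 2609        192.168.1.100   FIN WAIT-1       82.39.210.171:6881
2164    UDP 12642       0.0.0.0                          *:*

======================================================

Process ID: 2980 (nc.exe)

PID     Port            Local IP        State            Remote IP:Port
2980    TCP 666         0.0.0.0         LISTENING        0.0.0.0:2080

======================================================
"""

PROCESS_RE = re.compile(r"^Process ID: (\d+) \((.+)\)\s*$")


def parse_local(text):
    """Return one dict per mapping row, tagged with the owning process name."""
    process, rows = None, []
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(2)
            continue
        tok = line.split()
        # Mapping rows start with a numeric PID and TCP/UDP. The state column may
        # be two words ("FIN WAIT-1") or absent on UDP rows, so read the remote
        # endpoint from the end of the row and join whatever sits in between.
        if process and len(tok) >= 5 and tok[0].isdigit() and tok[1] in ("TCP", "UDP"):
            rows.append({"pid": int(tok[0]), "process": process, "proto": tok[1],
                         "port": int(tok[2]), "local_ip": tok[3],
                         "state": " ".join(tok[4:-1]), "remote": tok[-1]})
    return rows


# Hypothetical baseline of listeners expected on this host: (process, proto, port).
ALLOWED_LISTENERS = {("svchost.exe", "TCP", 3389),
                     ("BitComet.exe", "TCP", 12642), ("BitComet.exe", "UDP", 12642)}


def unexpected_listeners(text, allowed=ALLOWED_LISTENERS):
    """Listening TCP sockets and bound UDP sockets that are not in the baseline."""
    hits = []
    for r in parse_local(text):
        bound = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if bound and (r["process"], r["proto"], r["port"]) not in allowed:
            hits.append(r)
    return hits
```

Rows in ESTABLISHED, FIN WAIT-1 and similar states are ignored on purpose; the check is only about what accepts inbound connections.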

Let's take a look now at the last real feature of PortQry before we move on to some of the things that we can do with it.

Monitoring a Port/Service

We can monitor local ports (or services attached to those ports) quite simply using portqry.

Code:
D:\Program Files\Support Tools>portqry -wport 25 -wt 2

PortQry Version 2.0
Watching port: 25

Checking for changes every 2 seconds

**press escape to stop watching port

============
System Date: Sun Jan 08 02:46:07 2006


PID     Port            Local IP        State            Remote IP:Port
3060    TCP 25          0.0.0.0         LISTENING        0.0.0.0:38958

Port Statistics

TCP mappings: 1
UDP mappings: 0

TCP ports in a LISTENING state:         1 = 100.00%


============
System Date: Sun Jan 08 02:46:14 2006


============
System Date: Sun Jan 08 02:46:14 2006


Specified port currently does not have any port mappings

TCP mappings: 0
UDP mappings: 0

PID     Port            Local IP        State            Remote IP:Port

Port Statistics

TCP mappings: 0
UDP mappings: 0
What I did was tell portqry to monitor port 25 on my system and keep an eye on its status (checking every 2 seconds). When I started the process, port 25 was closed.. I then proceeded to open netcat listening on port 25. The first group of italics was created as soon as it saw that the port was now listening. The second group of italics shows that the port was closed (I killed netcat) and that there's now nothing listening. In essence that's all there is to port monitoring...

There's not a lot here... just an introduction for those of you that haven't used it before.... I've got a few uses for this that I'm going to use to kill some time at work... I'm going to create a VBS script to monitor the services on a machine and email me when they go down (perhaps SMS)... I'm also going to create a Python script to parse the log files and leave only open ports... Perhaps I'll do it with VBS as well.... If I can get -q to work, I'll also create some scripts on that... I'm also working on one troubleshooting script that will run a little bit of everything and return all the results formatted.... I'll turn those all into an Advanced Tutorial on PortQry.... for now here's the basics..

Peace,
HT