Netstat and open ports

Thread: Netstat and open ports

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    Netstat and open ports

    Hi everyone

    I have XP Pro SP2 which is fully updated, connected to ADSL via a router. I read an old thread (about 18 months old) on another forum about person X doing a port scan, finding ports 139 and 445 open and then getting into the remote computer to see what was there. He said that there wasn't anything "interesting" and it hadn't been worth the effort. I'm not asking about how he managed to get into the other PC (I know that I'd get some terse comments!) but I'd like to know about checking open ports and closing them. I ran netstat -a and received the following output:

    Active Connections

    Proto Local Address Foreign Address State
    TCP ComputerName:echo ComputerName:0 LISTENING
    TCP ComputerName:discard ComputerName:0 LISTENING
    TCP ComputerName:daytime ComputerName:0 LISTENING
    TCP ComputerName:qotd ComputerName:0 LISTENING
    TCP ComputerName:chargen ComputerName:0 LISTENING
    TCP ComputerName:epmap ComputerName:0 LISTENING
    TCP ComputerName:microsoft-ds ComputerName:0 LISTENING
    TCP ComputerName:1045 ComputerName:0 LISTENING
    TCP ComputerName:1899 localhost:1898 TIME_WAIT
    TCP ComputerName:netbios-ssn ComputerName:0 LISTENING
    TCP ComputerName:echo ComputerName:0 LISTENING 0
    TCP ComputerName:discard ComputerName:0 LISTENING 0
    TCP ComputerName:daytime ComputerName:0 LISTENING 0
    TCP ComputerName:qotd ComputerName:0 LISTENING 0
    TCP ComputerName:chargen ComputerName:0 LISTENING 0
    TCP ComputerName:epmap ComputerName:0 LISTENING 0
    UDP ComputerName:echo *:*
    UDP ComputerName:discard *:*
    UDP ComputerName:daytime *:*
    UDP ComputerName:qotd *:*
    UDP ComputerName:chargen *:*
    UDP ComputerName:snmp *:*
    UDP ComputerName:microsoft-ds *:*
    UDP ComputerName:isakmp *:*
    UDP ComputerName:1025 *:*
    UDP ComputerName:1052 *:*
    UDP ComputerName:1062 *:*
    UDP ComputerName:1234 *:*
    UDP ComputerName:1604 *:*
    UDP ComputerName:3544 *:*
    UDP ComputerName:4500 *:*
    UDP ComputerName:ntp *:*
    UDP ComputerName:1090 *:*
    UDP ComputerName:1900 *:*
    UDP ComputerName:ntp *:*
    UDP ComputerName:netbios-ns *:*
    UDP ComputerName:netbios-dgm *:*
    UDP ComputerName:router *:*
    UDP ComputerName:1601 *:*
    UDP ComputerName:1900 *:*
    UDP ComputerName:47393 *:*
    UDP ComputerName:echo *:*
    UDP ComputerName:discard *:*
    UDP ComputerName:daytime *:*
    UDP ComputerName:qotd *:*
    UDP ComputerName:chargen *:*

    whilst netstat -a -n gave me this:

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:7 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:9 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:13 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:17 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:19 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1045 0.0.0.0:0 LISTENING
    TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
    TCP [::]:7 [::]:0 LISTENING 0
    TCP [::]:9 [::]:0 LISTENING 0
    TCP [::]:13 [::]:0 LISTENING 0
    TCP [::]:17 [::]:0 LISTENING 0
    TCP [::]:19 [::]:0 LISTENING 0
    TCP [::]:135 [::]:0 LISTENING 0
    UDP 0.0.0.0:7 *:*
    UDP 0.0.0.0:9 *:*
    UDP 0.0.0.0:13 *:*
    UDP 0.0.0.0:17 *:*
    UDP 0.0.0.0:19 *:*
    UDP 0.0.0.0:161 *:*
    UDP 0.0.0.0:445 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:1025 *:*
    UDP 0.0.0.0:1052 *:*
    UDP 0.0.0.0:1062 *:*
    UDP 0.0.0.0:1234 *:*
    UDP 0.0.0.0:1604 *:*
    UDP 0.0.0.0:3544 *:*
    UDP 0.0.0.0:4500 *:*
    UDP 127.0.0.1:123 *:*
    UDP 127.0.0.1:1090 *:*
    UDP 127.0.0.1:1900 *:*
    UDP 192.168.0.2:123 *:*
    UDP 192.168.0.2:137 *:*
    UDP 192.168.0.2:138 *:*
    UDP 192.168.0.2:520 *:*
    UDP 192.168.0.2:1601 *:*
    UDP 192.168.0.2:1900 *:*
    UDP 192.168.0.2:46085 *:*
    UDP [::]:7 *:*
    UDP [::]:9 *:*
    UDP [::]:13 *:*
    UDP [::]:17 *:*
    UDP [::]:19 *:*

    I have a few questions:

    firstly, my port 445 seems to be open so do I need to worry or do anything about it?

    second, I had Outlook open when I ran the netstat commands. As far as I know, it uses SMTP and POP3 so why aren't ports 25 and 110 mentioned as being open or "listening"; and

    finally, what exactly do the entries such as "ComputerName:discard" and "ComputerName:chargen" mean in the first listing? They "map" directly to 0.0.0.0:9 and 0.0.0.0:19 in the second.

    Sorry that this has been such a long post and the nicely tabbed netstat output hasn't been retained. I looked for tags to enclose the netstat outputs but couldn't find any.

    Thanks for your time (and patience!).

  2. #2
    Junior Member
    Join Date
    Apr 2007
    Posts
    1
    Assuming you don't have ports 445,139 forwarded on your router they shouldn't be accessible remotely.

    As for Outlook it would use SMTP and POP3 when sending/receiving mail, maybe it was not sending/receiving at the time you ran the netstat command.

    After some quick googling it seems the chargen and discard entries are protocols intended for testing purposes. Anything sent to the port is thrown away using the discard protocol. The chargen protocol generates random characters and sends them back to the host connecting to the port. I assume it's just a way to test if a computer is up/down or can send/receive data?

    Hope this helps.



    Oh and first post!!
    Last edited by gambL; April 9th, 2007 at 04:20 PM.

  3. #3
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    The best principle to use is if you aren't using it, turn it off. The only time you need something listening is if a service is operating as a service that should be accessible over the network. If you see 0.0.0.0 as the address, that is shorthand for the daemon is listening to every NIC/IP address on your system, which is only relevant on systems with multiple IPs...most service configurations will allow you to bind to a specific IP if you so choose...127.0.0.1 is the IP address of the loopback interface, which is shorthand for referencing yourself...it is only reachable by your computer and isn't as large of a risk.

    Just a couple of generic pointers:

    1) Since you are using XP SP2, use netstat -nab. Much more useful b/c it shows you WHAT program has the port open (and the port and state of the port)...rather than having to guess what program has it open...

    2) These are garbage and should never be needed in a normal environment...disable/turn them off:
    TCP ComputerName:echo ComputerName:0 LISTENING
    TCP ComputerName:discard ComputerName:0 LISTENING
    TCP ComputerName:daytime ComputerName:0 LISTENING
    TCP ComputerName:qotd ComputerName:0 LISTENING
    TCP ComputerName:chargen ComputerName:0 LISTENING
    TCP ComputerName:echo ComputerName:0 LISTENING 0
    TCP ComputerName:discard ComputerName:0 LISTENING 0
    TCP ComputerName:daytime ComputerName:0 LISTENING 0
    TCP ComputerName:qotd ComputerName:0 LISTENING 0
    TCP ComputerName:chargen ComputerName:0 LISTENING 0
    UDP ComputerName:echo *:*
    UDP ComputerName:discard *:*
    UDP ComputerName:daytime *:*
    UDP ComputerName:qotd *:*
    UDP ComputerName:chargen *:*
    UDP ComputerName:echo *:*
    UDP ComputerName:discard *:*
    UDP ComputerName:daytime *:*
    UDP ComputerName:qotd *:*
    UDP ComputerName:chargen *:*
    3) These are probably not needed and shouldn't be used unless properly configured/locked down (which brings up another question...is your system acting like a router for some odd reason? Think router is also known as RIP...I forget offhand)...
    UDP ComputerName:snmp *:*
    UDP ComputerName:ntp *:*
    UDP ComputerName:ntp *:*
    UDP ComputerName:router *:*
    4) As far as netbios (tcp/139 tcp/445 udp/137-138): Are you sharing a drive/printer from your system to other users on the network? If not, disable your server service. Are you using someone else's drives/printers? If not, disable your workstation/computer browser services.

    5) Lastly, Blackviper has happily returned, have a look:
    http://www.blackviper.com/WinXP/servicecfg.htm

    You'll find that as you disable services running in the background, you'll see less programs listening on network connections/ports and you should also find that your system is running faster since you aren't wasting cycles/memory on programs you aren't using...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    @ gambL: Thank you - a useful first post (well, I think so!). No, I don't have any port forwarding set in the router. It's logical that neither SMTP nor POP3 was displayed so I got Outlook to Send/Receive and then ran netstat again. The list mentioned POP3 but didn't show its port. I'll look into this further when I've disabled the "rubbish" (as below).

    @nebulus200: Yes, I've played around with the -b switch and seen the output. I'm interested to see that there are unnecessary entries and I'm keen to disable them ... but how? I haven't (to my knowledge) set the laptop up as a router. It's the only one attached to the ADSL router so I guess that I should also disable the entries that you listed in 3)?

    I have had file and printer sharing enabled (when I had another laptop attached via a cross-over cable) so I guess that by disabling that in TCP/IP properties, it should get rid of the netbios-related entries mentioned in 4)?

    My system is running a little slowly and I was contemplating reinstalling the OS. Maybe these recommended tweaks will prevent my having to do that (not something I do without good reason!).

    I remember looking for Blackviper a while ago - I'll check it out.

    Thanks again for the input.

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    I've been thinking - as I was connected to the internet whilst I ran Netstat to get the outputs which I gave, why isn't there reference to either port 80 or 8080? Does it relate somehow to the fact that I'm behind an ADSL router? I haven't changed any of the router firewall settings. If this is the case, how can I check what ports I have open to the "outside world"? I'm so confused now!

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Assuming you don't have ports 445,139 forwarded on your router they shouldn't be accessible remotely.
    Most routers/switches do forward this traffic, hence, worm propagation...

    As far as netbios (tcp/139 tcp/445 udp/137-138): Are you sharing a drive/printer from your system to other users on the network? If not, disable your server service. Are you using someone else's drives/printers? If not, disable your workstation/computer browser services.
    Another way to disable CIFS (port 445) is to disable NetBIOS over TCP by simply clicking a checkbox in the advanced properties of TCP/IP.

    second, I had Outlook open when I ran the netstat commands. As far as I know, it uses SMTP and POP3 so why aren't ports 25 and 110 mentioned as being open or "listening"
    It doesn't matter if the Outlook client is open. It matters what the connection state is when you perform netstat. Unless you executed netstat during the time wait period of the mail send/receive, you're not going to see the ports in use. POP3 and SMTP are not running as a service on your host, hence, you're not going to see them in your output all the time. For a better look at what's happening, download a tool called TCPview (google it) and you can watch your system in (almost) realtime rather than snapshotting it with netstat. Or simply click send/receive in Outlook then immediately do a netstat. You'll see port 110 in time wait.

    finally, what exactly do the entries such as "ComputerName:discard" and "ComputerName:chargen" mean in the first listing? They "map" directly to 0.0.0.0:9 and 0.0.0.0:19 in the second
    Chargen and discard are legacy services that have virtually no use anymore. Old skoolers like myself remember them fondly from the "80s". Trace route and ping (via ICMP) have long since replaced Chargen and discard. These two protocols were the network testing tools back in the day.

    Turn them off. They can only lead to trouble.

    These are probably not needed and shouldn't be used unless properly configured/locked down (which brings up another question...is your system acting like a router for some odd reason? Think router is also known as RIP...I forget offhand)...
    Seems he has every service under the sun running on this host. The cause of seeing "router" is that he has the Routing and Remote Access Service turned on. A dead giveaway is that I saw SNMP running also. So, yes, he has IP forwarding turned on.

    If you see 0.0.0.0 as the address, that is shorthand for the daemon is listening to every NIC/IP address on your system
    Technically, this is incorrect. Yes, I'm nitpicky. The proper terminology here is "any". Simply put, when you see 0.0.0.0 it means "any", not "every". It's a matter of sounding like a computer professional or a hobbyist. Use the term any instead.


    --TH13
    Last edited by thehorse13; April 10th, 2007 at 12:18 PM.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
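    As an added example (not code from any poster in this thread), the following Python script parses `netstat -an` output as pasted above, classifies each listener's bind address the way nebulus200 and thehorse13 describe ("any"/wildcard, loopback, or one specific interface), ignores transient states such as TIME_WAIT, and flags the ports the thread says to turn off. The sample rows and the port tables are constructed from the listing and advice in this thread.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the `netstat -an` rows quoted in the thread
# (IPv4 and IPv6 TCP listeners, one TIME_WAIT client socket, a few UDP rows).
SAMPLE = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:7 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1045 0.0.0.0:0 LISTENING
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP 192.168.0.2:1899 127.0.0.1:1898 TIME_WAIT
TCP [::]:19 [::]:0 LISTENING 0
UDP 0.0.0.0:161 *:*
UDP 192.168.0.2:137 *:*
UDP 127.0.0.1:123 *:*
"""

# Port tables built from the replies: the legacy "Simple TCP/IP Services",
# the NetBIOS/SMB/RPC set, and the SNMP / RIP ports that point at RRAS.
LEGACY = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}
NETBIOS = {135: "epmap/RPC", 137: "netbios-ns", 138: "netbios-dgm",
           139: "netbios-ssn", 445: "microsoft-ds (CIFS)"}
MANAGEMENT = {161: "snmp", 520: "router (RIP)"}

Socket = namedtuple("Socket", "proto addr port state")

def split_endpoint(ep):
    """Split 'host:port' into (host, port); handles '[::]:7' and '*:*'."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat -an text into Socket records, skipping header lines."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, port = split_endpoint(parts[1])
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
        socks.append(Socket(parts[0], host, port, state))
    return socks

def scope(addr):
    """Who can reach a socket bound to this address."""
    if addr in ("0.0.0.0", "::"):
        return "any"        # wildcard bind: reachable on every interface
    if addr in ("127.0.0.1", "::1"):
        return "loopback"   # only this host can connect
    return "interface"      # one specific NIC/IP

def triage(socks):
    """(port, proto, scope, advice) for each listener the thread says to review."""
    findings = []
    for s in socks:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # TIME_WAIT etc. are transient client sockets, not services
        if s.port in LEGACY:
            advice = LEGACY[s.port] + ": Simple TCP/IP Services, disable"
        elif s.port in NETBIOS:
            advice = NETBIOS[s.port] + ": only needed for file/print sharing"
        elif s.port in MANAGEMENT:
            advice = MANAGEMENT[s.port] + ": SNMP/RRAS, disable unless configured"
        else:
            continue
        findings.append((s.port, s.proto, scope(s.addr), advice))
    return sorted(findings)
```

Feed it the before and after output of `netstat -an` when you disable a service and the corresponding row drops out of the findings; anything still reported with scope "any" or "interface" is reachable from the LAN (and from the internet if the router forwards it).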

  7. #7
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    Chargen and discard are legacy services that have virtually no use anymore. Old skoolers like myself remember them fondly from the "80s". Trace route and ping (via ICMP) have long since replaced Chargen and discard.
    This is interesting, I have NEVER seen them on a Windows machine and I have a large network to monitor. What turns this on typically, IP forwarding, some open source code ported from Linux? Or more likely a skiddie toolkit.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  8. #8
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Quote Originally Posted by thehorse13
    Most routers/switches do forward this traffic, hence, worm propagation...

    Another way to disable CIFS (port 445) is to disable NetBIOS over TCP by simply clicking a checkbox in the advanced properties of TCP/IP.
    I have NetBIOS over TCP/IP disabled - I was told by someone previously that I should do this. Do you have any other ideas about disabling port 445?

    ... For a better look at what's happening, download a tool called TCPview (google it) and you can watch your system in (almost) realtime rather than snapshotting it with netstat. Or simply click send/receive in outlook then immediately do a netstat. You'll see port 110 in time wait.
    I'm fairly sure that I have Sysinternals TCPview in my "tools library" somewhere but haven't used it. I'll have a look into it.

    Chargen and discard are legacy services that have virtually no use anymore. Old skoolers like myself remember them fondly from the "80s". Trace route and ping (via ICMP) have long since replaced Chargen and discard. These two protocols were the network testing tools back in the day.

    Turn them off. They can only lead to trouble.
    How do I turn them off?

    I looked into the other "odd" ports (echo, daytime etc.) and it suggested that daytime is part of the NTP. Am I correct in thinking that this relates to the regular clock update that my laptop does to make sure that the time displayed is correct? If so, I'd better leave that one there!

    ... The cause of seeing "router" is that he has the Routing and Remote Access Service turned on. A dead give away is that I saw SNMP running also. So, yes, he has IP forwarding turned on.
    I'm lost now so I'd better do some googling! I suspect that I need to go into the Services application and disable the Routing and Remote Access Service?

    Many thanks for the detailed response. Who knows, I might just get my head around this!

  9. #9
    AO's MMA Fanatic! Computernerd22
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    769
    I have NetBIOS over TCP/IP disabled - I was told by someone previously that I should do this. Do you have any other ideas about disabling port 445?
    Me personally, I just did the following below on my XP box with SP2; works perfectly.

    How to disable port 445?
    You can easily disable port 445 on your computer. To do so, follow these instructions:
    1) Start Registry Editor (Regedit.exe).
    2) Locate the following key in the registry:
    HKLM\System\CurrentControlSet\Services\NetBT\Parameters
    3) In the right-hand side of the window find an option called TransportBindName.
    4) Double click that value, and then delete the default value, thus giving it a blank value.
    5) Close the registry editor.
    6) Reboot your computer.
    7) After rebooting, open a command prompt and in it type
    netstat -an
    See that your computer no longer listens on port 445.

    PS: the full article can be found here.
    http://www.petri.co.il/what's_port_4...2k_xp_2003.htm

  10. #10
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    @Computernerd22: that's a coincidence! I just did some googling, came across the same article and did just that. I agree that it works like a charm. I came back here to post (for others' benefit) but you beat me to it (Grr!).

    One other thing is about port 135. I came across a complicated article which mentioned disabling RPC. Mine is set to start automatically. I don't think that I need it on a single laptop behind an ADSL router. What I could understand mentioned that it would be needed in a large (client/server) network. The article also mentioned disabling things like Windows Time, SSDP Discovery Services, Remote Desktop Help Services Manager, Com+ Event System, Com+ System Application, System Event Notification (do I really want to do that?) and Task Scheduler (do I really want to do that either?). I've never heard of most of these so I'm relatively happy to disable them but there are some which I think I ought to keep. Any comments?
