Hey Hey,
I commented that PortQry could probably use a tutorial so I've decided to write one. I'm going to cover a few of the unique and not-so-unique features of the software. You can obtain PortQry from http://www.microsoft.com/downloads/d...displaylang=en.
Sections
- Breakdown of /? (section by section)
- Testing a Port (Troubleshooting)
- Testing a Service Set (Troubleshooting)
- Port Scanning
- Using PortQry to watch for Trojans
- Monitoring a Port/Service
Breakdown of /?
Code:
D:\Program Files\Support Tools>PortQry /?

PortQry version 2.0

Displays the state of TCP and UDP ports

Command line mode: portqry -n name_to_query [-options]
Interactive mode:  portqry -i [-n name_to_query] [-options]
Local Mode:        portqry -local | -wpid pid| -wport port [-options]

As you can see you have three options with PortQry: CLI, Interactive and Local Mode. CLI lets you call a single command and receive the output; we'll use this when scripting. Interactive mode lets you run a series of tests against a single node. Local mode lets you examine more closely the PC you are running PortQry on.
Code:
Command line mode:

portqry -n name_to_query [-p protocol] [-e || -r || -o endpoint(s)] [-q]
        [-l logfile] [-sp source_port] [-sl] [-cn SNMP community name]

Command line mode options explained:
-n [name_to_query]    IP address or name of system to query
-p [protocol]         TCP or UDP or BOTH (default is TCP)
-e [endpoint]         single port to query (valid range: 1-65535)
-r [end point range]  range of ports to query (start:end)
-o [end point order]  range of ports to query in an order (x,y,z)
-l [logfile]          name of text log file to create
-y                    overwrites existing text log file without prompting
-sp [source port]     initial source port to use for query
-sl                   'slow link delay' waits longer for UDP replies from remote systems
-nr                   by-passes default IP address-to-name resolution
                      ignored unless an IP address is specified after -n
-cn                   specifies SNMP community name for query
                      ignored unless querying an SNMP port
                      must be delimited with !
-q                    'quiet' operation runs with no output
                      returns 0 if port is listening
                      returns 1 if port is not listening
                      returns 2 if port is listening or filtered

Notes:    PortQry runs on Windows 2000 and later systems
Defaults: TCP, port 80, no log file, slow link delay off
Hit Ctrl-c to terminate prematurely

examples:
portqry -n myserver.com -e 25
portqry -n 10.0.0.1 -e 53 -p UDP -i
portqry -n host1.dev.reskit.com -r 21:445
portqry -n 10.0.0.1 -o 25,445,1024 -p both -sp 53
portqry -n host2 -cn !my community name! -e 161 -p udp

Not a lot to explain here... you could really look this over yourself by running the command, but this way I ensure that you've read it over first. I would say note the -q option; however, I've had varied success with it... otherwise it would be the ultimate scripting tool.
Code:
Interactive Mode:

Used as an alternative to command line mode
portqry -i [-options]

For help with Interactive mode options:
- run portqry.exe
- then type 'help' <enter>

example: portqry -i -n server1 -e 135 -p both

Interactive mode offers the same functionality as CLI mode, but it drops you into a PortQry prompt to execute the commands.
Code:
Local Mode:

Local Mode used to get detailed data on local system's ports
portqry -local | -wpid pid | -wport port [-wt seconds] [-l logfile] [-v]

Local mode options explained:
-local                enumerates local port usage, port to process mapping,
                      service port usage, and lists loaded modules
-wport [port_number]  watches specified port
                      reports when port's connection status changes
-wpid [process_ID]    watches specified process ID (PID)
                      reports when PID's connection status changes
-wt [seconds]         watch time option
                      specifies how often to check for status changes
                      valid range: 1 - 1200 seconds
                      default value is 60 seconds
-l [logfile]          name of text log file to create
-v                    requests verbose output

Notes: PortQry runs on Windows 2000 and later systems
For best results run in context of local administrator
Port to process mapping may not be available on all systems
Hit Ctrl-c to terminate prematurely

examples:
portqry -local
portqry -local -l logfile.txt -v
portqry -wpid 1272 -wt 5 -l logfile.txt -y -v
portqry -wport 53 -l dnslog.txt

Local mode is very nice, especially on its own: it tells you the mapping of processes to listening/established connections. Think of this as a mixed netstat/fport with a bit more detail. The monitoring function is also provided here, which is a nice feature.
Now.... on with the tutorial.
Testing a Port
Testing a port is very simple, but we might as well cover the basics rather than jump into the advanced stuff and leave people floating behind. This will be done using the CLI; here's an example of how you do it.
Code:
D:\Program Files\Support Tools>portqry -n 192.168.1.99 -e 25

Querying target system called: 192.168.1.99

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 25 (smtp service): LISTENING

Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 07:52:57 +0000

As you can see this is a fairly basic example; it's actually included in the help, but now you can see the output. It tries to resolve the address to a name (which fails in this case; we could skip this step with the no-resolve option, -nr). We are told the service is smtp, that it is listening, and the banner is returned. Nothing overly intense, just a very simple test of a port to see whether a service is running or not. We'll demonstrate a complete port scan (or partial port scan) in the upcoming sections. First, though, I'd like to show you something special that you can do while you are in Interactive mode.
Testing a Service Set
Something else you can do is test a complete service set. Perhaps you want to test the functionality of a mail server. You don't want to run the above command three times; you could use a port scan, but PortQry also lets you perform certain service checks (as long as the services use the standard port numbers) while in Interactive mode.
Let's take a quick look at interactive mode to understand what we can and can't do.
Code:
D:\Program Files\Support Tools>portqry -i -n 192.168.1.99 -nr

PortQry Interactive Mode

Type 'help' for a list of commands

Default Node: 192.168.1.99

Current option values:
 end port= 80
 protocol= TCP
 source port= 0 (ephemeral)
 Reverse name lookup disabled

>

This command has put us into interactive mode and specified the default node (for those interested, this is a Debian host running under Cooperative Linux; the host is Windows XP SP2 @ 192.168.1.100).
Let's run the help command to see fully what our options are.
Code:
> help

Valid Commands:
===============
help or ?        - display info on common commands
phelp or ?p      - display list of frequently used ports
node NAME        - set default node to query, NAME or IP address
query or q       - send query to default node
set OPTION=value
  Options:
  all            - display current option values
  port=n         - set port number to query
                 - set port= or set e=
  sport=n        - set source port number, 0=ephemeral
                 - set sport= or set sp=
  protocol=p     - set protocol used for query, TCP, UDP, or BOTH
                 - set protocol= or set p=
  cn=string      - set SNMP community name
                 - default is set to public
  nr             - toggles reverse name lookups
                 - enables/disables resolving node IP address to name
  sl             - toggles slow link delay for UDP queries
                 - doubles timeout period waiting for UDP responses
query shortcut   - sends queries associated with shortcut
  Shortcuts:
  DNS    - queries TCP & UDP port 53
  FTP    - queries TCP port 21
  IMAP   - queries TCP port 143
  IPSEC  - queries UDP port 500
  ISA    - queries TCP & UDP port 1745
  LDAP   - queries TCP & UDP port 389
  L2TP   - queries UDP port 1701
  MAIL   - queries TCP ports 25,110,143
  POP3   - queries TCP port 110
  RPC    - queries TCP & UDP port 135
  SMTP   - queries TCP port 25
  SNMP   - queries UDP port 161
  SQL    - queries TCP port 1433 & UDP port 1434
  TFTP   - queries UDP port 69

example: q mail

As you can see there are shortcuts that send preconfigured queries based on the ports used by different services. We'll use their example and take a look at the output of running the q mail command.
Code:
> q mail

resolving service name using local services file...

TCP port resolved to the 'smtp' service

TCP port 25 (smtp service): LISTENING

Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:04:05 +0000

>

resolving service name using local services file...

TCP port resolved to the 'pop3' service

TCP port 110 (pop3 service): NOT LISTENING

>

resolving service name using local services file...

TCP port resolved to the 'imap' service

TCP port 143 (imap service): NOT LISTENING

>

As you can see each of the ports shows either a listening or not listening state, the service name, and the banner (if the port is listening). Let's take a quick look at the output from ippl (it lets us see basic connection attempts to our Debian node).
Code:
colinux:~# ippl -n
Jan  8 08:05:01 IP Protocols Logger: started.
Jan  8 08:05:07 smtp connection attempt from 192.168.1.100
Jan  8 08:05:07 pop3 connection attempt from 192.168.1.100
Jan  8 08:05:08 last message repeated 2 time(s)
Jan  8 08:05:08 imap2 connection attempt from 192.168.1.100
Jan  8 08:05:09 last message repeated 2 time(s)

Note the "last message repeated 2 time(s)" lines (shown in italics in the original post): to make sure it wasn't just a lost packet that led to the conclusion that the port is not listening, PortQry sends three queries to the port.
I have followed the TCP stream in Ethereal (a screenshot is available @ http://www.aoaddicts.net/htregz/portqry/ethereal1.jpg) and the software simply sends a SYN packet to the port in question; if no response is received then the packet is sent two more times, and if a response is received, then the software returns a RST, ACK.
These are the bare bones of the software's functionality... this was more to let you see the output and give you a bit of an understanding of what is happening underneath the software. Now we'll take a look at running a port scan from the software. Again basic, but we'll call it level 2 for the hell of it.
Port Scanning
We'll run the port scans from the CLI and again this is a fairly simple process.
I'll truncate this because the output is rather large, however the full log file of the scan can be seen @ http://www.aoaddicts.net/htregz/portqry/portscan.txt.
Code:
D:\Program Files\Support Tools>portqry -r 1:1024 -n 192.168.1.99 -nr -l portscan.txt

Creating log file called portscan.txt

Querying target system called: 192.168.1.99

TCP port 1 (unknown service): NOT LISTENING
TCP port 2 (unknown service): NOT LISTENING
TCP port 3 (unknown service): NOT LISTENING
TCP port 4 (unknown service): NOT LISTENING
TCP port 5 (unknown service): NOT LISTENING
TCP port 6 (unknown service): NOT LISTENING
TCP port 7 (echo service): NOT LISTENING
TCP port 8 (unknown service): NOT LISTENING
TCP port 9 (discard service): LISTENING
TCP port 10 (unknown service): NOT LISTENING
TCP port 11 (systat service): NOT LISTENING
TCP port 12 (unknown service): NOT LISTENING
TCP port 13 (daytime service): LISTENING

As you can see we told the software to scan our Debian node, ports 1 - 1024, not to resolve the IP, and to dump a log file. I could have specified TCP, UDP or BOTH using the -p option, or a source port (-sp), but I didn't feel the need to use either of those to demonstrate the port scan options. You can see that ports are identified as listening or not listening and, when possible, the service is named (echo, discard, systat, daytime).
In the following section you can see that you also obtain the banners when available.
Code:
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000
TCP port 26 (unknown service): NOT LISTENING
TCP port 27 (unknown service): NOT LISTENING

That's basically all there is to a port scan. Nothing advanced so far, just the basic functionality of the software; consider this a walk-through. Now let's see how we can use PortQry to check for Trojans, RATs, or any phone-home software that may be on our system.
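Later in this post the author mentions wanting a script that parses the log files and leaves only the open ports. The following Python script is an added example, not code from the original post or from PortQry: it reads the text that portqry -r start:end ... -l logfile writes, keeps only the LISTENING ports, and attaches the banner that follows a "Data returned from port:" line. The sample log is constructed from the scan output shown above; the UDP "LISTENING or FILTERED" line is included because that is the third state the -q help text refers to.

```python
"""Reduce a PortQry port-scan log to its listening ports (added example)."""
import re

# Constructed sample in the format portqry writes to its -l log file.
SAMPLE_SCAN_LOG = """\
Querying target system called:
 192.168.1.99

TCP port 7 (echo service): NOT LISTENING
TCP port 9 (discard service): LISTENING
TCP port 13 (daytime service): LISTENING
TCP port 24 (unknown service): NOT LISTENING
TCP port 25 (smtp service): LISTENING
Data returned from port:
220 colinux ESMTP Exim 3.36 #1 Sun, 08 Jan 2006 08:16:28 +0000
TCP port 26 (unknown service): NOT LISTENING
UDP port 53 (domain service): LISTENING or FILTERED
"""

# "TCP port 25 (smtp service): LISTENING" -> proto, port, service, state
PORT_LINE = re.compile(r"^(TCP|UDP) port (\d+) \((.+?) service\): (.+)$")
BANNER_MARKER = "Data returned from port:"


def parse_scan_log(text):
    """Return a list of {proto, port, service, state, banner} dicts, one per port line.

    A banner marker applies to the most recent port; the banner text is
    either on the marker line itself or on the non-empty lines that follow
    it, up to the next port line.
    """
    results = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = PORT_LINE.match(line)
        if m:
            results.append({
                "proto": m.group(1),
                "port": int(m.group(2)),
                "service": m.group(3),
                "state": m.group(4).strip(),
                "banner": None,
            })
        elif line.startswith(BANNER_MARKER) and results:
            rest = line[len(BANNER_MARKER):].strip()
            banner = [rest] if rest else []
            j = i + 1
            while j < len(lines) and not PORT_LINE.match(lines[j].strip()):
                if lines[j].strip():
                    banner.append(lines[j].strip())
                j += 1
            results[-1]["banner"] = "\n".join(banner) or None
            i = j
            continue
        i += 1
    return results


def open_ports(text):
    """Keep only ports PortQry could not rule out: LISTENING, and for UDP
    'LISTENING or FILTERED' (no reply, so the port may be filtered instead)."""
    return [r for r in parse_scan_log(text) if r["state"].startswith("LISTENING")]


if __name__ == "__main__":
    for r in open_ports(SAMPLE_SCAN_LOG):
        banner = f" -- {r['banner']}" if r["banner"] else ""
        print(f"{r['proto']} {r['port']} ({r['service']}): {r['state']}{banner}")
```

Point the script at the real portscan.txt by reading the file into a string and passing it to open_ports(); the UDP entries are worth reviewing separately, since a filtered port and a listening one look the same to PortQry.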
Using PortQry to watch for Trojans
In order to demonstrate this we'll use PortQry in local mode. A complete log of the program being executed on my PC can be found @ http://www.aoaddicts.net/htregz/portqry/local.txt. This can be useful for tracking down exactly which application has an established connection. Let's take a look at some of the output in the file and then examine how this can help us track down any nasty malware that's opening or using our ports.
Let's look at how it helps me break down IP communication to my PC.
First I'm given a complete statistical breakdown of protocols and states.
Code:
Port Statistics

TCP mappings: 96
UDP mappings: 20

TCP ports in a LISTENING state:     11 = 11.46%
TCP ports in a SYN SENT state:       1 = 1.04%
TCP ports in a SYN RECEIVED state:   1 = 1.04%
TCP ports in a ESTABLISHED state:   57 = 59.38%
TCP ports in a FIN WAIT-1 state:     5 = 5.21%
TCP ports in a CLOSE WAIT state:     4 = 4.17%
TCP ports in a TIME WAIT state:     17 = 17.71%

I'm also given detailed breakdowns by process and process ID.
Code:
======================================================
Process ID: 2164 (BitComet.exe)
Process doesn't appear to be a service

PID   Port   Local IP        State         Remote IP:Port
2164  TCP  12642  0.0.0.0        LISTENING     0.0.0.0:4155
2164  TCP   1887  192.168.1.100  ESTABLISHED   70.24.22.110:7795
2164  TCP   2076  192.168.1.100  ESTABLISHED   172.202.108.108:14218
2164  TCP   2124  192.168.1.100  ESTABLISHED   84.48.36.33:6881
2164  TCP   2140  192.168.1.100  ESTABLISHED   65.95.239.178:6881
2164  TCP   2210  192.168.1.100  ESTABLISHED   70.48.118.234:32459
2164  TCP   2287  192.168.1.100  ESTABLISHED   24.0.213.39:20002
2164  TCP   2298  192.168.1.100  ESTABLISHED   24.36.208.215:6881
2164  TCP   2305  192.168.1.100  ESTABLISHED   24.74.134.230:28100
2164  TCP   2306  192.168.1.100  ESTABLISHED   12.217.47.125:6882
2164  TCP   2309  192.168.1.100  ESTABLISHED   64.81.136.203:43212
2164  TCP   2310  192.168.1.100  ESTABLISHED   82.24.44.72:6881
2164  TCP   2311  192.168.1.100  ESTABLISHED   24.70.130.26:49200
2164  TCP   2319  192.168.1.100  ESTABLISHED   71.195.85.249:6881
2164  TCP   2322  192.168.1.100  ESTABLISHED   24.5.230.153:21345
2164  TCP   2323  192.168.1.100  ESTABLISHED   24.87.73.13:6881
2164  TCP   2325  192.168.1.100  ESTABLISHED   24.37.43.204:6881
2164  TCP   2326  192.168.1.100  ESTABLISHED   62.131.87.190:51015
2164  TCP   2327  192.168.1.100  ESTABLISHED   68.107.65.68:16151
2164  TCP   2331  192.168.1.100  ESTABLISHED   24.0.238.181:6881
2164  TCP   2333  192.168.1.100  ESTABLISHED   64.231.136.17:32250
2164  TCP   2338  192.168.1.100  ESTABLISHED   145.94.79.173:6346
2164  TCP   2339  192.168.1.100  ESTABLISHED   24.68.15.196:6881
2164  TCP   2343  192.168.1.100  ESTABLISHED   84.48.83.59:49152
2164  TCP   2346  192.168.1.100  ESTABLISHED   24.76.66.18:6881
2164  TCP   2347  192.168.1.100  ESTABLISHED   81.79.130.230:10810
2164  TCP   2355  192.168.1.100  ESTABLISHED   24.180.216.170:65500
2164  TCP   2412  192.168.1.100  ESTABLISHED   142.166.201.31:22628
2164  TCP   2439  192.168.1.100  ESTABLISHED   12.210.9.136:6881
2164  TCP   2608  192.168.1.100  ESTABLISHED   59.167.61.87:6881
2164  TCP   2609  192.168.1.100  FIN WAIT-1    82.39.210.171:6881
2164  TCP  12642  192.168.1.100  ESTABLISHED   12.208.111.144:2387
2164  TCP  12642  192.168.1.100  FIN WAIT-1    12.216.165.127:4269
2164  TCP  12642  192.168.1.100  ESTABLISHED   12.221.46.141:3428
2164  TCP  12642  192.168.1.100  ESTABLISHED   24.43.107.37:1816
2164  TCP  12642  192.168.1.100  ESTABLISHED   24.43.107.37:1962
2164  TCP  12642  192.168.1.100  ESTABLISHED   24.84.208.190:4291
2164  TCP  12642  192.168.1.100  ESTABLISHED   24.87.12.178:4480
2164  TCP  12642  192.168.1.100  ESTABLISHED   24.171.1.44:32937
2164  TCP  12642  192.168.1.100  ESTABLISHED   65.43.221.86:4183
2164  TCP  12642  192.168.1.100  ESTABLISHED   69.193.226.114:4894
2164  TCP  12642  192.168.1.100  ESTABLISHED   69.194.43.235:61264
2164  TCP  12642  192.168.1.100  ESTABLISHED   70.27.71.95:4062
2164  TCP  12642  192.168.1.100  ESTABLISHED   70.29.248.247:3846
2164  TCP  12642  192.168.1.100  FIN WAIT-1    70.30.118.53:3451
2164  TCP  12642  192.168.1.100  ESTABLISHED   70.31.152.69:4685
2164  TCP  12642  192.168.1.100  FIN WAIT-1    70.231.164.158:1748
2164  TCP  12642  192.168.1.100  ESTABLISHED   70.244.245.131:4280
2164  TCP  12642  192.168.1.100  ESTABLISHED   72.38.228.89:61081
2164  TCP  12642  192.168.1.100  ESTABLISHED   72.38.231.205:4342
2164  TCP  12642  192.168.1.100  ESTABLISHED   72.38.231.205:4684
2164  TCP  12642  192.168.1.100  ESTABLISHED   72.38.231.205:4890
2164  TCP  12642  192.168.1.100  FIN WAIT-1    81.77.84.204:3537
2164  TCP  12642  192.168.1.100  ESTABLISHED   82.37.184.78:2728
2164  TCP  12642  192.168.1.100  ESTABLISHED   83.18.144.10:1624
2164  TCP  12642  192.168.1.100  ESTABLISHED   154.5.31.84:1994
2164  TCP  12642  192.168.1.100  SYN RECEIVED  219.79.204.244:4597
2164  UDP  12642  0.0.0.0        *:*
======================================================

As you can see I'm connected to a large number of hosts for the file I'm downloading through BitTorrent... but if I saw a strange IP showing up that I didn't recognise, I could simply check this list and see whether it was connecting because of my current torrent downloads. The process is identified, as is the process ID, and then all the connections and their current states.
Let's look at what this will do for us with services as well. We'll use one of the running copies of svchost and look at how it helps us break it down.
Code:
Process ID: 1076 (svchost.exe)

Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

PID   Port   Local IP   State       Remote IP:Port
1076  TCP  3389  0.0.0.0   LISTENING   0.0.0.0:2144

As you can see we get the Name and Type of each service, so we can see which services are running inside svchost. TermService also opens a port (3389), and we see that it is listening, all in one nice neat chart.
Now let's go on to malware detection. I'm going to use netcat in this case to open the ports for testing purposes... but I think you already know where this is going. You can view the logfile with my 'malware' running @ http://www.aoaddicts.net/htregz/port...al-malware.txt
As you can easily see... an application that I was previously unaware of has opened a port on my PC and is listening for connections.
Code:
======================================================
Process ID: 2980 (nc.exe)
Process doesn't appear to be a service

PID   Port   Local IP   State       Remote IP:Port
2980  TCP   666  0.0.0.0   LISTENING   0.0.0.0:2080
======================================================

This is one of the best features of PortQry in my opinion. It could be handy, installed on each machine in a domain in conjunction with PsTools (or in a script), to check the current port activity on end-user machines.
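To turn the local-mode report into the kind of automated check described here (run on each machine, compared against what is expected), the following Python script, an added example and not part of the tutorial or of PortQry, parses the per-process blocks that portqry -local prints and flags any TCP LISTENING port whose owning image is not in a baseline. The baseline and the sample report are constructed from the svchost.exe, nc.exe and BitComet.exe snippets in this post; the format of the rows is the one shown above.

```python
"""Flag unexpected listeners in PortQry -local output (added example)."""
import re
from collections import defaultdict

# Constructed sample: three process blocks in the -local report format.
SAMPLE_LOCAL_OUTPUT = """\
======================================================
Process ID: 1076 (svchost.exe)

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services

PID   Port   Local IP         State         Remote IP:Port
1076  TCP    3389   0.0.0.0   LISTENING     0.0.0.0:2144
======================================================
Process ID: 2980 (nc.exe)
Process doesn't appear to be a service

PID   Port   Local IP         State         Remote IP:Port
2980  TCP    666    0.0.0.0   LISTENING     0.0.0.0:2080
======================================================
Process ID: 2164 (BitComet.exe)
Process doesn't appear to be a service

PID   Port   Local IP         State         Remote IP:Port
2164  TCP    12642  0.0.0.0        LISTENING    0.0.0.0:4155
2164  TCP    1887   192.168.1.100  ESTABLISHED  70.24.22.110:7795
2164  TCP    2609   192.168.1.100  FIN WAIT-1   82.39.210.171:6881
2164  UDP    12642  0.0.0.0        *:*
======================================================
"""

PROCESS_RE = re.compile(r"^Process ID:\s+(\d+)\s+\((.+?)\)\s*$")
# State may contain spaces ("FIN WAIT-1"), so match it lazily up to the remote endpoint.
TCP_ROW_RE = re.compile(r"^(\d+)\s+TCP\s+(\d+)\s+(\S+)\s+(.+?)\s+(\S+)\s*$")
UDP_ROW_RE = re.compile(r"^(\d+)\s+UDP\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_local_report(text):
    """Return {pid: {"image": name, "tcp": [(port, local_ip, state, remote)], "udp": [(port, local_ip)]}}."""
    processes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            current = processes.setdefault(
                int(m.group(1)), {"image": m.group(2), "tcp": [], "udp": []})
            continue
        if current is None:
            continue
        m = TCP_ROW_RE.match(line)
        if m:
            current["tcp"].append((int(m.group(2)), m.group(3), m.group(4), m.group(5)))
            continue
        m = UDP_ROW_RE.match(line)
        if m:
            current["udp"].append((int(m.group(2)), m.group(3)))
    return processes


def listening_tcp_ports(processes):
    """Map each image name (lower-case) to the sorted TCP ports it holds in LISTENING state."""
    listeners = defaultdict(set)
    for info in processes.values():
        for port, _local, state, _remote in info["tcp"]:
            if state == "LISTENING":
                listeners[info["image"].lower()].add(port)
    return {image: sorted(ports) for image, ports in listeners.items()}


# Constructed baseline: images expected to listen on this machine and on which TCP ports.
BASELINE = {
    "svchost.exe": {3389},
    "bitcomet.exe": {12642},
}


def unexpected_listeners(processes, baseline=BASELINE):
    """Return [(image, port)] for every LISTENING TCP port the baseline does not account for."""
    findings = []
    for image, ports in sorted(listening_tcp_ports(processes).items()):
        allowed = baseline.get(image, set())
        findings.extend((image, port) for port in ports if port not in allowed)
    return findings


if __name__ == "__main__":
    report = parse_local_report(SAMPLE_LOCAL_OUTPUT)
    for image, port in unexpected_listeners(report):
        print(f"UNEXPECTED LISTENER: {image} on TCP {port}")
```

Feed it the output of portqry -local -l logfile.txt from each host and maintain the baseline per machine role; anything the baseline does not cover, like the nc.exe listener on port 666 above, is what you go and look at.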
Let's take a look now at the last real feature of PortQry before we move on to some of the things that we can do with it.
Monitoring a Port/Service
We can monitor local ports (or services attached to those ports) quite simply using portqry.
Code:
D:\Program Files\Support Tools>portqry -wport 25 -wt 2

PortQry Version 2.0

Watching port: 25
Checking for changes every 2 seconds
**press escape to stop watching port

============
System Date: Sun Jan 08 02:46:07 2006

PID   Port   Local IP   State       Remote IP:Port
3060  TCP    25  0.0.0.0   LISTENING   0.0.0.0:38958

Port Statistics

TCP mappings: 1
UDP mappings: 0

TCP ports in a LISTENING state: 1 = 100.00%

============
System Date: Sun Jan 08 02:46:14 2006

============
System Date: Sun Jan 08 02:46:14 2006

Specified port currently does not have any port mappings

TCP mappings: 0
UDP mappings: 0

PID   Port   Local IP   State       Remote IP:Port

Port Statistics

TCP mappings: 0
UDP mappings: 0

What I did was tell portqry to monitor port 25 on my system and keep an eye on its status (checking every 2 seconds). When I started the process, port 25 was closed. I then proceeded to open netcat listening on port 25. The first group of italics was produced as soon as it saw that the port was now listening. The second group of italics shows that the port was closed (I killed netcat) and that there's now nothing listening. In essence that's all there is to port monitoring.
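The alerting script the author plans in the closing paragraph would need to spot the moments the watched port changes state. This Python function is an added example (not the original post's or PortQry's code): it reads the -wport output format shown above, takes one snapshot per "System Date" block, and reports only the transitions, so repeated blocks with the same state produce no new event. The sample text is constructed from the monitoring output in this section, with a third, unchanged block added to show the de-duplication.

```python
"""Turn a PortQry -wport log into a list of state changes (added example)."""
import re

# Constructed sample in the -wport output format.
SAMPLE_WATCH_LOG = """\
Watching port: 25
Checking for changes every 2 seconds
**press escape to stop watching port

============
System Date: Sun Jan 08 02:46:07 2006

PID   Port   Local IP   State       Remote IP:Port
3060  TCP    25  0.0.0.0   LISTENING   0.0.0.0:38958

Port Statistics
TCP mappings: 1
UDP mappings: 0
TCP ports in a LISTENING state: 1 = 100.00%

============
System Date: Sun Jan 08 02:46:14 2006
Specified port currently does not have any port mappings
TCP mappings: 0
UDP mappings: 0

PID   Port   Local IP   State       Remote IP:Port

============
System Date: Sun Jan 08 02:46:16 2006
Specified port currently does not have any port mappings
TCP mappings: 0
UDP mappings: 0
"""

DATE_RE = re.compile(r"^System Date:\s+(.+)$")
# Connection rows: PID, TCP, local port, local IP, state (may contain spaces), remote.
ROW_RE = re.compile(r"^(\d+)\s+TCP\s+(\d+)\s+(\S+)\s+(.+?)\s+(\S+)$")


def parse_watch_log(text):
    """Return [(timestamp, frozenset of (pid, state))], one snapshot per System Date block."""
    snapshots = []
    stamp, rows = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = DATE_RE.match(line)
        if m:
            if stamp is not None:
                snapshots.append((stamp, frozenset(rows)))
            stamp, rows = m.group(1), set()
            continue
        m = ROW_RE.match(line)
        if m and stamp is not None:
            rows.add((int(m.group(1)), m.group(4)))
    if stamp is not None:
        snapshots.append((stamp, frozenset(rows)))
    return snapshots


def state_changes(text):
    """Collapse snapshots into [(timestamp, description)], emitted only when the
    set of PIDs listening on the watched port differs from the previous snapshot."""
    events = []
    previous = None
    for stamp, rows in parse_watch_log(text):
        listeners = sorted(pid for pid, state in rows if state == "LISTENING")
        if listeners != previous:
            if listeners:
                desc = "LISTENING (PID " + ", ".join(str(p) for p in listeners) + ")"
            else:
                desc = "no process listening"
            events.append((stamp, desc))
            previous = listeners
    return events


if __name__ == "__main__":
    for stamp, desc in state_changes(SAMPLE_WATCH_LOG):
        print(f"{stamp}: {desc}")
```

Run portqry -wport 25 -wt 2 -l watch.txt and pass the file contents to state_changes(); each returned event is a point at which a notification (mail, SMS, whatever the author's VBS script ends up sending) would be worth raising.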
There's not a lot here... just an introduction for those of you that haven't used it before.... I've got a few uses for this that I'm going to use to kill some time at work... I'm going to create a VBS script to monitor the services on a machine and email me when they go down (perhaps SMS)... I'm also going to create a Python script to parse the log files and leave only open ports... Perhaps I'll do it with VBS as well.... If I can get -q to work, I'll also create some scripts around that... I'm also working on one troubleshooting script that will run a little bit of everything and return all the results formatted.... I'll turn those all into an Advanced Tutorial on PortQry.... for now here are the basics..
Peace,
HT