Netstat and open ports

Hi everyone

I have XP Pro SP2 which is fully updated, connected to ADSL via a router. I read an old thread (about 18 months old) on another forum about person X doing a port scan, finding ports 139 and 445 open and then getting into the remote computer to see what was there. He said that there wasn't anything "interesting" and it hadn't been worth the effort. I'm not asking about how he managed to get into the other PC (I know that I'd get some terse comments!) but I'd like to know about checking open ports and closing them. I ran netstat -a and received the following output:

Active Connections

Proto Local Address Foreign Address State
TCP ComputerName:echo ComputerName:0 LISTENING
TCP ComputerName:discard ComputerName:0 LISTENING
TCP ComputerName:daytime ComputerName:0 LISTENING
TCP ComputerName:qotd ComputerName:0 LISTENING
TCP ComputerName:chargen ComputerName:0 LISTENING
TCP ComputerName:epmap ComputerName:0 LISTENING
TCP ComputerName:microsoft-ds ComputerName:0 LISTENING
TCP ComputerName:1045 ComputerName:0 LISTENING
TCP ComputerName:1899 localhost:1898 TIME_WAIT
TCP ComputerName:netbios-ssn ComputerName:0 LISTENING
TCP ComputerName:echo ComputerName:0 LISTENING 0
TCP ComputerName:discard ComputerName:0 LISTENING 0
TCP ComputerName:daytime ComputerName:0 LISTENING 0
TCP ComputerName:qotd ComputerName:0 LISTENING 0
TCP ComputerName:chargen ComputerName:0 LISTENING 0
TCP ComputerName:epmap ComputerName:0 LISTENING 0
UDP ComputerName:echo *:*
UDP ComputerName:discard *:*
UDP ComputerName:daytime *:*
UDP ComputerName:qotd *:*
UDP ComputerName:chargen *:*
UDP ComputerName:snmp *:*
UDP ComputerName:microsoft-ds *:*
UDP ComputerName:isakmp *:*
UDP ComputerName:1025 *:*
UDP ComputerName:1052 *:*
UDP ComputerName:1062 *:*
UDP ComputerName:1234 *:*
UDP ComputerName:1604 *:*
UDP ComputerName:3544 *:*
UDP ComputerName:4500 *:*
UDP ComputerName:ntp *:*
UDP ComputerName:1090 *:*
UDP ComputerName:1900 *:*
UDP ComputerName:ntp *:*
UDP ComputerName:netbios-ns *:*
UDP ComputerName:netbios-dgm *:*
UDP ComputerName:router *:*
UDP ComputerName:1601 *:*
UDP ComputerName:1900 *:*
UDP ComputerName:47393 *:*
UDP ComputerName:echo *:*
UDP ComputerName:discard *:*
UDP ComputerName:daytime *:*
UDP ComputerName:qotd *:*
UDP ComputerName:chargen *:*

whilst netstat -a -n gave me this:

Proto Local Address Foreign Address State
TCP 0.0.0.0:7 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13 0.0.0.0:0 LISTENING
TCP 0.0.0.0:17 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1045 0.0.0.0:0 LISTENING
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP [::]:7 [::]:0 LISTENING 0
TCP [::]:9 [::]:0 LISTENING 0
TCP [::]:13 [::]:0 LISTENING 0
TCP [::]:17 [::]:0 LISTENING 0
TCP [::]:19 [::]:0 LISTENING 0
TCP [::]:135 [::]:0 LISTENING 0
UDP 0.0.0.0:7 *:*
UDP 0.0.0.0:9 *:*
UDP 0.0.0.0:13 *:*
UDP 0.0.0.0:17 *:*
UDP 0.0.0.0:19 *:*
UDP 0.0.0.0:161 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1052 *:*
UDP 0.0.0.0:1062 *:*
UDP 0.0.0.0:1234 *:*
UDP 0.0.0.0:1604 *:*
UDP 0.0.0.0:3544 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1090 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.2:123 *:*
UDP 192.168.0.2:137 *:*
UDP 192.168.0.2:138 *:*
UDP 192.168.0.2:520 *:*
UDP 192.168.0.2:1601 *:*
UDP 192.168.0.2:1900 *:*
UDP 192.168.0.2:46085 *:*
UDP [::]:7 *:*
UDP [::]:9 *:*
UDP [::]:13 *:*
UDP [::]:17 *:*
UDP [::]:19 *:*

I have a few questions:

firstly, my port 445 seems to be open so do I need to worry or do anything about it?

second, I had Outlook open when I ran the netstat commands. As far as I know, it uses SMTP and POP3 so why aren't ports 25 and 110 mentioned as being open or "listening"; and

finally, what exactly do the entries such as "ComputerName:discard" and "ComputerName:chargen" mean in the first listing? They "map" directly to 0.0.0.0:9 and 0.0.0.0:19 in the second.

Sorry that this has been such a long post and the nicely tabbed netstat output hasn't been retained. I looked for tags to enclose the netstat outputs but couldn't find any.

Thanks for your time (and patience!).

Assuming you don't have ports 445,139 forwarded on your router they shouldn't be accessible remotely.

As for Outlook it would use SMTP and POP3 when sending/receiving mail, maybe it was not sending/receiving at the time you ran the netstat command.

After some quick googling it seems the chargen and discard entries are protocols intended for testing purposes. Anything sent to the port is thrown away using the discard protocol. The chargen protocol generates random characters and sends them back to the host connecting to the port. I assume its just a way to test if a computer is up/down or can send/receive data?

Hope this helps.

Oh and first post!! :):)

The best principle to use is if you aren't using it, turn it off. The only time you need something listening is if a service is operating as a service that should be accessible over the network. If you see 0.0.0.0 as the address, that is shorthand for the daemon is listening to every NIC/IP address on your system, which is only relevant on systems with multiple IPs...most service configurations will allow you to bind to a specific IP if you so chose...127.0.0.1 is the IP address of the loopback interface, which is shorthand for referencing yourself...it is only reachable by your computer and isn't as large of a risk.

Just a couple of generic pointers:

1) Since you are using XP SP2, use netstat -nab. Much more useful b/c it shows you WHAT program has the port open (and the port and state of the port)...rather than having to guess what program has it open...

2) These are garbage and should never be needed in a normal environment...disable/turn them off:

Quote:

TCP ComputerName:echo ComputerName:0 LISTENING
TCP ComputerName:discard ComputerName:0 LISTENING
TCP ComputerName:daytime ComputerName:0 LISTENING
TCP ComputerName:qotd ComputerName:0 LISTENING
TCP ComputerName:chargen ComputerName:0 LISTENING
TCP ComputerName:echo ComputerName:0 LISTENING 0
TCP ComputerName:discard ComputerName:0 LISTENING 0
TCP ComputerName:daytime ComputerName:0 LISTENING 0
TCP ComputerName:qotd ComputerName:0 LISTENING 0
TCP ComputerName:chargen ComputerName:0 LISTENING 0
UDP ComputerName:echo *:*
UDP ComputerName:discard *:*
UDP ComputerName:daytime *:*
UDP ComputerName:qotd *:*
UDP ComputerName:chargen *:*
UDP ComputerName:echo *:*
UDP ComputerName:discard *:*
UDP ComputerName:daytime *:*
UDP ComputerName:qotd *:*
UDP ComputerName:chargen *:*

3) These are probably not needed and shouldn't be used unless properly configured/locked down (which brings up another question...is your system acting like a router for some odd reason? Think router is also known as RIP...i forget offhand)...

Quote:

UDP ComputerName:snmp *:*
UDP ComputerName:ntp *:*
UDP ComputerName:ntp *:*
UDP ComputerName:router *:*

4) As far as netbios (tcp/139 tcp/445 udp/137-138): Are you sharing a drive/printer from your system to other users on the network? If not, disable your server service. Are you using someone elses drives/printers? If not disable your workstation/computer browser services.

5) Lastly, Blackviper has happily returned, have a look:
http://www.blackviper.com/WinXP/servicecfg.htm

You'll find that as you disable services running in the background, you'll see less programs listening on network connections/ports and you should also find that your system is running faster since you aren't wasting cycles/memory on programs you aren't using...

@ gambL: Thank you - a useful first post (well, I think so!). No, I don't have any port forwarding set in the router. It's logical that neither SMTP nor POP3 was displayed so I got Outlook to Send/Receive and then ran netstat again. The list mentioned POP3 but didn't show it's port. I'll look into this further when I've disabled the "rubbish" (as below).

@nebulus2000: Yes, I've played around with the -b switch and seen the output. I'm interested to see that there are unnecessary entries and I'm keen to disable them ... but how? I haven't (to my knowledge) set the laptop up as a router. It's the only one attached to the ADSL router so I guess that I should also disable the entries that you listed in 3)?

I have had file and printer sharing enabled (when I had another laptop attached via a cross-over cable) so I guess that by disabling that in TCP/IP properties, it should get rid of the netbios-related entries mentioned in 4)?

My system is running a little slowly and I was contemplating reinstalling the OS. Maybe these recommended tweaks will prevent my having to do that (not something I do without good reason!).

I remember looking for Blackviper a while ago - I'll check it out.

Thanks again for the input.

I've been thinking - as I was connected to the internet whilst I ran Netstat to get the outputs which I gave, why isn't there reference to either port 80 or 8080? Does it relate somehow to the fact that I'm behind an ADSL router? I haven't changed any of the router firewall settings. If this is the case, how can I check what ports I have open to the "outside world"? I'm so confused now!

Quote:

Assuming you don't have ports 445,139 forwarded on your router they shouldn't be accessible remotely.

Most routers/switches do forward this traffic, hence, worm propigation...

Quote:

As far as netbios (tcp/139 tcp/445 udp/137-138): Are you sharing a drive/printer from your system to other users on the network? If not, disable your server service. Are you using someone elses drives/printers? If not disable your workstation/computer browser services.

Another way to disable CIFS (port 445) is to disable NetBIOS over TCP by simply clicking a checkbox in the advanced properties of TCP/IP.

Quote:

second, I had Outlook open when I ran the netstat commands. As far as I know, it uses SMTP and POP3 so why aren't ports 25 and 110 mentioned as being open or "listening"

It doesn't matter if the outlook client is open. It matters what the connection state is when you perform netstat. Unless you executed netstat during the time wait period of the mail send/receive, you're not going to see the ports in use. POP3 and SMTP are not running as a service on your host, hence, you're not going to see them in your output all the time. For a better look at what's happening, download a tool called TCPview (google it) and you can watch your system in (almost) realtime rather than snapshotting it with netstat. Or simply click send/receive in outlook then immediately do a netstat. You'll see port 110 in time wait.

Quote:

finally, what exactly do the entries such as "ComputerName:discard" and "ComputerName:chargen" mean in the first listing? They "map" directly to 0.0.0.0:9 and 0.0.0.0:19 in the second

Chargen and discard are legacy services that have virtually no use anymore. Old skoolers like myself remember them fondly from the "80s". Trace route and ping (via ICMP) have long since replaced Chargen and discard. These two protocols were the network testing tools back in the day.

Turn them off. They can only lead to trouble.

Quote:

These are probably not needed and shouldn't be used unless properly configured/locked down (which brings up another question...is your system acting like a router for some odd reason? Think router is also known as RIP...i forget offhand)...

Seems he has every service under the sun running on this host. The cause of seeing "router" is that he has the Routing and Remote Access Service turned on. A dead give away is that I saw SNMP running also. So, yes, he has IP forwarding turned on.

Quote:

If you see 0.0.0.0 as the address, that is shorthand for the daemon is listening to every NIC/IP address on your system

Technically, this is incorrect. Yes, I'm nit picky. :) The proper terminology here is "any". Simply put, when you see 0.0.0.0 it means "any" not, "every". It's a matter of sounding like a computer professional or a hobbyist. Use the term any instead. :)

--TH13

Quote:

Chargen and discard are legacy services that have virtually no use anymore. Old skoolers like myself remember them fondly from the "80s". Trace route and ping (via ICMP) have long since replaced Chargen and discard.

This is interesting, I have NEVER seen them on windows machine and I have a large network to monitor. What turns this on typically, IP forwarding, some opern source code ported from Linux? Or more likely a skiddie toolkit. ;)

Quote:

Originally Posted by thehorse13

Most routers/switches do forward this traffic, hence, worm propigation...

Another way to disable CIFS (port 445) is to disable NetBIOS over TCP by simply clicking a checkbox in the advanced properties of TCP/IP.

I have NetBIOS over TCP/IP disabled - I was told by someone previously that I should do this. Do you have any other ideas about disabling port 445?

Quote:

... For a better look at what's happening, download a tool called TCPview (google it) and you can watch your system in (almost) realtime rather than snapshotting it with netstat. Or simply click send/receive in outlook then immediately do a netstat. You'll see port 110 in time wait.

I'm fairly sure that I have Sysinternals TCPview in my "tools library" somewhere but haven't used it. I'll have a look into it.

Quote:

Chargen and discard are legacy services that have virtually no use anymore. Old skoolers like myself remember them fondly from the "80s". Trace route and ping (via ICMP) have long since replaced Chargen and discard. These two protocols were the network testing tools back in the day.

Turn them off. They can only lead to trouble.

How do I turn them off?

I looked into the other "odd" ports (echo, daytime etc.) and it suggested that daytime is part of the NTP. Am I correct in thinking that this relates to the regular clock update that my laptop does to make sure that the time displayed is correct? If so, I'd better leave that one there!

Quote:

... The cause of seeing "router" is that he has the Routing and Remote Access Service turned on. A dead give away is that I saw SNMP running also. So, yes, he has IP forwarding turned on.

I'm lost now so I'd better do some googling! I suspect that I need to go into the Services application and disable the Routing and Remote Access Service?

Many thanks for the detailed response. Who knows, I might just get my head around this!

Quote:

I have NetBIOS over TCP/IP disabled - I was told by someone previously that I should do this. Do you have any other ideas about disabling port 445?

Me personally, I just did the following below on my box xp with sp2 works perfect.

How to disable port 445?
You can easily disable port 445 on your computer. To do so follow these instructions:
Start Registry Editor (Regedit.exe).
Locate the following key in the registry:
HKLM\System\CurrentControlSet\
Services\NetBT\Parameters
In the right-hand side of the window find an option called TransportBindName.
Double click that value, and then delete the default value, thus giving it a blank value.
Close the registry editor.
Reboot your computer.
After rebooting open a command prompt and in it type
netstat -an
See that your computer no longer listens to port 445.

PS full artice can be found here.
http://www.petri.co.il/what's_port_4...2k_xp_2003.htm

@Computernerd22: that's a coincidence! I just did some googling, came across the same article and did just that. I agree that it works like a charm. I came back here to post (for others' benefit) but you beat me to it (Grr!).

One other thing is about port 135. I came across a complicated article which mentioned disabling RPC. Mine is set to start automatically. I don't think that I need it on a single laptop behind an ADSL router. What I could understand mentioned that it would be needed in a large (client/server) network. The article also mentioned disabling things like Windows Time, SSDP Discovery Services, Remote Desktop Help Servives Manager, Com+ Event System, Com+ System Application, System Event Notification (do I really want to do that?) and Task Scheduler (do I really want to do that either?). I've never heard of most of these so I'm relatively happy to disable them but there are some which I think I ought to keep. Any comments?