Wednesday, January 30, 2008

Determining Which Ports Are Active

To restrict the use of open ports, you need to know which ports are active on your system and which programs are using them. Although no single tool provides all the information you need, you can piece together the answers with a few tools and investigative skills. The instructions in this section show you how to combine the information provided by several tools to trace the program that is listening on a particular port.

When port sleuthing, it's often useful to have a list of programs that commonly use a particular port. Table 17-1 presented a list of the most common ports earlier in this chapter; a complete listing of the official assignments is at http://www.iana.org/assignments/port-numbers. When tracking down Trojan horse programs, you might also want a list of the ports they commonly use. The Network Ice site maintains a list organized by port number at http://www.iss.net/security_center/advice/Exploits/Ports/default.htm.

NOTE
--------------------------------------------------------------------------------

Trojan horse programs often use port numbers that are also used by legitimate programs and system components. Do not assume that a system has been infected simply because you see a program listening on a port number that is known to be used by a particular Trojan horse. For example, the "Sockets de Trois" Trojan often uses port 5000, but so does the legitimate Simple Service Discovery Protocol (SSDP) Discovery Service.
Task Manager, shown in Figure 17-1, is an important tool because it tells you what processes are running. To open Task Manager, press Ctrl+Shift+Esc. Click the Processes tab and be sure the Show Processes From All Users check box is selected. To sort by one of the columns, click the column heading; it's often convenient to sort by process identifier (PID) if you're looking up these numbers frequently. By default, Task Manager stays on top of all other windows, which can be annoying when you are working with multiple windows. You can turn off this option by choosing Options, Always On Top.


Figure 17-1. Task Manager provides the list of process identifier numbers you need to track down port usage.
TIP
--------------------------------------------------------------------------------

In Windows XP, Task Manager doesn't display the PID on the Processes tab by default, but you can easily add it to the display. With the Processes tab showing, choose View, Select Columns. Then select PID (Process Identifier) and click OK.
Another valuable tool for the port tracker's kit is Tasklist (Windows XP) or Tlist (Windows 2000):

The Tasklist command is part of the standard installation for Windows XP, so it's available from a command prompt. The most useful command option for matching up services with the ports on which they are listening is the command tasklist /svc, which displays the names of the services along with the PID and the image (.exe file) hosting that service.
In Windows 2000, the Tlist command supplies comparable information. It is an optional component available on the Windows 2000 Professional CD. To install Tlist, navigate to the CD's \Support\Tools folder and run Setup. Once Tlist is installed, you can run it from a command prompt. The command that helps identify ports is tlist -s, which shows the services running.
As a starting point for investigation, the Netstat command-line program can provide much of the detail you need about ports. To use it, open a Command Prompt window. If you type in the simplest form of the command, netstat with no command-line arguments, the command shows which ports are being actively used. To find out which program is using each connection, add the -O (owner) argument to the command line. This argument displays the process identifier that has opened the connection. Using the PID displayed by Netstat, you can look up the name of the program in Task Manager.

TIP
--------------------------------------------------------------------------------

The Netstat, Tasklist, and Tlist commands have many options besides the ones mentioned here. To see a full list of the options available for a command, type the command name followed by -? at the command prompt.
Here are the results of a Netstat -O command executed immediately after connecting to the microsoft.com site with Internet Explorer:

Proto  Local Address    Foreign Address         State        PID
TCP    gargan:1125      microsoft.com:http      ESTABLISHED  1332
TCP    gargan:1126      microsoft.com:http      ESTABLISHED  1332
TCP    gargan:1127      c.microsoft.com:http    ESTABLISHED  1332

In this case, the PID is the process identifier for Internet Explorer, as you might expect. By default, Netstat shows the names of the addresses and ports rather than the numbers when the names are available. The local system name is Gargan, and the three local ports listed are dynamically allocated and given to Internet Explorer as needed. Because Internet Explorer specified the "keep-alive" option for its connections with Microsoft's Web server, each connection stays active for about a minute after the last request is made. If you click to another page on the Microsoft site, Internet Explorer reuses the existing connection to make the access faster.

If the system has no active connections on the network, the Netstat -O command shows nothing. However, every network-connected system is listening on at least a few ports, waiting for connections. The -A option for Netstat shows all ports that have any kind of activity, including a program listening on them. Combining the -A and -O options with the -N option tells Netstat to show the IP addresses and port numbers instead of names. If you enter netstat -aon, the output looks like this:

Proto  Local Address     Foreign Address   State       PID
TCP    0.0.0.0:135       0.0.0.0:0         LISTENING   944
TCP    0.0.0.0:445       0.0.0.0:0         LISTENING   4
TCP    0.0.0.0:1025      0.0.0.0:0         LISTENING   1044
TCP    0.0.0.0:1030      0.0.0.0:0         LISTENING   4
TCP    0.0.0.0:3389      0.0.0.0:0         LISTENING   1044
TCP    0.0.0.0:5000      0.0.0.0:0         LISTENING   1240
TCP    10.0.0.3:139      0.0.0.0:0         LISTENING   4
UDP    0.0.0.0:445       *:*                           4
UDP    0.0.0.0:1031      *:*                           1152
UDP    0.0.0.0:1049      *:*                           1152
UDP    10.0.0.3:123      *:*                           1044
UDP    10.0.0.3:137      *:*                           4
UDP    10.0.0.3:138      *:*                           4
UDP    10.0.0.3:1900     *:*                           1240
UDP    127.0.0.1:123     *:*                           1044
UDP    127.0.0.1:1900    *:*                           1240

Let's go through each item in this Netstat listing, which is typical for a system running Windows XP or Windows 2000. IP addresses, port numbers, and PIDs will vary on each system, of course.

The local IP addresses in the Netstat report all refer to the local system, although they're expressed in three ways. 0.0.0.0 means the port is bound on every address the system has, so it is reachable from any attached network; 127.0.0.1 is the loopback address, reachable only by programs on the same machine; and 10.0.0.3 is the address assigned to the system by the network's Dynamic Host Configuration Protocol (DHCP) server, so a port bound only there is reachable only through that adapter. The Foreign Address fields are all zeros for the TCP entries and *:* for the UDP entries. Both values indicate that the ports are waiting to receive a message from any IP address and any port; no connections are currently established.

Now you can determine which programs are listening on these ports, starting from the top of the list. According to the IANA's list of well-known ports, port 135 is epmap, the DCE/RPC Endpoint Mapper, which Windows documentation also calls the Microsoft Locator Service. Remote computers connect to this port on a destination computer to ask which dynamically assigned port a particular RPC service is using, so services do not have to sit on the same fixed port number on every system. On this particular system, the port is opened by PID 944, which the Task Manager listing shows is an instance of Svchost.exe. Tasklist tells you that this PID hosts the RPC subsystem (RPCSS).

TIP
--------------------------------------------------------------------------------

Filter the Tasklist output

When used with the /Fi switch, Tasklist displays information only about the particular task in which you're interested. For example, to see which service is running as PID 944, you could type tasklist /svc /fi "pid eq 944" at a command prompt. This command filters the output to include only lines in which the PID is equal to 944. The online help for Tasklist explains other parameters you can use with the /Fi switch.

The IANA lists port 445 (both TCP and UDP) as microsoft-ds: Microsoft's direct-hosted Server Message Block (SMB) over TCP, first implemented in Windows 2000. It carries the same file and printer sharing traffic as before but without the NetBIOS session layer, and it was designed to replace the NetBIOS over TCP transport used by older versions of Windows. (NetBIOS compatibility issues are discussed in "Inside Out: Securing the NetBIOS Ports.")

Port 1025 (TCP) is a dynamically assigned port, so the port number alone does not tell you what this port does. PID 1044, the process listening on it, is another instance of Svchost.exe, and this one hosts no fewer than 24 services (tasklist /svc lists them all). With the built-in tools alone, you cannot tell which of those 24 services actually opened the port; the fallback is the empirical approach used for port 123 below: stop one candidate service, rerun Netstat, and see whether the port disappears.

Port 1030, also a dynamically assigned port, is being used by PID 4, which is the System process.

Port 3389 (TCP) is for the Remote Desktop Protocol (RDP), also known as Terminal Services. Because both Remote Desktop and Fast User Switching are enabled on this system, this port must remain open to service those requests.

The IANA lists port 1900 (UDP) as the Simple Service Discovery Protocol (SSDP), the discovery mechanism used by Universal Plug and Play (UPnP); on Windows XP the UPnP support also opens port 5000 (TCP). Both ports here belong to PID 1240, the Svchost.exe instance hosting the SSDP Discovery Service. If that service is stopped, these ports no longer appear in the Netstat listing.

Ports 1031 and 1049 (UDP) are dynamically assigned ports, and they are being used by PID 1152, another Svchost.exe process. Task Manager shows that the process is owned by the Network Service user account. Looking at the list of services in the Services console, the only service currently running on this system that logs on as Network Service is the DNS Client service. The Tasklist display also shows PID 1152 hosting the Dnscache service, which is a good double-check. These are the ports from which the DNS Client sends its queries to the Domain Name System (DNS) server and on which it receives the replies; the service caches the answers so that later lookups of the same name are served locally. If the DNS Client service is stopped, the ports no longer appear in the Netstat listing.

For information about various services and using the Services console, see Shutting Down Unneeded Services.

Port 123 is assigned to the Network Time Protocol, so it is related to the Windows Time service. To confirm this, you can check its PID using Tasklist or Tlist. Alternatively, you can try an empirical test: Stop the Windows Time service. If the port disappears when you rerun Netstat, you've found the right program.
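The manual procedure above (read the PID from Netstat, find the image in Task Manager, find the hosted services with tasklist /svc) and the empirical stop-the-service test for port 123, as an added Python example that is not code from the book or from Microsoft's tools. It parses `netstat -aon` and `tasklist /svc /fo csv` output, joins them on PID, and reports which waiting ports disappear between two snapshots. The netstat text is this section's listing; the tasklist rows, the service names in them and the "after" snapshot are constructed to match its PIDs and are assumptions.

```python
"""Correlate netstat -aon with tasklist /svc and diff two netstat snapshots.
Added example, not code from the book or from Microsoft; the netstat text is
the listing on this page, the tasklist rows are constructed to match its PIDs."""
import csv
import io
import re
import subprocess
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote state pid")

# One netstat -aon row. UDP rows have no State column, so that group is
# optional; an IPv6 local such as [::]:135 still splits on its last colon.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return a Socket for every connection row; banner and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, addr, port, remote, state, pid = m.groups()
            sockets.append(Socket(proto, addr, int(port), remote, state or "", int(pid)))
    return sockets

def parse_tasklist(csv_text):
    """Map PID -> (image name, [service names]) from tasklist /svc /fo csv.
    Columns are taken by position, so a localized header row does not matter."""
    procs = {}
    for i, row in enumerate(csv.reader(io.StringIO(csv_text))):
        if i == 0 or len(row) < 3:
            continue
        services = [] if row[2] == "N/A" else row[2].split(",")
        procs[int(row[1])] = (row[0], services)
    return procs

def _accepts_traffic(s):
    """A port is waiting for unsolicited packets if it is a LISTENING TCP
    socket or any bound UDP socket, the two kinds in the netstat -aon listing."""
    return s.proto == "UDP" or s.state == "LISTENING"

def listening_ports(sockets, procs):
    """Join each waiting port with its owning image and the services that image
    hosts: the Netstat PID -> Task Manager -> Tasklist lookup the text does by hand."""
    rows = []
    for s in sorted(filter(_accepts_traffic, sockets),
                    key=lambda s: (s.proto, s.local_port, s.local_addr)):
        image, services = procs.get(s.pid, ("<not in tasklist>", []))
        rows.append((s.proto, f"{s.local_addr}:{s.local_port}", s.pid, image, ",".join(services)))
    return rows

def closed_ports(before, after):
    """Ports waiting in `before` that are gone in `after`: the empirical test of
    stopping one service and rerunning netstat to see which ports vanish."""
    key = lambda s: (s.proto, s.local_addr, s.local_port)
    still_open = {key(s) for s in after if _accepts_traffic(s)}
    return sorted(key(s) for s in before if _accepts_traffic(s) and key(s) not in still_open)

def live_snapshot():
    """Windows only: run the real commands and parse them (use an elevated
    prompt so every PID and service is reported)."""
    net = subprocess.run(["netstat", "-aon"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return parse_netstat(net), parse_tasklist(tl)

# Constructed sample: the page's netstat -aon listing plus the banner lines netstat prints.
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1240
  TCP    10.0.0.3:139           0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1031           *:*                                    1152
  UDP    0.0.0.0:1049           *:*                                    1152
  UDP    10.0.0.3:123           *:*                                    1044
  UDP    10.0.0.3:137           *:*                                    4
  UDP    10.0.0.3:138           *:*                                    4
  UDP    10.0.0.3:1900          *:*                                    1240
  UDP    127.0.0.1:123          *:*                                    1044
  UDP    127.0.0.1:1900         *:*                                    1240
"""
# Assumed "after" snapshot: the same system once the Windows Time service is stopped,
# so only the two port 123 rows are gone.
NETSTAT_AFTER = "\n".join(ln for ln in NETSTAT_BEFORE.splitlines() if ":123 " not in ln)

# Assumed tasklist /svc /fo csv output for the PIDs above (not from the page).
TASKLIST = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","944","RpcSs"
"svchost.exe","1044","Dhcp,TermService,W32Time,wuauserv"
"svchost.exe","1152","Dnscache"
"svchost.exe","1240","SSDPSRV"
'''

if __name__ == "__main__":
    before = parse_netstat(NETSTAT_BEFORE)
    for row in listening_ports(before, parse_tasklist(TASKLIST)):
        print("%-4s %-22s %5d  %-18s %s" % row)
    print("closed after stopping Windows Time:", closed_ports(before, parse_netstat(NETSTAT_AFTER)))
```

Run as-is to see the joined table for the sample; on a Windows machine, call `live_snapshot()` from an elevated prompt and pass the results to `listening_ports`, then stop the suspect service, take a second snapshot and feed both to `closed_ports`. The join only tells you which Svchost.exe instance owns a port, not which of its hosted services opened it, which is exactly why the before/after diff is still needed.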

Ports 137, 138, and 139 provide support for NetBIOS. In most Windows-based networks, NetBIOS is used to provide Windows file and printer sharing as well as computer name resolution.

INSIDEOUT
--------------------------------------------------------------------------------

Securing the NetBIOS ports

The most common use for NetBIOS today is to carry NetBIOS messages over TCP/IP, referred to as NetBT. This eliminates the need to install a different protocol such as NetBEUI or IPX just to carry local NetBIOS traffic. The security downside of NetBT is that careless configuration can result in opening your network to intruders and even broadcasting your vulnerability to everyone on your local Internet segment.

Preventing Internet intrusions via NetBT is actually quite simple. Do not under any circumstances bind the File And Printer Sharing For Microsoft Networks item to any Internet-connected network segment. (That is, if you examine the properties dialog box for the network connection that connects your computer to the Internet, File And Printer Sharing For Microsoft Networks should not be selected. It's okay—necessary, in fact, if you're sharing your computer's files or printers with other network users—to select this item in the properties dialog box for your local area network connection. If your computer connects to the Internet through another computer on your network, only that computer's Internet connection needs to have File And Printer Sharing For Microsoft Networks disabled.) Using Windows XP Internet Connection Firewall can also protect you. Alternatively, if you are using a hardware firewall, you are protected because the NetBIOS broadcasts are not passed through the firewall.

Starting with Windows 2000, Microsoft offers the direct-hosted SMB over TCP option (port 445). This protocol eliminates the need for NetBT in Windows file and printer sharing, which closes the NetBIOS ports and eliminates the broadcast messages that NetBT generates. However, there are several significant restrictions. Because SMB over TCP was introduced with Windows 2000 and is not supported by earlier versions, it cannot be used on networks that have Windows 95/98, Windows Me, or Windows NT clients; those clients can reach shares only over NetBT. Also, to eliminate NetBIOS as a name resolution agent, you must provide a DNS server that can resolve computer names for local addresses. Most small networks do not have their own DNS server and instead depend on the DNS server from their Internet service provider.

Given the restrictions of the new SMB over TCP option, most small networks will need to stay with NetBT. Again, this is not a significant security problem as long as File And Printer Sharing is enabled only for the internal network and not for the Internet networking link.
