Introduction
Our systems run many processes (services and applications) on a daily basis. Often these processes are designed for communication with remote systems and run as services that listen on assigned ports. In today's environment computers are often left powered on and connected to a network at all times.
This always-on mentality provides an endless window of opportunity for attackers to take advantage of vulnerabilities in these running processes. Therefore it is important not only to keep our systems patched but also to minimize the number of processes listening on them. We should only run processes that are necessary for the systems to function as desired, and disable and uninstall the rest. But how do we tell which processes have ports open and are listening on our systems?
The Netstat Command
On systems that have TCP/IP installed (which includes almost all systems), there is a command called Netstat. Netstat is a command line executable that displays various types of information about our network connections. If you run netstat with the "-?" option you will see the command line arguments available for gathering different pieces of information. We can use Netstat to display a list of active connections and listening ports on our system.
If we run the Netstat command from a Command Prompt on a Windows system, we get results similar to the following (results from a Windows 7 system):
C:\>netstat.exe -aon
Active Connections
  Proto  Local Address                          Foreign Address        State           PID
  TCP    0.0.0.0:135                            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445                            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357                           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152                          0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:49153                          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154                          0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:49155                          0.0.0.0:0              LISTENING       468
  TCP    0.0.0.0:49156                          0.0.0.0:0              LISTENING       476
  TCP    192.168.56.129:139                     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.129:49158                   65.55.17.26:80         ESTABLISHED     2988
  TCP    192.168.56.129:49160                   204.246.230.80:80      ESTABLISHED     2988
  TCP    192.168.56.129:49161                   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49162                   65.55.149.121:80       ESTABLISHED     2988
  TCP    192.168.56.129:49163                   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49164                   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49167                   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49168                   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49169                   65.55.15.242:80        ESTABLISHED     2988
  TCP    192.168.56.129:49172                   74.125.95.149:80       ESTABLISHED     2988
  TCP    192.168.56.129:49174                   204.246.230.113:80     ESTABLISHED     2988
  TCP    192.168.56.129:49175                   65.55.149.119:80       ESTABLISHED     2988
  TCP    192.168.56.129:49177                   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49178                   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49179                   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49180                   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49181                   66.35.45.201:80        ESTABLISHED     2988
  TCP    192.168.56.129:49182                   66.35.45.201:80        ESTABLISHED     2988
  TCP    [::]:135                               [::]:0                 LISTENING       668
  TCP    [::]:445                               [::]:0                 LISTENING       4
  TCP    [::]:5357                              [::]:0                 LISTENING       4
  TCP    [::]:49152                             [::]:0                 LISTENING       392
  TCP    [::]:49153                             [::]:0                 LISTENING       716
  TCP    [::]:49154                             [::]:0                 LISTENING       884
  TCP    [::]:49155                             [::]:0                 LISTENING       468
  TCP    [::]:49156                             [::]:0                 LISTENING       476
  UDP    0.0.0.0:3702                           *:*                                    1412
  UDP    0.0.0.0:3702                           *:*                                    1412
  UDP    0.0.0.0:5355                           *:*                                    1164
  UDP    0.0.0.0:64181                          *:*                                    1412
  UDP    127.0.0.1:1900                         *:*                                    1412
  UDP    127.0.0.1:61166                        *:*                                    1412
  UDP    127.0.0.1:62646                        *:*                                    2988
  UDP    192.168.56.129:137                     *:*                                    4
  UDP    192.168.56.129:138                     *:*                                    4
  UDP    192.168.56.129:1900                    *:*                                    1412
  UDP    192.168.56.129:61165                   *:*                                    1412
  UDP    [::]:3702                              *:*                                    1412
  UDP    [::]:3702                              *:*                                    1412
  UDP    [::]:5355                              *:*                                    1164
  UDP    [::]:64182                             *:*                                    1412
  UDP    [::1]:1900                             *:*                                    1412
  UDP    [::1]:61164                            *:*                                    1412
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:546      *:*                                    716
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:1900     *:*                                    1412
  UDP    [fe80::a49d:22fc:6a6:4daf%11]:61163    *:*                                    1412
As you can see there are many processes listening on this Windows 7 system. The "-a" option lists all connections and listening ports, both TCP and UDP. The "-o" option adds the process identifier, or PID, of the process that owns each endpoint. And the "-n" option tells netstat not to resolve IP addresses or port numbers to names. Two details in the Local Address column matter for the question we are asking: a local address of 0.0.0.0 (or [::] for IPv6) means the port is bound on every interface and is reachable from the network, whereas 127.0.0.1 (or [::1]) means it only accepts traffic from the local machine. UDP rows have no State because UDP is connectionless.
This netstat output gives us five columns of information about active connections:
Column | Information Description |
---|---|
Proto | Type of protocol being used, TCP or UDP (IPv6 endpoints are shown with bracketed addresses). |
Local Address | IP address of the local system and local port being used. |
Foreign Address | IP address of the remote system and remote port being used. |
State | Status of the TCP connection, such as LISTENING or ESTABLISHED; blank for UDP. |
PID | Process identifier of the process that owns the local port. |
If we look at the 22nd entry of our output, we see the following entry:
TCP 192.168.56.129:49177 66.35.45.201:80 ESTABLISHED 2988
This entry tells us we have an active TCP connection from our local system on port 49177 to a remote system with IP address 66.35.45.201 on port 80. In addition, this connection is currently established and a local process with a PID of 2988 is using the connection.
Even though we know the PID of the process using this connection, it doesn't tell us much more than there is a process that has an active connection on our system. How can we use this information to determine more about PID 2988?
Using Task Manager to better identify processes against our Netstat results
Now that we have a PID number, we can look up the process that is associated with the PID. To do this we can utilize the built-in Task Manager. However, by default Task Manager doesn't display the PID. We can fix that with a quick setting change.
Open Task Manager and select the "Processes" tab. Then click "Show processes from all users" to display all running processes in the Task Manager window. We will need to add the "PID (Process Identifier)" column to the view, as shown below.
To do this, select "View" from the menu and then click "Select Columns". On the "Select Process Page Columns" make sure there is a check mark in "PID (Process Identifier)" selection box and then click OK.
You will now see a window similar to the following.
If we look in the "PID" column, we will see our PID of 2988. Then by looking at the "Image Name" and "Description" columns, we can see that our active network connection belongs to Internet Explorer.
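The same cross-reference can be done for every row at once instead of one PID at a time. The script below is an added example and is not code from the original post; it assumes PowerShell 3.0 or later on the Windows 7 system and an elevated prompt (otherwise Get-Process cannot read the Path of processes owned by SYSTEM or other users). It parses "netstat -aon", joins each row to its owning process, and, for the svchost.exe instances that own several of the listening ports above, names the services each one hosts using "tasklist /svc". The function names are my own.

```powershell
# Added example (PowerShell 3.0 or later), not code from the original post:
# the netstat -> PID -> image name lookup done above in Task Manager, for
# every row at once. Run it from an elevated prompt; otherwise Get-Process
# cannot read the Path of processes owned by SYSTEM or by other users.

function Get-NetstatEndpoints {
    # Parse "netstat -aon". TCP rows carry five fields, UDP rows four
    # (UDP is connectionless, so there is no State column to fill).
    netstat -aon | ForEach-Object {
        $f = -split $_.Trim()
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP') {
            [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
        } elseif ($f.Count -eq 4 -and $f[0] -eq 'UDP') {
            [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = '';    PID = [int]$f[3] }
        }
        # Header and blank lines fall through and produce nothing
    }
}

function Resolve-EndpointOwner {
    param([object[]]$Endpoints)
    # Index the process list once instead of calling Get-Process per row
    $byId = @{}
    foreach ($p in Get-Process) { $byId[$p.Id] = $p }

    foreach ($e in $Endpoints) {
        $p = $byId[$e.PID]
        if ($p) { $image = $p.ProcessName; $path = $p.Path }
        else    { $image = '(exited)';     $path = '' }   # PID gone or reused since netstat ran
        [pscustomobject]@{
            Proto = $e.Proto; Local = $e.Local; Remote = $e.Remote; State = $e.State
            PID   = $e.PID;   Image = $image
            # A name such as svchost.exe proves little on its own; the path is
            # what separates the real binary in System32 from an impostor.
            Path  = $path
        }
    }
}

function Get-HostedServices {
    param([int]$ProcessId)
    # One svchost.exe instance hosts several services; tasklist /svc names them
    tasklist /svc /FI "PID eq $ProcessId" /FO CSV | ConvertFrom-Csv |
        Select-Object -ExpandProperty Services
}

$owned = Resolve-EndpointOwner (Get-NetstatEndpoints)

# Every listening TCP port and every UDP socket, with the owning image and path
$owned | Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
    Sort-Object Image, Local |
    Format-Table Proto, Local, PID, Image, Path -AutoSize

# Name the services behind each svchost.exe PID that owns an endpoint
$owned | Where-Object { $_.Image -eq 'svchost' } | ForEach-Object { $_.PID } | Sort-Object -Unique |
    ForEach-Object { 'svchost PID {0} hosts: {1}' -f $_, (Get-HostedServices $_) }
```

The services line is the part Task Manager cannot give you: in the listing above PIDs 716, 884 and 1412 are all svchost.exe, and only the hosted service names tell you which of them you could actually disable.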
Now that we have looked at the harder way of cross referencing active ports to their processes, let's look at a tool that can help do this all in one step.
TCPView for Windows
Windows Sysinternals guru Mark Russinovich has created a very useful tool, amongst many others, that will make our job easier. The TCPView tool is a GUI program that provides similar, but enhanced, information to that of Netstat. It will not only give you the PID number of the process tied to an active port, it will also provide you the "Image Name" that you find in Task Manager.
TCPView also includes a command line program that can dump the same information as the GUI program. This comes in very handy when performing Incident Response or you want to automate the auditing of several systems. The command line program is called Tcpvcon and has a few command line arguments. You can run "tcpvcon.exe /?" from a command prompt to view those options.
TCPView Output
On our same Windows 7 system, we run the Tcpvcon program at the command line with the "a", "c" and "n" options. The command gives us the following results (which can also be redirected to a file, for example on a network share, for later review):
C:\>Tcpvcon.exe -acn
TCPView v2.54 - TCP/UDP endpoint viewer
Copyright (C) 1998-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
TCP,svchost.exe,668,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,LISTENING,192.168.56.129:139,0.0.0.0:0
TCP,wininit.exe,392,LISTENING,0.0.0.0:49152,0.0.0.0:0
TCP,svchost.exe,716,LISTENING,0.0.0.0:49153,0.0.0.0:0
TCP,svchost.exe,884,LISTENING,0.0.0.0:49154,0.0.0.0:0
TCP,services.exe,468,LISTENING,0.0.0.0:49155,0.0.0.0:0
TCP,lsass.exe,476,LISTENING,0.0.0.0:49156,0.0.0.0:0
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49158,65.55.17.26:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49160,204.246.230.80:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49161,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49162,65.55.149.121:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49163,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49164,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49167,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49168,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49169,65.55.15.242:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49172,74.125.95.149:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49174,204.246.230.113:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49175,65.55.149.119:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49177,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49178,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49179,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49180,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49181,66.35.45.201:80
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49182,66.35.45.201:80
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,System,4,LISTENING,0.0.0.0:5357,0.0.0.0:0
UDP,System,4,*,192.168.56.129:137,*:*
UDP,System,4,*,192.168.56.129:138,*:*
UDP,svchost.exe,1412,*,127.0.0.1:1900,*:*
UDP,svchost.exe,1412,*,192.168.56.129:1900,*:*
UDP,svchost.exe,1412,*,0.0.0.0:3702,*:*
UDP,svchost.exe,1412,*,0.0.0.0:3702,*:*
UDP,svchost.exe,1164,*,0.0.0.0:5355,*:*
UDP,svchost.exe,1412,*,192.168.56.129:61165,*:*
UDP,svchost.exe,1412,*,127.0.0.1:61166,*:*
UDP,iexplore.exe,2988,*,127.0.0.1:62646,*:*
UDP,svchost.exe,1412,*,0.0.0.0:64181,*:*
TCPV6,svchost.exe,668,LISTENING,[0:0:0:0:0:0:0:0]:135,[0:0:0:0:0:0:0:0]:0
TCPV6,System,4,LISTENING,[0:0:0:0:0:0:0:0]:445,[0:0:0:0:0:0:0:0]:0
TCPV6,System,4,LISTENING,[0:0:0:0:0:0:0:0]:5357,[0:0:0:0:0:0:0:0]:0
TCPV6,wininit.exe,392,LISTENING,[0:0:0:0:0:0:0:0]:49152,[0:0:0:0:0:0:0:0]:0
TCPV6,svchost.exe,716,LISTENING,[0:0:0:0:0:0:0:0]:49153,[0:0:0:0:0:0:0:0]:0
TCPV6,svchost.exe,884,LISTENING,[0:0:0:0:0:0:0:0]:49154,[0:0:0:0:0:0:0:0]:0
TCPV6,services.exe,468,LISTENING,[0:0:0:0:0:0:0:0]:49155,[0:0:0:0:0:0:0:0]:0
TCPV6,lsass.exe,476,LISTENING,[0:0:0:0:0:0:0:0]:49156,[0:0:0:0:0:0:0:0]:0
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:1]:1900,*:*
UDPV6,svchost.exe,1412,*,[fe80:0:0:0:a49d:22fc:6a6:4daf]:1900,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:0]:3702,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:0]:3702,*:*
UDPV6,svchost.exe,1164,*,[0:0:0:0:0:0:0:0]:5355,*:*
UDPV6,svchost.exe,1412,*,[fe80:0:0:0:a49d:22fc:6a6:4daf]:61163,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:1]:61164,*:*
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:0]:64182,*:*
Our output is in comma separated format because of the "c" option we specified. As with Netstat, the "a" option gives us all endpoints and the "n" option tells Tcpvcon not to do name translation. This time the output is displayed in six comma separated columns, or fields, which provide the following information in the order displayed:
Column/Field | Description |
---|---|
Protocol | Type of protocol being used: TCP, UDP, TCPV6 or UDPV6. |
Process | The image name of the running process (what Task Manager shows as "Image Name"). |
PID | Process identifier of the process that owns the local port. |
State | Status of the TCP connection; "*" for UDP, which has no connection state. |
Local address and port | IP address of the local system and local port being used. |
Foreign address and port | IP address of the remote system and remote port being used. |
Let's look at the 20th entry in our output list from the Tcpvcon command we ran above:
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49177,66.35.45.201:80
As before, this entry tells us we have an active TCP connection from our local system on port 49177 to a remote system with IP address 66.35.45.201 on port 80. This connection is currently established and a local process with a PID of 2988 is using the connection. But as a bonus, the process image name (iexplore.exe) is now provided. Keep in mind that the image name tells you which executable owns the endpoint, not whether that executable is the genuine one; a process that borrows a familiar name such as svchost.exe should still be checked against its full path and the services it hosts.
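Because Tcpvcon writes plain CSV, dumps collected from many systems ("tcpvcon -acn > hostname.csv" on each) can be audited in one pass. The script below is an added example, not code from the original post or from Sysinternals; it assumes PowerShell 3.0 or later. The sample dump is constructed from rows shown above (including the banner, which lands in the file along with the data), and the share path and the baseline table are illustrative assumptions. It parses the six fields, keeps only endpoints that are reachable from the network (listening TCP sockets and UDP sockets that are not bound to loopback), and flags any port/process pair that is not in the baseline for review.

```powershell
# Added example (PowerShell 3.0 or later), not code from the original post:
# audit saved Tcpvcon dumps ("tcpvcon -acn > <host>.csv") and list what each
# host exposes on the network. The sample text below is constructed from the
# rows shown above; the share path and the baseline table are assumptions.

$sampleDump = @'
TCPView v2.54 - TCP/UDP endpoint viewer
Copyright (C) 1998-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
TCP,svchost.exe,668,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,LISTENING,192.168.56.129:139,0.0.0.0:0
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,System,4,LISTENING,0.0.0.0:5357,0.0.0.0:0
TCP,wininit.exe,392,LISTENING,0.0.0.0:49152,0.0.0.0:0
TCP,iexplore.exe,2988,ESTABLISHED,192.168.56.129:49177,66.35.45.201:80
UDP,svchost.exe,1412,*,0.0.0.0:3702,*:*
UDP,svchost.exe,1412,*,127.0.0.1:1900,*:*
TCPV6,svchost.exe,668,LISTENING,[0:0:0:0:0:0:0:0]:135,[0:0:0:0:0:0:0:0]:0
UDPV6,svchost.exe,1412,*,[0:0:0:0:0:0:0:1]:1900,*:*
'@

function ConvertFrom-TcpvconDump {
    param([string[]]$Lines, [string]$ComputerName)
    foreach ($line in $Lines) {
        # The banner is in the file too, so keep only rows that start with a protocol
        if ($line -notmatch '^(TCP|UDP|TCPV6|UDPV6),') { continue }
        $f = $line.Split(',')
        # Split "addr:port" on the LAST colon so bracketed IPv6 literals survive
        $i = $f[4].LastIndexOf(':')
        [pscustomobject]@{
            Host      = $ComputerName
            Proto     = $f[0]
            Process   = $f[1]
            PID       = [int]$f[2]
            State     = $f[3]          # '*' for UDP, which has no connection state
            LocalAddr = $f[4].Substring(0, $i)
            LocalPort = [int]$f[4].Substring($i + 1)
            Remote    = $f[5]
        }
    }
}

function Get-ExposedEndpoints {
    param([object[]]$Endpoints)
    # Listening TCP sockets and all UDP sockets, minus those bound to loopback only
    $loopback = '127.0.0.1', '[0:0:0:0:0:0:0:1]'
    $Endpoints | Where-Object {
        ($_.State -eq 'LISTENING' -or $_.Proto -like 'UDP*') -and
        ($loopback -notcontains $_.LocalAddr)
    }
}

# Assumed baseline: port -> process allowed to own it on this build (illustrative)
$baseline = @{
    'TCP/135' = 'svchost.exe'   # RPC endpoint mapper
    'TCP/445' = 'System'        # SMB
}

# For real dumps: Get-ChildItem \\fileserver\audit\*.csv | ForEach-Object {
#     ConvertFrom-TcpvconDump (Get-Content $_.FullName) -ComputerName $_.BaseName }
$endpoints = ConvertFrom-TcpvconDump ($sampleDump -split "`r?`n") -ComputerName 'WIN7-TEST'

foreach ($e in Get-ExposedEndpoints $endpoints | Sort-Object Proto, LocalPort) {
    # Fold TCPV6/UDPV6 into the v4 key: the port is the same attack surface either way
    $key  = '{0}/{1}' -f ($e.Proto -replace 'V6$', ''), $e.LocalPort
    $flag = if ($baseline[$key] -eq $e.Process) { 'baseline' } else { 'REVIEW' }
    '{0,-10} {1,-6} {2,-30} {3,-14} {4,5}  {5}' -f $e.Host, $e.Proto,
        ($e.LocalAddr + ':' + $e.LocalPort), $e.Process, $e.PID, $flag
}
```

On the constructed sample this prints the 135 and 445 listeners as "baseline" and marks 139, 5357, 49152 and UDP 3702 for review, while the ESTABLISHED Internet Explorer row and the two loopback-only SSDP sockets are left out, since neither is something a remote attacker can connect to.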
Resources
Microsoft Technet (n.d.). Netstat. Retrieved from http://technet.microsoft.com/en-us/library/bb490947.aspx
Russinovich, M. (2009, March 17). Tcpview for windows v2.54. Retrieved from http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx