Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


October 13, 2003

11 Port Enumerators

Catch malware!
A Web Exclusive from Windows IT Pro
Roger A. Grimes
Feature
InstantDoc #40313
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join |
See More Products / Software Articles Here | Reprints | Or sign up for our VIP Monthly Pass!
SideBar    Trojan-Horse Port Resources, UDP vs. TCP, The Art of Interpreting Netstat

One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?" Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program. The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious. Let's take a look at port enumeration in general, then review 11 Windows port enumerators.

TCP/UDP Tutorial
To investigate ports, you need to know a little bit about TCP/IP and network connections. Today, most computers use the TCP/IP network protocol to communicate. TCP/IP's two main upper-layer (Open System Interconnection—OSI—Layer 4) transport protocols are TCP and UDP. One of these two protocols is typically responsible for sending information that travels between two computers (or between two processes on the same computer). Both TCP and UDP rely on the lower-level IP protocol to route packets from one computer to another. An IP packet header contains the source and destination IP addresses (or multicast or broadcast addresses, when appropriate) of the two computers and the protocol number (i.e., 6 for TCP or 17 for UDP), among other bits of information. The lower-layer protocol, IP, routes the packet from the source to the destination over the logical network. When the packet arrives at its eventual destination, the IP stack associated with the NIC removes the IP packet frame and inspects the upper-level protocol (i.e., TCP or UDP). For information about the differences between TCP and UDP, see the Web-exclusive sidebar, "UDP vs. TCP," http://www.secadministrator.com, InstantDoc ID 40315. . . .

Reader Comments
Brilliant. So many articles gloss over tools such as netstat assuming everyone was born sporting a pocket protector. One of the better articles I have read since I can remember. You should do a whole series on network troubleshooting utilities including tracert and nslookup. Well done.

Glen Huey October 22, 2003

Very good research and experience blended to make a quality article. Toast for more to come from the author and windows & .net mag website. Cheers!

Rostand Abear October 22, 2003

Great article, I only wish you could have provided links to the programs

Howard Mirkin October 22, 2003

Very interesting and well written article. I think the utilities you analize are usefull not only for suspicious "Virus" or "Trojan Horse" problems but are great helps for developers of TCP Network Application Programs. Thanks

Luigi Calegari October 24, 2003

I have Windows 2000 (SP4) and the netstat command doesn't have the -o option to enumerate the process identifier (PID). Is there another command that does so, perhaps in the Resource Kit, or perhaps this feature is only included with Windows XP and I have to find a 3rd party tool?

C. Frank Bernard October 28, 2003

I want to thank you for this well written article. I am new to network security issues and am having difficulty understanding much of what I've been reading. Not so with Mr. Grimes' "11 Port Enumerators" article. The topic at large still carries a huge mystery for me to unravel but Mr. Grimes has given me hope that I'll be able to grasp this information some time soon.

I've stumbled here from WildersSecuity's forum and plan on spending some time on your site.

I cannot thank you enough,
Kim Palmer
Newly drafted, reluctant though sober, Network Security Administrator
God help us. :)

Kim Palmer March 19, 2004

The Best of the best utility of this category is missing:
NirSoft CurrPorts !

http://nirsoft.mirrorz.com/

CurrPorts displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP ports information to HTML file , XML file, or to tab-delimited text file.
CurrPorts also automatically mark with pink color suspicious TCP/UDP ports owned by unidentified applications (Applications without version information and icons)


itibi September 09, 2004 (Article Rating: )

I totally agree with itibi's comments on CurrPorts. I love it. No installation and gives you everything you need.

BurtisB October 22, 2004 (Article Rating: )

Where are the links to the programs?

Anonymous User October 22, 2004 (Article Rating: )

Where are the links to the programs?

Anonymous User October 22, 2004 (Article Rating: )

 See More Comments  1   2 

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 24, 2008

An often irreverent look at some of the week's other news, including a Vista Capable dismissal request, Zune price reductions, Morrow musings, Novell and Microsoft sitting in a tree ... two years later, Yahoo!, IE 6 on Windows Mobile, and so much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events Top 10 Email Security Challenges and Solutions

Introduction to Identity Lifecycle Manager "2"

SQL Server Security: How to Secure, Monitor & Audit Your Databases

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Is Your Approach to VMware Server Recovery Outdated?
Is your data protected from server failure? Download this white paper to find the best way to back up, recover, and restore your VMware ESX Server 3.x.

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

GoGrid Offers FREE Trial for Windows Cloud Servers
Deploy Windows Server 2003 and 2008 with free load balancing through GoGrid’s award winning web-based GUI – all in less than 5 minutes

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
You've Deployed SharePoint...Now What?
This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions

Ease Your Scripting Pains with the Flexibility of PowerShell!
Paul Robichaux equips you with PowerShell basics in 3 introductory lessons, each followed by live Q&A—all on your own computer! Register today!

What Would You Do If You Ran Microsoft?
ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.

Maximize Your SharePoint Investment
This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.

Rock Your Knowledge, and Compete with Friends and Colleagues!
Are you the Web Application Performance Guru in your office? It's time to have fun! Download now to access the crossword puzzle. Challenge yourself and complete this fun activity!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing