Ports - The Doorways to Your Computer
When thinking about securing your machine from unauthorized access or use, consider the analogy of trying to keep burglars out of a warehouse. Your first step would be to seal off those entrances that are not essential to the operation of the warehouse, thereby allowing you to focus your attention on specific entrances, rather than the entire building.
Using the above analogy, substitute the word "doorways" for "ports." Ports are entrances to your machine. For instance, whenever you go to a website, you are connecting to that company's server on port 80 (unless remapped). Don't believe me? Try these two links:
Now let's look at what "doors" are open on your computer. In order to do this we will be using a utility called Netstat. Netstat provides its user with the network status of the computer from which the command is being sent. Netstat is very comprehensive; below you will find its usage stanza:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP. If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
There are a lot of options listed, but we are only concerned with the first one:
  -a            Displays all connections and listening ports.
-a shows you who's in the "warehouse" and which "doors" are open.
Now let's do a little.....hacking? Follow these steps.
STEP 1 - Launch DOS or Command Prompt
1. Click on the Start button on the bottom left of your screen.
2. Next click on Run.
3. You will be presented with the Run window which allows you to type in commands. The command we want to run is cmd to bring up the command prompt or DOS. Type cmd in the window, and click the OK button.
STEP 2 - Execute netstat -a command
1. Now you should be looking at the command prompt or DOS window. This is where we can type in our command: netstat -a. After you type this command, press Enter.
STEP 3 - Reading the output
You should see four columns on your screen:
* Proto(col) - This is the protocol or language being used by your system for a service. Examples are:
  o TCP Transmission Control Protocol
  o UDP User Datagram Protocol
* Local Address - Your system name, otherwise known as hostname, and the port number/name. The port number may be replaced by the name of the service being used.
  Example: localhost:http instead of localhost:80
* Foreign Address - The name or IP address of the system you are connected to and the port number/name. The IP address is the numeric representation of a system name. Try the following link to see what I mean:
  o http://126.96.36.199
* State - This lets you know what is happening on a particular port. The words we're looking for are:
  o LISTENING, an open door
  o ESTABLISHED, a door which is being used
  o TIME_WAIT, a door that was used and is now closed
STEP 4 - Grouping, grouping, gone!
Let's group everything according to its State. This will require opening up a blank/new document in either Note Pad, Write Pad, Word, or any other word processing software. Copy and paste the entire netstat -a output from your DOS/Command Prompt window into your new document. Follow these steps:
* Right-click on the Title Bar of the DOS/Command Prompt
* Select the Edit item and then select the Select All item
* Right-click on the Title Bar of the DOS/Command Prompt
* Select the Edit item and then select the Copy item
* Go to your new document and Paste
Ok. Let's do some grouping by State. Move all the LISTENING lines together, all the ESTABLISHED lines together, and all the TIME_WAIT lines together.
NOTE: You can find out which of these ports is opened to the general Internet public by running the Probe My Ports test. If your results are unsatisfactory and you don't have a firewall, you need to get a firewall. A firewall should be a basic component of your Internet security.
STEP 5 - Let's go a-hunting!
We need to identify what is actually running on these ports. First let's look in our Windows services file. This document is used to start up services on certain ports and contains a very brief description of the service. Below is the location of the files:
* Win 95/98 - C:\WINDOWS\SERVICES
* Win NT/2k - C:\WINNT\SYSTEM32\DRIVERS\ETC\SERVICES
Tip: Create a shortcut of this file on your desktop so that you don't have to hunt for it again:
1. Right-click on the file
2. Click Send to...
3. Select desktop
It's good to know what you actually have running on your machine so that in case you do get hacked, you know what ports you should see open. You should make sure that you don't have any Internet applications running when you compile the list. This includes, but is not limited to:
* AOL Instant Messenger
* Yahoo Messenger
* ICQ
* Trillian
* Internet Explorer
* Netscape Navigator
* Eudora E-mail client
* Outlook or Outlook Express clients
NOTE: Port 138, which is used by the NetBios protocol, has "well known" exploits and vulnerabilities. If you don't have a home network set up, then turn off the following services:
* File and Print Sharing for Microsoft Networks
* Client Services for Microsoft Networks
STEP 6 - Now what?
Now you're ready to rid your machine of the dreaded "script kiddies" should you get hacked. Pay attention, grasshopper. You NEED a firewall - whether it is a software firewall, a hardware firewall, or both, you need a firewall! This will protect you 99.99% of the time, unless someone has a personal vendetta against you. So let's suppose your .01% time happens before you leave this beautiful planet, then here's what you need to do. You already have the basics down - we're just going to put it all together.
1. Check the netstat -a output against the following trojan port list. If you find the port, then click on the name of the trojan to get more information. Copy this information into another text document via copy/paste. It will come in handy later.
2. Run netstat -n. This will give you the IP address of the machine that is connected to you on that port (the script kiddie). Write this down as well so that you can nail them later by turning them in to their ISP.
3. Disconnect from the Internet. The easiest way to do this is to remove the cable from your modem and shut down all Internet applications.
4. Run an anti-virus scan.
5. Run an anti-trojan scan.
6. If the description of the trojan from the trojan list noted any files in the registry, make sure they are gone. Use the same method you used to open the DOS/Command Prompt, but instead of typing cmd, type regedit. Then do a "Find" for the files listed in the description. If you find them, delete them.
7. Reconnect your modem cable and reboot the computer.
8. Check netstat -a against the trojan list again to verify a "script kiddie" free machine.
9. If you want to try and catch the culprit, open up your DOS/command prompt window like you did for netstat and type: tracert ["script kiddies" IP]. You should have copied down the IP address from step 2. Now, before the trace gets to the IP address of the perpetrator, it will pass through the ISP first. So check the two previous IP addresses before getting to the destination. Type them into the browser the way we did with Yahoo above, and see who to report the incident to. Usually, it will be abuse@[ISP].com
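The hand grouping in Step 4 and the check against the ports you expect to see open (Step 5) can also be done by a script. The Python code below is an added example, not part of the original tutorial; the sample netstat output, the host name mypc, port 8899 and the baseline set are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -a` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:http              mypc:0                 LISTENING
  TCP    mypc:135               mypc:0                 LISTENING
  TCP    mypc:8899              mypc:0                 LISTENING
  TCP    mypc:1042              www.example.com:http   ESTABLISHED
  TCP    mypc:1040              mail.example.com:pop3  TIME_WAIT
  UDP    mypc:138               *:*
"""

# Proto, Local Address, Foreign Address and an optional State column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse(text):
    """Yield (proto, local_port, foreign, state) for each connection row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state = m.groups()
        # UDP is connectionless, so netstat prints no State for it.
        # rsplit keeps working if the host part itself contains colons.
        yield proto, local.rsplit(":", 1)[1], foreign, state or "(none)"

def group_by_state(text):
    """Step 4: collect the rows under LISTENING, ESTABLISHED, TIME_WAIT, ..."""
    groups = defaultdict(list)
    for proto, port, foreign, state in parse(text):
        groups[state].append((proto, port, foreign))
    return dict(groups)

def unexpected_listeners(text, baseline):
    """Open doors that are not in the list compiled while the machine was clean."""
    open_now = {(proto, port) for proto, port, _, state in parse(text)
                if state == "LISTENING" or proto == "UDP"}
    return sorted(open_now - set(baseline))

if __name__ == "__main__":
    for state, rows in group_by_state(SAMPLE).items():
        print(state, rows)
    baseline = {("TCP", "http"), ("TCP", "135"), ("UDP", "138")}  # constructed
    print("not in baseline:", unexpected_listeners(SAMPLE, baseline))
```

Ports are compared as the strings netstat prints, so record the baseline and the later check with the same options (for example both with -n) to avoid a name such as http failing to match 80.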