Using PortQry Locally
What PortQry lacks in remote scanning features it makes up for with its unique local-machine capabilities. To enable local mode, run PortQry with the -local switch. When -local is the only switch used, PortQry enumerates all local port usage and port-to-PID mapping. Instead of sorting the data by open port, PortQry lists it according to PID, letting you quickly see which applications have open network connections.
PortQry lets you watch a specific local port or PID for state changes. To watch port 80, you'd run the command
portqry -local -wport 80
and PortQry would list all applications listening on port 80. For example, if you're running Microsoft IIS, PortQry reports that the W3SVC service is in the Listening state and lists other ports that the W3SVC service is using, such as port 443 for HTTP Secure (HTTPS). In addition, PortQry continues to run in the command shell and outputs all changes to activity on the port. Thus, if you subsequently open a Web browser and surf to the server that's running IIS, PortQry outputs that activity and reports the new Established connections, as Figure 1 shows.
To watch a specific application, run PortQry with the -wpid switch:
portqry -local -wpid PID
where PID is the application's PID. Watching a PID lets you easily monitor the network activity of a new application. Say you want to determine what ports Windows Messenger uses. You know that the program's executable is named msmsgs.exe, and you've seen it running in Task Manager. Start the executable msmsgs.exe (or verify that the Windows Messenger icon is in your system tray), then launch Task Manager. Click Task Manager's Processes tab and make sure that the PID column is displayed. If the column doesn't appear, click View, Select Columns, then select the check box next to PID (Process Identifier). Find the msmsgs.exe process and note its PID, then open another command prompt and launch PortQry with the -wpid switch and that PID.
As the truncated output in Figure 2 shows, the process whose PID is 2400 is waiting on UDP port 1127. If you remain in watch mode, PortQry displays this information until the utility detects a change. (PortQry checks for changes every minute.) For example, if you log in to Windows Messenger, PortQry automatically outputs a summary of the new activity to the command shell, as Figure 3 shows.
Now we know that Windows Messenger listens on port UDP 1127 and uses the destination port TCP 1863 for communication associated with logging in to the application. Also notice that Windows Messenger has initiated this connection with a remote IP address, 207.46.107.118, which corresponds to an IP address associated with msgr.hotmail.com, a part of the Windows Messenger network.
If you send an instant message, you'll see something more interesting. PortQry reports two new opened sockets. (A socket is the combination of a port and the remote IP address.) The new sockets are another port with destination TCP 1863 and a new port to destination TCP 80, as Figure 4, page 4, shows. TCP port 80 is used for HTTP and indicates that Windows Messenger accesses a remote Web server when sending an instant message. After a few minutes of inactivity, the TCP sessions end, the ports close, and PortQry reports that only the original two ports remain open.
This fairly trivial example demonstrates some of PortQry's value. Using Task Manager and PortQry, you can watch the activity of a specific application and discern the ports it uses. You probably knew that Windows Messenger uses TCP port 1863 but not that it also uses port 80 for HTTP. Also, watching a particular application would be difficult using a traditional network sniffer that records TCP/IP traffic. Netstat returns similar information about open ports, but it doesn't let you focus on a single PID or report only changes associated with new network activity.
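The watch-a-PID technique described above, as an added PowerShell example that is not PortQry's own code: it polls the endpoints owned by one PID once a minute and prints only what opened or closed, the single-PID focus that the article notes Netstat lacks. It assumes the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets (Windows 8 / Server 2012 and later); save it as a .ps1 file and run it with -ProcessId followed by the PID from Task Manager.

```powershell
# Added example, not part of PortQry: watch one PID's TCP/UDP endpoints and
# print only the changes, as the article describes PortQry's -wpid mode.
# Assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later); the
# 60-second default matches the polling interval the article describes.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,
    [int]$IntervalSeconds = 60
)

# Describe every socket owned by a PID as one string: protocol, local
# endpoint and, for TCP, the remote endpoint and state. Two connections to
# the same remote port therefore still count as distinct sockets.
function Get-ProcessSockets {
    param([int]$TargetPid)
    $sockets = @()
    foreach ($c in (Get-NetTCPConnection -OwningProcess $TargetPid -ErrorAction SilentlyContinue)) {
        $sockets += ('TCP {0}:{1} -> {2}:{3} {4}' -f $c.LocalAddress, $c.LocalPort,
                     $c.RemoteAddress, $c.RemotePort, $c.State)
    }
    foreach ($u in (Get-NetUDPEndpoint -OwningProcess $TargetPid -ErrorAction SilentlyContinue)) {
        $sockets += ('UDP {0}:{1}' -f $u.LocalAddress, $u.LocalPort)
    }
    return $sockets
}

$name = (Get-Process -Id $ProcessId -ErrorAction Stop).ProcessName
$previous = @(Get-ProcessSockets -TargetPid $ProcessId)
Write-Host ("Watching PID {0} ({1}); sockets now open:" -f $ProcessId, $name)
$previous | ForEach-Object { Write-Host "  $_" }

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    # Stop when the watched process exits, since its sockets are gone with it.
    if (-not (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)) {
        Write-Host ("PID {0} has exited." -f $ProcessId)
        break
    }
    $current = @(Get-ProcessSockets -TargetPid $ProcessId)
    # Anything in the new snapshot but not the old one opened, and vice versa.
    $opened = @($current  | Where-Object { $previous -notcontains $_ })
    $closed = @($previous | Where-Object { $current  -notcontains $_ })
    if ($opened.Count -or $closed.Count) {
        Write-Host ("{0:u} change for PID {1}:" -f (Get-Date), $ProcessId)
        $opened | ForEach-Object { Write-Host "  OPENED $_" }
        $closed | ForEach-Object { Write-Host "  CLOSED $_" }
        $previous = $current
    }
}
```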
PortQryUI
Microsoft offers a graphical front end, called portqryui.exe, to PortQry. You can download PortQryUI at http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe. PortQryUI includes a version of portqry.exe and some predefined services, which consist simply of groups of ports to scan. These services are Domains and Trusts, IP Security (IPSec), Networking, SQL Service, Web Service, Exchange Server, NetMeeting, and Miscellaneous. Web Table 1 (http://www.windowsitpro.com, InstantDoc ID 44411) lists the individual ports and protocols that make up these services. You can specify your own groups of ports to scan by creating a custom XML configuration file.
When you use a predefined service for a scan, PortQryUI chains together multiple runs of PortQry, then displays the results. For example, if you query Domains and Trusts, the front end initiates a series of PortQry scans of all Active Directory (AD)-related ports (e.g., NetBIOS, DNS, Kerberos, LDAP, RPC).
One drawback to PortQryUI is that it doesn't support local mode, so you can't use it to watch PIDs or ports. And because PortQryUI initiates separate PortQry runs for each port, the output contains a lot of clutter, such as repeatedly listing when the scan starts. You can get cleaner results by simply running the command tool and specifying the particular ports. For example, the command
portqry -n 192.168.0.8 -o 135,389,636,3268,3269,53,88,445,137,138,139,42 -p both
returns a condensed version of PortQryUI's results for a Domains and Trusts service scan. (You must type the command on one line and without inserting spaces between port numbers.)
Better Visibility
PortQry illuminates the network activity on your Windows systems. This small-footprint, easy-to-use scanner really shines when you use it in local mode. Make a place for it in your security toolkit—you'll be glad you did.