Hack 23 List Running Services and Open Ports



Check for remotely accessible services the Windows way.

Unix makes it quick and easy to see which ports on a system are open, but how can you do that on Windows? Well, with FPort from Foundstone (http://www.foundstone.com/resources/index_resources.htm) it's as quick and easy as running good old netstat.

FPort has very few command-line options, and those deal mostly with specifying how you'd like the output sorted. For instance, if you want the output sorted by application name, you can use /a; if you want it sorted by process ID, you can use /i. While it may not be as full of features as netstat, it definitely gets the job done.

To get a listing of all ports that are open on your system, simply type fport. If you want the list to be sorted by port number, use the /p switch:

C:\> fport /p
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
432   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
672   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
8     System         ->  1028  TCP
8     System         ->  1031  TCP
1116  navapw32       ->  1035  TCP   C:\PROGRA~1\NORTON~1\navapw32.exe
788   svchost        ->  1551  TCP   C:\WINNT\system32\svchost.exe
788   svchost        ->  1553  TCP   C:\WINNT\system32\svchost.exe
788   svchost        ->  1558  TCP   C:\WINNT\system32\svchost.exe
1328  svchost        ->  1565  TCP   C:\WINNT\System32\svchost.exe
8     System         ->  1860  TCP
1580  putty          ->  3134  TCP   C:\WINNT\putty.exe
772   WinVNC         ->  5800  TCP   C:\Program Files\TightVNC\WinVNC.exe
772   WinVNC         ->  5900  TCP   C:\Program Files\TightVNC\WinVNC.exe

432   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
256   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
244   services       ->  1027  UDP   C:\WINNT\system32\services.exe
688   IEXPLORE       ->  2204  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1396  IEXPLORE       ->  3104  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
256   lsass          ->  4500  UDP   C:\WINNT\system32\lsass.exe

Notice that there are some processes listed—such as navapw32, putty, and IEXPLORE—that don't appear to be services. These show up in the output because FPort lists all open ports, not just ports that are listening.

While FPort is not as powerful as some of the commands available under other operating systems, it is still a valuable, quick, and easy-to-use tool that is a great addition to Windows.
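Because FPort's output is plain columns, it can be checked against a reviewed list automatically. The following is an added example, not part of the original text or of FPort: it parses rows in the format shown in the listing above and reports any that are missing from a baseline or that run from a different path. The names `parse_fport`, `review` and the `BASELINE` contents are assumptions made for illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "pid process port proto path")

# One FPort data row: Pid Process -> Port Proto [Path]. Path is empty for System.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.+?))?\s*$")

# Sample input: rows copied from the FPort listing above.
SAMPLE = r"""
Pid   Process            Port  Proto Path
432   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   TCP
1580  putty          ->  3134  TCP   C:\WINNT\putty.exe
772   WinVNC         ->  5900  TCP   C:\Program Files\TightVNC\WinVNC.exe
256   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
"""

# Hypothetical baseline: (process, port, proto) -> path an administrator has reviewed.
BASELINE = {
    ("svchost", 135, "TCP"): r"C:\WINNT\system32\svchost.exe",
    ("system", 445, "TCP"): "",
    ("lsass", 500, "UDP"): r"C:\WINNT\system32\lsass.exe",
}

def parse_fport(text):
    """Return an Entry per data row; banner and column-header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append(Entry(int(pid), proc, int(port), proto, path or ""))
    return entries

def review(entries, baseline):
    """Return (entry, reason) for rows that are new or run from an unexpected path."""
    findings = []
    for e in entries:
        key = (e.process.lower(), e.port, e.proto)
        if key not in baseline:
            findings.append((e, "not in baseline"))
        elif baseline[key].lower() != e.path.lower():  # Windows paths ignore case
            findings.append((e, "path differs from baseline"))
    return findings

if __name__ == "__main__":
    for e, reason in review(parse_fport(SAMPLE), BASELINE):
        print(f"{reason}: {e.process} (pid {e.pid}) {e.proto}/{e.port} {e.path}")
```

Since FPort lists every open port, client programs such as putty will be reported with whatever local port they happened to be given; those rows need a human look rather than a baseline entry.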


Hack 24 Enable Auditing


Log suspicious activity to help spot intrusions.

Windows 2000 includes some very powerful auditing features, but unfortunately they are all disabled by default. Windows 2003 has corrected this by enabling some features by default, but it is still wise to check that you are tracking precisely what you want to audit. Using these capabilities, you can monitor failed logins, account management events, file access, privilege use, and more. You can also log security policy changes as well as system events.

To enable auditing in any one of these areas, locate and double-click the Administrative Tools icon in the Control Panel. Now find and double-click the Local Security Policy icon. Expand the Local Policies tree node, and you should see something similar to Figure 2-1.

Figure 2-1. Audit Policy settings in the Local Security Settings applet

Now you can go through each of the audit policies and check whether to log successes or failures for each type. You can do this by double-clicking the policy you wish to modify, located in the right pane of the window. After double-clicking, you should see a dialog similar to Figure 2-2.

Figure 2-2. The "Audit logon events" dialog

Leaving auditing off is akin to not logging anything at all, so you should enable auditing for all policies. Once you've enabled auditing for a particular policy, you should begin to see entries in the event logs for when a particular audit event occurs. For example, once you have enabled logon event auditing, you should begin to see entries for logon successes and failures in the system's security event log.