When security scanners (or hackers) look for vulnerable ports on Windows PCs and other computers, they'll often perform port scans. These may target only well-known ports, or those for which vulnerabilities exist, or may work their way through the entire range of valid UDP and TCP port addresses (0 through 65,535, which tells those with "binary sophistication" that port addresses are 16 bits in length).
System or network admins seeking to foil such scans, or to check port status on exposed machines, can get quick, accurate help from the Windows command line utility named netstat (for great detail on this utility, see the Windows netstat reference page online). Use the command netstat –an to produce a listing of TCP and UDP ports that have been used or are active or in "listening" status on a Windows computer (this command works with all modern Windows versions, the listing that follows came from a Windows XP machine, with SP2 and all current security updates, patches, and fixes installed).
Listing 1: Typical netstat –an output
C:\>netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING TCP 127.0.0.1:1039 0.0.0.0:0 LISTENING TCP 172.16.1.108:139 0.0.0.0:0 LISTENING TCP 172.16.1.108:3023 172.16.1.33:139 ESTABLISHED TCP 172.16.1.108:3061 172.16.1.17:139 ESTABLISHED UDP 0.0.0.0:445 *:* UDP 0.0.0.0:500 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:1042 *:* UDP 0.0.0.0:2846 *:* UDP 0.0.0.0:4500 *:* UDP 127.0.0.1:123 *:* UDP 127.0.0.1:1036 *:* UDP 127.0.0.1:1900 *:* UDP 127.0.0.1:2972 *:* UDP 127.0.0.1:3548 *:* UDP 172.16.1.108:123 *:* UDP 172.16.1.108:137 *:* UDP 172.16.1.108:138 *:* UDP 172.16.1.108:1900 *:*
If a port is in the LISTENING state this means the PC is waiting for an incoming connection on that port. If it's in the ESTABLISHED state, there's an active connection on that port up and running. But even for UDP (which doesn't carry state information), all recently accessed port numbers will show up in this output.
Why does this matter? Because it provides a complete and succinct list of all the ports this computer has used since the last time it booted up. This means you need check only these ports externally to make sure they're not open to any and all comers (or scanners) to see if that machine is secure or otherwise. You can use the custom port probe available through Steve Gibson's "Shields UP!" facility at http://grc.com to check these ports quicky and easily. Here's how:
- look for and click the Shields UP! Link on his home page
- click Shields UP again
- click Proceed
- click "User Specified Custom Port Probe" on the resulting page
- enter all the port numbers that show up in the netscan output
(Note: port addresses show up to the right of the colons following the IP addresses for both TCP and UDP ports, as shown in Listing 1). This provides a quick way to see if any are open to outside scanners.
This technique works well for pretty much all Windows machines from Windows 95 to the latest releases. Use it to help drive your security scans, and you'll be well-equipped to keep scanners at bay.
Ed Tittel is a full-time freelance writer, trainer, and consultant who specializes in matters related to information security, markup languages, and networking technologies. He's a regular contributor to numerous TechTarget Web sites, technology editor for Certification Magazine, and writes an e-mail newsletter for CramSession called "Must Know News."