One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?" Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program. The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious. Let's take a look at port enumeration in general, then review 11 Windows port enumerators.
TCP/UDP Tutorial
To investigate ports, you need to know a little bit about TCP/IP and network connections. Today, most computers use the TCP/IP network protocol to communicate. TCP/IP's two main upper-layer (Open System Interconnection—OSI—Layer 4) transport protocols are TCP and UDP. One of these two protocols is typically responsible for sending information that travels between two computers (or between two processes on the same computer). Both TCP and UDP rely on the lower-level IP protocol to route packets from one computer to another. An IP packet header contains the source and destination IP addresses (or multicast or broadcast addresses, when appropriate) of the two computers and the protocol number (i.e., 6 for TCP or 17 for UDP), among other bits of information. The lower-layer protocol, IP, routes the packet from the source to the destination over the logical network. When the packet arrives at its eventual destination, the IP stack associated with the NIC removes the IP packet frame and inspects the upper-level protocol (i.e., TCP or UDP). For information about the differences between TCP and UDP, see the Web-exclusive sidebar, "UDP vs. TCP," http://www.secadministrator.com, InstantDoc ID 40315. . . .
Register
