One of the most frequently fielded questions among security analysts is, "Do I have a Trojan-horse program if I've found a port open on my computer?" Variations of this question litter security mailing lists, but the answer is always the same: Trace the port number to the program that's opening the port, and investigate the program. The process of tracing an open port to its causative agent is called port enumeration (or port mapping). Of course, the answer assumes that you have an adequate understanding of port numbers, a good port-enumeration tool, and the ability to research whether the found program is malicious. Let's take a look at port enumeration in general, then review 11 Windows port enumerators.
To investigate ports, you need to know a little bit about TCP/IP and network connections. Today, most computers use the TCP/IP network protocol to communicate. TCP/IP's two main upper-layer (Open System Interconnection—OSI—Layer 4) transport protocols are TCP and UDP. One of these two protocols is typically responsible for sending information that travels between two computers (or between two processes on the same computer). Both TCP and UDP rely on the lower-level IP protocol to route packets from one computer to another. An IP packet header contains the source and destination IP addresses (or multicast or broadcast addresses, when appropriate) of the two computers and the protocol number (i.e., 6 for TCP or 17 for UDP), among other bits of information. The lower-layer protocol, IP, routes the packet from the source to the destination over the logical network. When the packet arrives at its eventual destination, the IP stack associated with the NIC removes the IP packet frame and inspects the upper-level protocol (i.e., TCP or UDP). For information about the differences between TCP and UDP, see the Web-exclusive sidebar, "UDP vs. TCP," http://www.secadministrator.com, InstantDoc ID 40315.
A Lesson in Ports
TCP and UDP packets contain source and destination port numbers. A port is a network I/O opening into an application (or service or daemon). Ports are numbered from 0 to 65,535. The reason for that numbering scheme is that TCP and UDP packet headers permit 16 bits (216) for both the source and destination port numbers (216 equals 65,536 possible port numbers). Numbering I/O openings is a handy way for computers and users to keep track of which port belongs to what program.
Early in the Internet's history, the Internet Assigned Numbers Authority (IANA) decided to reserve the first 1024 port numbers (i.e., 0 to 1023) for requesting entities. The IANA assigns these so-called well-known port numbers. (See Table 1 for some common well-known port numbers.) Although most lists of well-known port numbers are now old and not 100 percent accurate, popular port numbers for the most widespread protocol services have remained unchanged for over a decade.
Port numbers 1024 through 49,151 are called registered port numbers, and ports 49,152 through 65,535 are called dynamic or private port numbers. In practice, ports 1024 through 65,535 are dynamically generated, and any application can use them. When an application or service starts, it typically checks whether it can use a particular port number, and if that port number isn't already taken, it opens the port. The port numbers that an application opens might always be the same, or they might be randomly generated. The more popular the application, the more likely that Internet software developers will let the program use an exclusive port number. Table 2 lists some sample port numbers for popular applications, and Table 3 lists common Windows port numbers.
Understanding the difference between source and destination port numbers is essential. In most cases, when you look at port traffic, you're concerned with destination port numbers. Destination traffic typically goes to a well- known port, whereas origination (aka source) ports can be any randomly generated number above 1023. In practice, however, the randomly generated port number falls between 1024 and 3000. For example, when you use Microsoft Internet Explorer (IE) to connect to a Web site, the destination port number is 80, whereas the origination port is randomly generated. Figure 1 shows a sample session that started when I browsed to http://www.secadministrator.com. The destination IP address is 220.127.116.11, and the port number is TCP 80. The origination IP address is 192.168.168.160, and the port number is TCP 2335.
The 192.168.168.160 private IP address is present because my PC sits behind a firewall, which connects to the Internet with its public IP address. Each browser connection or refresh generates a new (typically higher) source port number. Also, because a Web page might have embedded links and advertisements hosted on other Web sites, one browser page might have a multitude of open port connections, all pointing to the same IP address or to different IP addresses.
The Svchost Mystery
Windows 2000 and later also open many other ports (e.g., 500, 123) that are assigned to a service called svchost.exe. This generic host process resides in the \%windir%\system32 folder. It starts anytime Windows starts and loads into memory one or more services as defined in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry subkey.
Often when you port enumerate, you'll find that svchost.exe is responsible for several separate port openings. For example, as I write this article, svchost.exe is loaded four times in my computer's memory; is hosting the RPCSS, EventSystem, Netman, NtmsSvc, RasMan, SENS, and TapiSrv services; and has ports 123, 135, 1025, 1026, 1900, and 5000 open. When you're searching for malicious software (malware), you can take comfort in knowing that the ports attached to svchost.exe aren't open for intentional malicious use. Of course, external attacks against those ports (e.g., remote procedure call—RPC—attacks against port 135) aren't out of the question.
Like software that uses well-known ports and common Windows ports, Trojan-horse programs also have common port numbers. Unfortunately, hundreds of popular Trojan horses exist—too many to list in this article. However, if you plan to use a port enumerator to search out malicious code, you should have a Trojan-horse port list handy in case you come across unrecognized ports. For a collection of Web sites that provide good Trojan-horse port lists, see the sidebar, "Trojan-Horse Port Resources."
Because port numbers above 1023 aren't officially assigned, any program can use them. Most of the time, programs use ports on a first come, first served basis. Therefore, if a developer uses a popular program's port number for a new program, the new program might not function correctly. Two programs can feasibly share the same port at the same time, but they can conflict with each other if they aren't correctly coded. If two applications use the same port, TCP and UDP can get confused and cause network-communication problems. However, some programs—including malware programs—have been known to insert themselves into a computer system in such a way that they can share the same port as another program.
Port 80 is a big exception to the rule that says two programs shouldn't share a port number. Port 80 is open on most firewalls to permit clients to browse the Web. Many programs piggyback their traffic across port 80 so that it can skirt the firewall. For example, many Instant Messaging (IM) programs automatically send their traffic over port 80 (using the HTTP protocol) if their default ports are blocked. These programs can even contain subroutines that scan firewalls, searching for open outgoing ports that they can use.
All Windows versions beginning with Windows 95 (and including Windows 3.11 with the Microsoft TCP/IP 32 add-in) offer a good TCP/IP utility called Netstat, which has been around (for both Windows and UNIX) since the early days of the Internet. You can use Netstat to determine which UDP and TCP ports are open and active. (For more information about Netstat, see the Web-exclusive sidebar "The Art of Interpreting Netstat," InstantDoc ID 40316.) In Windows Server 2003 and Windows XP, you can use Netstat to view open ports and their related programs (i.e., to perform port enumeration).
To use Netstat, you must first open a command prompt by choosing Start, Run. Type
and press Enter. You can use the Netstat -? command to view a list of Netstat parameters, but for the purposes of this article, type
where the -a parameter displays active connections, the -n parameter shows the connections with IP addresses and port numbers instead of names, and the -o parameter shows the process identifier (PID) of the application that owns the port.
If you don't use the -n parameter, you'll see the domain names of the computers you're connected to. Netstat -ao renames port numbers to their common application or service names—a function that isn't always accurate (e.g., any traffic using port 80 is called HTTP even if it contains non-HTTP content). Netstat -ao also renames all the local IP addresses according to the local machine's NetBIOS name. Without the -n parameter, you won't be able to determine which interface the program is listening on. Run Netstat -ao only when you need to know what the remote computer is called (e.g., www.yahoo.com). If you're using a Windows version earlier than XP, the -o parameter won't work and you won't be able to use Netstat to see which programs are using what ports.
Figure 2 shows the output of the Netstat -ano command on my computer. The command displays five columns of information. The first column lists the network protocols, displaying all TCP connections first. The second column lists the connection's local IP address and port number. The third column lists the destination IP address and port number. If a port number isn't yet established, the column displays an asterisk (*). The fourth column lists the TCP port states. The ESTABLISHED, LISTENING, and SYN_SENT states are open and active sessions; every other state is not. UDP ports don't have states listed because UDP is stateless. Table 4 shows the various Netstat states. (In the table, the server is the local program or service that owns the port.)
The fifth column of Netstat's output lists the PID of the process that opened the port. Through Task Manager, you can connect this information to the related program or service. If you're new to using Task Manager to examine PIDs, you'll need to add a PID column to the Task Manager view. To do so, press Ctrl+Alt+Del to bring up Task Manager. Go to Task Manager's Processes tab, then click View, Select Columns. Select the PID (Process Identifier) check box and click OK. Task Manager will now show the PID next to the owning program (Image Name), as Figure 3 shows. To match the port PIDs to the process names, you can switch between the Netstat screen and Task Manager.
Netstat -ano is a decent port enumerator but has several deficiencies. It works only on Windows 2003 and XP machines, and it requires that you flip between two screens to connect ports with programs. Netstat can be painfully slow on machines that have a lot of open ports, and it isn't as accurate as some of its competitors. Netstat is a command-line program that doesn't offer a user-friendly GUI, and it doesn't provide real-time output; you have to run it each time you want a port update. Finally, Netstat doesn't show the remote IP address and port numbers (aka endpoints) connected to active UDP ports.
Because of these problems, many people turn to third-party port enumerators. Let's take a look at the available third-party port enumerators. In the following sections, I choose some favorites and also let you know which ones to avoid.
Third-Party Port Enumerators
Many free and commercial port enumerators are available, both as command-line programs and as professional-looking GUI tools. I tested 10 such tools on a Win2K Professional machine, running the default set of services and ports (i.e., 135, 137, 138, 139, 445, and 500) that you would typically find on a brand-new installation.
To mimic Trojan horses that use unprintable characters in their name (to avoid port-enumeration listing), I went to great lengths to make the Telnet Server service name invisible. Malicious intruders, using this type of trick, hope that administrators looking at a long list of processes will just see an empty space and not investigate further. Making the Telnet Server service invisible took some work. First, using a bunch of ASCII hexadecimal character 32s for the filename (ASCII 32h is the space character), I renamed tlntsvr.exe to .exe. Then, I modified the registry to start the newly named file in place of the usual service name when Windows starts.
I also executed two common Trojan horses, Back Orifice 2000 (BO2K) and NetBus, to generate malicious open ports. I wanted to see whether any of the products would judge the Trojan horses as suspicious—at least one product (Port Explorer) did. I made sure the same applications and processes were running for all the tests. In total, I had 14 active TCP processes and 7 UDP processes running. Then, I fired up each product to see how it fared.
Active Network Monitor
SmartLine's Active Network Monitor ($30) is a simple, mostly effective port mapper. The tool's installation is easy and doesn't require a reboot. Its main GUI screen has few features, but the tool is stable and effective. Active Network Monitor gives you the basics: PIDs; local and remote IP addresses and ports; protocols; and program names, including paths. The tool can export the process list to an external .txt, .csv, comma-delimited, or tab-delimited file. To draw attention to new port uses, the utility uses colored bars to highlight new activity. Active Network Monitor also lets you terminate processes. One small annoyance is the tool's default Always on Top setting. The setting is easy to deselect, but it's bothersome.
Port Traffic Analyzer
Atelier Web's Port Traffic Analyzer ($32.50) was once one of my favorite port enumerators. It was one of the first graphical port enumerators and was easy to install and use. Unfortunately, when I installed the current version, installation seemed to go smoothly on my test machine, but Port Traffic Analyzer failed to log any activity. I uninstalled and reinstalled the product a few times and tried rebooting, to no avail. At Atelier's Web site, the first and largest part of the FAQ section documents installation problems. Apparently, the tool's use of Microsoft's Layer Service Provider (LSP) API to collect information has caused problems for many users. Technical support is available only over the Web but provided quick response. As much as I've admired this port enumerator in the past, its common installation problems make it difficult to review and recommend.
Foundstone's Fport (free) is probably the most recommended command-line port mapper in the business. It's a solid, small-footprint, command-line port enumerator that you can install quickly. Fport lists PIDs, process names, local port numbers, protocols, process executables, and paths. Although many people heap praise on this utility, it lacks key features. For example, it doesn't list local IP addresses, it doesn't give you remote IP addresses and port numbers, and it gives no indication of state or ongoing activity. I used a BO2K Trojan-horse client from a remote computer to connect to my computer, yet Fport didn't show any of that activity. I've also seen Fport miss certain open ports in the past. Fport was once a worthy sidekick, but after seeing some of the competition, I'll probably use another product for future investigations.
The most impressive aspect of NTSecurity.nu's Inzider (free) is its easy uninstallation. I experienced problems the moment I started this utility. The GUI appeared to be a graphical representation of a DOS command-line box. When I executed the utility, my system immediately became slow, and I thought the machine had locked up. However, after a few minutes, Inzider started listing processes on the screen. Unfortunately, the first process it listed didn't have a network port open, and it listed only the PID and process name and path. If a port number or IP address was forthcoming, I never saw it. After 5 minutes, Inzider had revealed only two processes, so I ended the execution.
The sluggishness is apparently due to the unique way Inzider lists processes—a technique called DLL injection. For good reason, no other port mappers use this technique. Even Inzider's author notes in his documentation that the program is unstable. He also mentions that Inzider can't check on processes that started as services. Therefore, this solution is more like a nonsolution.
Delta Design UK's Net-Scope ($12.98) is another noncontender. In my tests, it listed many processes that weren't programs with network connections. The tool missed a few programs that opened ports, falsely reported other programs that didn't open ports, and reported inaccurately about port use. For example, although in my tests, Net-Scope showed IE as having an open port, it listed both source and destination IP addresses as 127.0.0.1. Net-Scope didn't show the active connection and remote IP address of the IE connection to http://www.google.com. The GUI doesn't show much initially. To obtain detailed information about a process, you must double-click the process and wait for results to appear in the GUI's bottom half. Often, correct results never come. The free trial version comes with 15 uses, but it considers each screen refresh as a use, so my free trial was spent very quickly.
Diamond Computer Systems' (DiamondCS's) Port Explorer ($40) is easily the best product in this comparative review. It has an impressively designed GUI, is easy to install, is quite stable, produces a large amount of useful information without requiring you to dig, comes with a set of forensics tools, and highlights bad programs. If Port Explorer determines that a program is acting strangely, the tool marks the program's port in red. In my tests, the tool marked both the BO2K and NetBus Trojan-horse ports. After you install Port Explorer for the first time, it displays its Help file—a nice touch. It's the only port mapper to have its own discussion board, and its developers seem dedicated to making Port Explorer the best product in its class.
Apparently, Port Explorer uses as many as five separate methods—SNMP, LSP, an undocumented Transport Driver Interface (TDI) technique, and documented and undocumented IPHelper techniques—for tracking and identifying processes. In my testing, Port Explorer was the most accurate tool and was one of only two port mappers to display the remote IP address and port number of UPD connections on screen and in a log file.
Port Explorer provides real-time port-traffic updates, but you can instruct Port Explorer to pause so that the view is static. Also, the tool saves all activity to a local file that you can view from the GUI. I placed Port Explorer under a heavy load that would typically cause Netstat to slow to a crawl or die, and without hesitation, Port Explorer showed every port as it started up.
Port Explorer's GUI and operations are customizable. You can instruct Port Explorer to show you the filename or the full file path of the program that owns the port. The latter option is beneficial if you're trying to ferret out an evasive program. The main screen contains several columns of information that you can sort with a mouse click at the top of the sort column, and you can drag and drop columns to different areas of the screen without stopping the program. Tabs across the top of the main screen provide several methods for viewing activity. You can customize colors, refresh rates, and even the language. Port Explorer offers eight language choices—it's the only port enumerator to do so besides Netstat. The tool can also display network statistics.
Port Explorer offers several diagnostics and forensics utilities to help track the remote computer. Tools include Ping, Lookup, Whois, Traceroute, and even a packet sniffer called Socket Spy. By typing in PIDs, you can instruct Socket Spy to capture packet information on local programs. You can also kill any process that Port Explorer sees. Without a doubt, Port Explorer is the fastest, most stable, and most impressive port enumerator that I tested.
DiamondCS recently released a command-line utility called OpenPorts, which is free for home and educational use. The tool functions similarly to Fport; in fact, you can use an -fport command-line switch to mimic Fport's output. (OpenPorts also offers a -netstat output switch.) Interestingly, in its default mode, OpenPorts lists ports sorted by process name—a helpful feature that lets you see all the ports (TCP and UDP) associated with a particular program. Imagine the usefulness of this feature if your browser connects to a Web site that has links from 15 other sites and each one opens a different port. OpenPorts lists the process name (but not the path), local IP address and port number, remote IP address and port number, and state. The tool can also export to three file formats. Because it reports remote IP address, remote port number, and state, OpenPorts is a more effective free utility than Fport.
Socket Port Owner
FlyYa Software's Socket Port Owner ($14.99) barely beats Fport in the amount of useful information it offers. Its simple GUI reminds me of Active Network Monitor's main screen. Socket Port Owner shows PID, executable path, local and remote IP addresses and ports, and protocols. Strangely, the tool contains a column called Remote Location, which wrongly marked my private IP address as residing in Holland (although this glitch might be only in the demonstration version). Another column, called Listen, contains only a yes or no value—not exactly the best state information. Finally, Socket Port Owner offers no Help file.
Sysinternals' TCPView (free) is a no-frills product. The utility runs as one executable and features a real-time GUI that displays the right information where you need to see it. It lists process name, PID, protocol, local and remote IP address and port number, and state. By clicking a process connection, you can obtain the full path location and take steps to kill the process. New activity is color-coded for easy viewing.
A free product that delivers the basics seems hard to beat. However, in my tests, TCPView suffered from stability problems on Windows NT Server 4.0. For example, when I chose to save screen results to a text file, the program disappeared or crashed. Also, in the past, I've experienced stability problems when I've installed TCPView on NT 4.0 workstations—namely, continuous blue screen problems starting immediately after the first reboot. However, the program is stable on newer Windows platforms. Sysinternals and Wininternals Software have released a lot of high-quality free and commercial software, but use this utility at your own risk on NT.
Initially, I was going to review TCPView Pro, which is TCPView's more feature-rich commercial cousin. However, an evaluation version wasn't available for download from the company's Web site. TCPView Pro appears to be available only as part of a large Administrator's Pak (i.e., one of five utilities).
X-NetStat Professional 4.0
Although Fresh Software's X-NetStat Professional 4.0 ($20) is quickly and easily installed, it has an awkward GUI. Determining how to access specific information is difficult. The top half of the GUI lists a few connections, along with the local and remote addresses, local and remote ports, protocol, and state (which this program calls Status). At the bottom of the GUI are several boxes, each containing an open port (some UDP, some TCP). To obtain general information about what program is using the port, you must right-click one of the boxes, then choose Port Information. The whole program is buggy and awkward. The only bright side of X-NetStat Professional is its ability to perform banner-grabbing on ports, which proved occasionally useful in port identification.
At Fresh Software's Web site, I found an announcement for the release of version 5.0 in November 2002. That version hasn't yet arrived. The site also bombarded me with a flurry of pop-up ads. I assume that the developers have abandoned the product and are seeking revenue in other directions.
Ahead of the Pack
When you're searching for malware, the ability to list open TCP/IP ports with their initiating programs or services is beneficial. Netstat is limited, but it's installed on every version of Windows, which makes it always available for troubleshooting. Unfortunately, it doesn't make connecting an open port to the source program easy. On Windows 2003 and XP computers, Netstat -ano will do in a pinch—you can compare the information it provides with Task Manager's PID list. On other Windows platforms, however, you need to look for alternatives. The strongest contender in this comparative review is DiamondCS, with its GUI utility Port Explorer and its command-line tool OpenPorts. Sysinternals' TCPView is a good backup choice, if you can avoid the stability problems I experienced on NT. Foundstone's Fport is a good alternative to OpenPorts in the command-line port-enumerator field. But if you perform network security or administration for a living, you should have a copy of Port Explorer.