Notifications
Clear all

Ports analyser

6 Posts
3 Users
0 Likes
407 Views
(@psycko)
Posts: 16
Active Member
Topic starter
 

Hello
I would like to know if there is a program/script able to analyse
the ports opened on a computer when you do a netstat
and showed the corresponding service/trojan running

Regards

Psy

 
Posted : 13/03/2006 3:49 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

psycko…

What do you mean "analyze"? On XP and above, you can do a netstat and get the PID of the process using that port. Maybe if you could tell us what you're looking for…

Harlan

 
Posted : 13/03/2006 4:55 pm
(@psycko)
Posts: 16
Active Member
Topic starter
 

Thanks Harlan
In fact, when you do a netstat or fport , you have some information like protocol, local ip , distante ip, state and pid and you have the port used by process so I thought for a program/script able to indicate for example port 21=ftp , port 22 = ssh, 109=pop , port X = Trojan XXX
This could be a way to identify known and suspect processes.
A kind of "live" ports'database

Regards

Psy

 
Posted : 13/03/2006 5:41 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Psy,

This sort of thing is out there, but I don't recommend the use of them.

First off, a static ports database doesn't really constitute "analysis".

Second, trojans are configurable…many, very much so. In my incident response course, I "infect" systems with a netcat listener (I rename nc.exe to inetinfo.exe) bound to port 80. That alone makes the ports database useless.

I'd recommend a process of examining the executable; for example when you run openports.exe and get the path to the executable, "c\windows\system32\svchost.exe" is legitimate (assuming WFP hasn't been mucked with…) while "c\windows\temp\svchost.exe" may not be. Another way to analyze the svchost.exe (or any other legit file) is to hash it, and to see what the file version info says.

Also, consider using nmap.exe to do service identification.

hope that helps,

Harlan

 
Posted : 13/03/2006 6:22 pm
(@fatrabbit)
Posts: 132
Estimable Member
 

Like Harlan suggested Nmap is worth a look. It has a database of port fingerprints that identifies services, including trojans, and it gets updated regularly. As pointed out by Harlan the database will not contain an exhaustive list of all the contemporary, reconfigured versions of all trojans, but it is a good resource.

 
Posted : 14/03/2006 2:59 pm
(@psycko)
Posts: 16
Active Member
Topic starter
 

Ok thanks for the answers
nmap seems to be the right tool
I am going to try it as soon as possible

Regards

Psy

 
Posted : 14/03/2006 8:14 pm
Share: