Security Basics mailing list archives

RE: looking for tool to find open ports and domains


From: JGrimshaw () ASAP com
Date: Mon, 10 May 2004 17:35:21 -0500

I actually have a good use for this as well; I am considering setting up a 
wireless AP and placing it in its own DMZ on a firewall (in addition to 
other AP security that goes beyond this discussion). 

Ideally, I would like to identify all of the ports used, so that I would 
be convenienced by using a "deny IP any any" at the end of the 
access-list, after having permitted what I see as feasible... Blocking 
only what I know to be bad is like trying to manually block websites that 
I know to be bad.  It would be endless!  I was hoping someone would have a 
good reply to this--finding out what ports are running on all machines 
would make this project so much easier!

For example, I do not want our wireless users using FTP--none of the 
people that will use wireless will have a reason to use FTP, so I know not 
to permit ports 20 and 21.

And I can permit all of the Windows server ports--and web and other well 
known ports that I deem fit.  But the list of all KNOWN ports is in the 
thousands.  I can pick and choose, but ultimately I would be wrong in my 
selections.  1% error in 10000 ports is still 100 ports blocked that I 
shouldn't have...  That doesn't seem feasible given all of the fluff out 
there, but I believe that anything that will go wrong in IT... will go 
wrong in IT.

So as far as that goes, the only method I have to figure this out is to 
sniff the network, filter out to show only TCP and UDP packets, and then 
log many hours worth and hope to cover all of the bases before I give up 
looking at hundreds of megs of TCP and UDP captures, looking only for 
ports... aside from the Windows and well knowns I already know.

I looked at the Active Ports someone mentioned, but the website didn't say 
it could log to a file, or run silently.  Ultimately, I would like to run 
a script or policy on all machines that logs their port usage for a few 
days, updating their info to a fileshare somewhere.  Does anyone know a 
program that offers a logging utility that would allow for this--for 
Windows? 

Net Stat comes with Windows, but does not offer (to my knowledge) a way to 
actually log what comes up, or log intermittently to grab a snapshot at 
various points throughout the day. It's either that instant, or 
continuously, both without logging.

There were a few others that I read about in the review of Active Ports -- 
Port Explorer and Socket Port Owner, but the former is too much data (it 
is a sniffer) and the latter is just a graphic net stat.

I would like to think that other people would have a use for this as well. 
 Do you have a VPN that is behind a firewall?  What ports do you permit on 
its interface?  It would be a very similar thing--after people connect via 
their tunnel, they are on a device in a DMZ--what is allowed through? 
Everything?  Only Windows?  Something in between?  I'm looking for the 
same functionality as that, so I guess this is a dual pronged question:

Is anyone willing to share what ports (or what they did to map those 
ports) that would be used on a VPN connection that is filtered by a 
firewall (that doesn't permit everything!), and failing that, does anyone 
have software to map the ports used by endusers that can also log to a 
file? 





"Michael Chilcott" <michael_chilcott () emoryhealthcare org> 
05/09/2004 06:39 AM
To: <randallm () fidmail com>
cc: <security-basics () securityfocus com>
Subject: RE: looking for tool to find open ports and domains






Well, okay I guess I should have better explained what we have. We own a 
class "C" network, and it's broken into segments. Using Windows O/S these 
users can set up their PCs to belong to a different domain (i.e., workgroup). 
We would like to identify all the different domains, change them to our 
single domain, and be able to push domain, group and local policies. More or 
less - remove the rogue domains.

Thanks,
Mike

"RandallM" <randallm () fidmail com> 05/07/04 20:07 PM >>>
Well gosh darn Mike, I can save you time. In your own words you told us:

"I am looking for a way to scan for specific ports on all the PC's in our
network." 

Then you asked:

"I would like to know what domain these PCS belong to"

Therefore "they" must be on YOUR domain, right!? I mean after all you
would not be referring to just "random" scans, right?

As far as "open" ports, nmap and nessus do just that with the proper
switch options. As far as "what domain" a computer is on, a user in "your"
network would sure enough call you with a "I can't get to my folders"
because they did not or could not log on to your "network".

Another great tool for ports and exploits on "your network" are the
"Microsoft Baseline Security Analyzer" (www.microsoft.com) and the
"BlackCode Port Scanner" found at www.blackcode.com 

thank you
Randall M
 
<|>-----Original Message-----
<|>From: Michael Chilcott [mailto:michael_chilcott () emoryhealthcare org]
<|>Sent: Friday, May 07, 2004 10:07 AM
<|>To: security-basics () securityfocus com
<|>Subject: looking for tool to find open ports and domains
<|>
<|>I am looking for a way to scan for specific ports on all the PC's in our
<|>network. Also in this scan I would like to know what domain these PCS
<|>belong to. I have tried Nessus, nmap, and superscanner; and they produce
<|>great reports on the ports open, and way too much information about the
<|>machine.  Does anyone know any easy way to just get the port numbers
<|>open, and what domain the PC belongs to? Maybe I used the right tool, but
<|>not configured correctly...
<|>
<|>Thanks,
<|>Mike




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------