Using the tool I have already outlined in the previous article, you have access to a great deal of information about the ports in use on a system. There are, however, some additional tools that allow you to obtain more specific information about the ports in use and their state, as well as about the flow of information in and out of those ports. Some of these tools also let you link a listening port to its application.
NetStat Live
One of the most popular protocol monitors is NetStat, which ships free with Microsoft Windows. A version of this, NetStat Live (NSL), which is freely available on the Internet, is a small, easy-to-use TCP/IP protocol monitor that can be used to see the exact throughput of both incoming and outgoing data, whether you are using a modem, DSL or even a local network. It lets you see the speed at which your data goes from your computer to another computer on the Internet. It will even tell you how many other computers your data must go through to get to its destination. It also graphs the CPU usage of the NSL system. This can be especially useful if, for example, you are experiencing slow connection speeds: it can identify whether your computer is the reason for the slowdown or whether it is your Internet connection.
After you download and install the program, you simply run it. When the program launches, it displays the last 60 seconds of data. It shows the average data rate, the total amount of data sent since the last reboot, and the maximum data rate. It tracks all incoming and outgoing messages. This is the default display window, but it can be customized to show exactly what you want. To enable or disable a pane, simply right-click on the window, choose Statistics and then place a check next to any statistics that you would like to see. Your choices are:
- Local Machine. Monitors the current machine's name, IP address and network interface.
- Remote Machine. The remote machine, including average ping time and number of hops.
- Incoming Data. Data on the incoming (download) channel.
- Incoming Totals. Totals for the incoming data.
- Outgoing Data. Data on the outgoing (upload) channel.
- Outgoing Totals. Totals for the outgoing data.
- System Threads. Total number of threads currently running in the system.
- CPU Usage. Graphs the CPU load.
Notice that a machine is listed in the remote section, along with some information about it. You can easily change the server you are collecting information for: simply open your Web browser, go to a Web page and copy the URL (including the http://) to the clipboard with Ctrl + C.
In addition to adjusting the display, NSL can also be configured to operate in several different ways from the Configure dialog box. To access the Configure options, right-click on the NSL display and choose the configuration option you want. From this dialog box, you can configure the program in many ways. Your configuration options are:
- Auto Minimize. If enabled, when NSL starts up it will automatically appear in the system tray instead of as a window on the screen.
- Auto Start. If enabled, NSL will automatically run each time you reboot your machine (this is good to use with the Auto Minimize option).
- Always on Top. If enabled, the NSL dialog box will always be on top of other windows. This allows you to see the information no matter what else is on the screen.
- URL ClipCap. If enabled, NetStat will scan the Windows clipboard for a URL and, if it finds one, will automatically ping/traceroute it.
- Close Minimize. If enabled, pressing the Close button does not actually close NSL, but rather minimizes it to the system tray.
- TCP/IP Interface. This drop-down list allows you to select which of the currently available TCP/IP interfaces to monitor, or all available interfaces (if a specific interface cannot be found, it defaults back to all).
- Display values in. This drop-down list allows you to select whether the values are displayed in bits or bytes (the default).
NetStat Live tracks all network activity. This means that you can see how quickly data moves across the local network (as long as you are using TCP/IP) as well as to and from remote sites. Additionally, this means that when used on a modem connection, you will see the actual throughput and not just what the dial-up networking adapter or modem says it is doing. This allows you to see exactly what kind of performance you are getting while you are browsing Web pages.
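The current, average, peak and total figures NSL displays are all derived from the cumulative byte counters an adapter exposes. The following is an added example, not NSL's own code, showing how those statistics are computed from periodic counter readings, including the counter wrap that 32-bit interface counters undergo; the readings fed in are constructed so the script runs offline (a live feed would come from a counter source such as psutil.net_io_counters(), which is an assumption about the caller and is not used here).

```python
"""Rolling throughput statistics of the kind NetStat Live displays.

Added example, not NSL's own code. Network adapters expose cumulative byte
counters; the rate is the difference between two readings divided by the time
between them. The readings below are constructed so the script runs offline.
"""
from collections import deque
from typing import Deque, Optional, Tuple


class ThroughputWindow:
    """Average/peak/total statistics over the last `window_seconds` of samples."""

    def __init__(self, window_seconds: float = 60.0, counter_bits: int = 32) -> None:
        self.window = window_seconds
        self.wrap = 1 << counter_bits          # 32-bit interface counters wrap at 2^32
        # each entry: (timestamp, bytes since previous sample, elapsed seconds)
        self.samples: Deque[Tuple[float, int, float]] = deque()
        self.total = 0                         # bytes seen since the first sample
        self.peak = 0.0                        # highest bytes/sec ever observed
        self._last: Optional[Tuple[float, int]] = None

    def add_sample(self, timestamp: float, counter: int) -> Optional[float]:
        """Feed one cumulative counter reading; return bytes/sec since the previous one."""
        if self._last is None:                 # first reading only establishes a baseline
            self._last = (timestamp, counter)
            return None
        t0, c0 = self._last
        if timestamp <= t0:                    # duplicate or out-of-order sample: ignore
            return None
        self._last = (timestamp, counter)
        delta = counter - c0
        if delta < 0:                          # counter wrapped around its maximum
            delta += self.wrap
        elapsed = timestamp - t0
        rate = delta / elapsed
        self.total += delta
        self.peak = max(self.peak, rate)
        self.samples.append((timestamp, delta, elapsed))
        # drop samples that have fallen out of the window
        while self.samples and self.samples[0][0] <= timestamp - self.window:
            self.samples.popleft()
        return rate

    def current_rate(self) -> float:
        """Bytes/sec between the two most recent readings (0.0 before any)."""
        if not self.samples:
            return 0.0
        _, delta, elapsed = self.samples[-1]
        return delta / elapsed

    def average_rate(self) -> float:
        """Bytes/sec averaged over the samples still inside the window."""
        span = sum(s[2] for s in self.samples)
        return sum(s[1] for s in self.samples) / span if span else 0.0

    def window_peak(self) -> float:
        """Highest per-sample rate still inside the window."""
        return max((s[1] / s[2] for s in self.samples), default=0.0)


def format_rate(bytes_per_sec: float, in_bits: bool = False) -> str:
    """Render a rate in bytes/sec or bits/sec with a metric prefix (NSL's display option)."""
    value = bytes_per_sec * 8 if in_bits else bytes_per_sec
    unit = "bit/s" if in_bits else "B/s"
    for prefix in ("", "k", "M", "G"):
        if value < 1000 or prefix == "G":
            return f"{value:.1f} {prefix}{unit}"
        value /= 1000
    return f"{value:.1f} G{unit}"             # not reached; keeps the return type total


def replay(readings, window_seconds: float = 60.0) -> ThroughputWindow:
    """Feed a list of (timestamp, counter) readings and return the filled window."""
    w = ThroughputWindow(window_seconds)
    for ts, counter in readings:
        w.add_sample(ts, counter)
    return w


# Constructed readings: one per second, a growing burst, then an idle second.
SAMPLE_READINGS = [(0, 0), (1, 100), (2, 300), (3, 600), (4, 600)]
# Constructed readings that cross the 2^32 boundary of a 32-bit counter.
WRAP_READINGS = [(0, (1 << 32) - 500), (1, 300)]

if __name__ == "__main__":
    w = replay(SAMPLE_READINGS, window_seconds=2)
    print("current", format_rate(w.current_rate()), "average", format_rate(w.average_rate()),
          "peak", format_rate(w.peak), "total bytes", w.total)
```

The wrap handling matters on long-running monitors: a 32-bit octet counter on a busy link rolls over every few gigabytes, and without it a single reading would show a huge negative rate. The window is pruned by timestamp rather than by sample count, so irregular sampling intervals still give a true 60-second average.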
Active Ports
Active Ports is another easy-to-use tool for Windows. Through it you can monitor all open TCP and UDP ports on your local computer. Active Ports maps ports to the owning application so that you can watch which process has opened which port. It also displays the local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you detect Trojan horses and other malicious programs.
Like so many of these types of programs, Active Ports is available as a free download from many sites on the Internet.
Fport
Like Active Ports, Fport reports all open TCP and UDP ports and maps them to the owning application. Additionally, it maps those ports to running processes. Fport can be used to quickly identify unknown open ports and their associated application.
TCPView
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the remote addresses and the state of TCP connections. TCPView provides a conveniently presented subset of the Netstat program's output.
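What Active Ports, Fport and TCPView have in common, and what the introduction calls linking a listening port to its application, is a join between the socket table and the process list. The following is an added example, not code from the article or from any of those tools: it parses the text that `netstat -ano` and `tasklist /fo csv /nh` print on Windows, joins them on PID, and reports listeners that differ from a baseline of expected owners, which is how a defender spots the unknown open port the Fport paragraph mentions. The netstat and tasklist output, the baseline and the process names (including the lookalike "svch0st.exe") are constructed so the script runs offline; `live_snapshot()` runs the real commands only on a Windows host.

```python
"""Map listening ports to owning processes from `netstat -ano` / `tasklist` output.

Added example, not code from the article or from any tool it describes.
The sample outputs below are constructed so the script runs offline; on a
Windows host, live_snapshot() runs the real commands instead.
"""
import csv
import io
import platform
import subprocess
from typing import Dict, List, NamedTuple, Tuple


class Endpoint(NamedTuple):
    proto: str       # "TCP" or "UDP"
    local_ip: str
    local_port: int
    remote: str      # foreign address as printed by netstat
    state: str       # TCP state; empty for UDP, which netstat prints without one
    pid: int         # owning process id (the -o column)


# Constructed sample of `netstat -ano` output, not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING       5120
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     2316
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:123            *:*                                    1440
  UDP    0.0.0.0:5353           *:*                                    5120
"""

# Constructed sample of `tasklist /fo csv /nh` output (image name, PID, ...).
SAMPLE_TASKLIST = """\
"System","4","Services","0","156 K"
"svchost.exe","880","Services","0","9,212 K"
"svchost.exe","1204","Services","0","12,880 K"
"svchost.exe","1440","Services","0","6,104 K"
"browser.exe","2316","Console","1","210,004 K"
"svch0st.exe","5120","Console","1","3,912 K"
"""

# Hypothetical baseline of listeners expected on this host: (proto, port) -> image name.
BASELINE: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "svchost.exe",
    ("TCP", 445): "System",
    ("TCP", 3389): "svchost.exe",
    ("UDP", 123): "svchost.exe",
}


def parse_netstat(text: str) -> List[Endpoint]:
    """Parse the whitespace-separated rows of `netstat -ano` into Endpoints."""
    endpoints = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, column header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                      # malformed row
        ip, port = local.rsplit(":", 1)   # rsplit keeps "[::]" intact for IPv6
        endpoints.append(Endpoint(proto, ip, int(port), remote, state, int(pid)))
    return endpoints


def parse_tasklist(text: str) -> Dict[int, str]:
    """Parse `tasklist /fo csv /nh` rows into a PID -> image-name map."""
    names: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def map_listeners(netstat_text: str, tasklist_text: str) -> List[Tuple[str, int, int, str]]:
    """Unique (proto, port, pid, image) tuples for every listening socket.

    UDP rows carry no state column, so every bound UDP socket counts as a listener.
    """
    names = parse_tasklist(tasklist_text)
    found = set()
    for e in parse_netstat(netstat_text):
        if e.proto == "UDP" or e.state == "LISTENING":
            found.add((e.proto, e.local_port, e.pid, names.get(e.pid, "<unknown>")))
    return sorted(found)


def flag_unexpected(listeners, baseline) -> List(Tuple[str, int, int, str]) if False else list:
    """Listeners whose port is absent from the baseline or whose owner differs from it."""
    return [l for l in listeners if baseline.get((l[0], l[1])) != l[3]]


def live_snapshot() -> List[Tuple[str, int, int, str]]:
    """Run the real commands on a Windows host (the output format is Windows-specific)."""
    if platform.system() != "Windows":
        raise RuntimeError("netstat -ano / tasklist output format is Windows-specific")
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True, check=True).stdout
    return map_listeners(ns, tl)


if __name__ == "__main__":
    for proto, port, pid, image in flag_unexpected(map_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST), BASELINE):
        print(f"unexpected listener: {proto}/{port} owned by PID {pid} ({image})")
```

Comparing against a recorded baseline rather than eyeballing the list is what makes the check repeatable: a new port, or a familiar port now owned by a differently named image, both surface as findings. PIDs that no longer exist in the process list (a process that exited between the two commands) come out as "<unknown>" rather than being silently dropped.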
In-Depth Searches
Port scanners and other types of scanners can only tell you so much about a target system. At some point, you will probably have to take your investigation to a deeper level. For example, if you find out that a particular server is running IIS 5.0, that discovery probably means the company has Windows 2000. If you then uncover default shared folders and default registry settings, you know that the system is probably entirely set up with default settings. It is also less likely that this system is routinely patched and updated, because a security-conscious administrator would not have left default settings in the first place. Your next step is to scan the Internet using various search engines (e.g. www.yahoo.com, www.google.com, www.lycos.com) to find out whether there are any known vulnerabilities with the target system and its configuration. There is a good chance that someone has actually documented the specific vulnerabilities and how these faults can be exploited. Once you have studied the potential vulnerabilities in a target system, you can take one of several actions, depending on your role in the investigation.
1. If you are a system administrator, you must correct those vulnerabilities promptly.
2. If you are a "sneaker" (or an "ethical" white-hat hacker), you would document what you have found and then report it to your client.
3. If you are a cracker, you can use this information to select the most appropriate way to compromise the target system. However, be aware that such activities are illegal and can culminate in severe civil penalties, including a prison sentence.
Web searches and newsgroup searches (you can use Google's "groups" tab for this task) can also provide other interesting information about a site. You will often be able to find details about a company, such as its key personnel and ISP. There are several ways to use this information. For example, if you find that a company has a high turnover in its systems department (for example, you see the same job posted frequently, indicating rapid turnover), then it is less likely that the system is as secure as it should be. Or, if you see that one company is being bought out by another, this event might lead to some confusion in the two companies' IT departments as they try to merge. This information can help you identify other vulnerabilities in a target system.