Open Port Query

(imported topic written by intrepdmind91)

Hello,

I’m wondering if it’s possible to do two things with a BES Retrieved Property:

  1. Query port status: i.e. create a property that will report the status of port 135 as open/closed on Windows machines.

  2. Create a property that will report if File and Printer sharing is enabled

Any ideas?

Thank you so much in advance~

(imported comment written by BenKus)

Hi intrepdmind,

  1. We don’t have a built-in port inspector, but you could do something like this:

Create a Task with the action:

waithidden cmd.exe /C netstat -an > "{pathname of parent folder of regapp "BESClient.exe"}\netstat.log"

Set the Task to run periodically (perhaps once per day?)

Make a property with the relevance:

exists line whose (it contains "TCP" AND it contains "0.0.0.0:135" AND it contains "LISTENING") of file "netstat.log" of parent folder of regapp "besclient.exe"

  2. I couldn’t see any obvious way to do this… anyone know a reg key or wmi value that reflects this setting?

Ben
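
Added example, not part of the original post: a Python sketch that parses `netstat -an` output by column instead of by substring. A substring test for `0.0.0.0:135` also matches `0.0.0.0:1350` and misses a listener bound to a specific or IPv6 address. The sample output and all function names are constructed for illustration.

```python
import re

# Constructed `netstat -an` excerpts (Windows layout), not from the thread.
ONLY_1350 = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1350           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     10.0.0.5:135           ESTABLISHED
"""
BOUND_135 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:135       0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Columns: proto, local address, local port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def substring_check(text, port=135):
    """Same logic as the relevance above: three substring tests per line."""
    needle = "0.0.0.0:%d" % port
    return any("TCP" in line and needle in line and "LISTENING" in line
               for line in text.splitlines())

def listeners(text):
    """Return {(proto, local_address, port)} for sockets accepting traffic."""
    found = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        proto, addr, port, _foreign, state = m.groups()
        # TCP rows carry a state; UDP rows have none and count as bound.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, addr.strip("[]"), int(port)))
    return found

def is_listening(text, port, proto="TCP"):
    """True if any local address listens on exactly this port."""
    return any(p == proto and n == port for p, _addr, n in listeners(text))

if __name__ == "__main__":
    for name, text in (("ONLY_1350", ONLY_1350), ("BOUND_135", BOUND_135)):
        print(name, substring_check(text), is_listening(text, 135))
```
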

(imported comment written by tratz91)

Similar to the netstat process Ben mentions, there are several other good (free) tools available that accomplish the same thing with more useful output - depending on what you are looking for. For example, fport produces the following:

    Pid   Process      Port  Proto  Path
    392   svchost   -> 135   TCP    C:\WINNT\system32\svchost.exe
    8     System    -> 139   TCP
    8     System    -> 445   TCP
    508   MSTask    -> 1025  TCP    C:\WINNT\system32\MSTask.exe
    392   svchost   -> 135   UDP    C:\WINNT\system32\svchost.exe
    8     System    -> 137   UDP
    8     System    -> 138   UDP
    8     System    -> 445   UDP
    224   lsass     -> 500   UDP    C:\WINNT\system32\lsass.exe
    212   services  -> 1026  UDP    C:\WINNT\system32\services.exe

Usage:

    /?   usage help
    /p   sort by port
    /a   sort by application
    /i   sort by pid
    /ap  sort by application path

Knowing what ports are listening is one thing. Knowing what process and specific executable is listening on that port is another.

Making a property that inspects fport’s output and captures all the output variables could make for some very cool IDS functionality, service management, etc.

I hope this helps.

Tom

(imported comment written by intrepdmind91)

These are both really fantastic ideas. I really appreciate the extra advice, tratz, and will definitely give your idea a shot. I thought this one might be a bit flakey :slight_smile:

Maybe a port inspector might be a possible idea for a future release?

(imported comment written by BenKus)

I swore I filed this request 3 years ago, but I couldn’t find it… Re-filed as request #26165

Ben

(imported comment written by BenKus)

Aha… found the original request #5068… it was almost 6 years ago…

“Opened: 2003-12-15 11:19”

Our problem these days at BigFix is that we have too many interesting things we want to create and it is so hard to prioritize what to do next… Some requests get starved… :slight_smile:

Ben

(imported comment written by JasonO91)

Just a little example with open ports.

I have included a task to run netstat -an on Windows and all flavors of Unix.

I’ve also included an example of an analysis that works on both Windows and Unix.

It’s nothing fancy, but much easier than creating your own tasks/analysis.

Jason

(imported comment written by JasonO91)

Here’s the Windows Task.

(imported comment written by JasonO91)

Here’s the Unix task.