Solved

(200 Points) Some questions about netstat output

Posted on 2001-06-16
Last Modified: 2013-12-23
The questions I have this time have many times been asked on the net, but never were answered.

The output of netstat on an NT4 box shows the following mysterious ports being open and in listening state:

127.0.0.1:1027
0.0.0.0:1028

This raises some questions:

- What are they good for?

- Is there a program to do further tracking of the NT internals to get a hint (program name, DLL name, anything that helps) what service or other software is bound to those ports, or to other ports in general?

- When local ports are listed, I sometimes get
0.0.0.0
127.0.0.1
192.168.16.100 (local IP address) as the source address. Now I wonder what the difference is, if there is a difference at all.

I have, like usual, already checked various Internet sources (newsgroups, ms-kb, Technet) with no success. Especially the port 1027 question seems to be a quite common one for people dealing with firewalling, but nobody ever got any satisfactory answer.

For a complete answer of all questions, the reward is 200. I do assume that probably more than one expert contributes. Splitting points on EE is still difficult. So I rate the question 100, and either increase points or post a dummy for other contributors when accepting and grading.

...Armin
Question by:arminl
15 Comments
 
LVL 20

Expert Comment

by:Dufo G. Belski
ID: 6198323
Well, 127.0.0.1 is just the loopback address of your own computer.  That's the sum total of my knowledge on the subject! ;->
 
LVL 10

Expert Comment

by:tonnybrandt
ID: 6198951
Look in c:\winnt\system32\drivers\etc\services
This has some of the ports and services listed.

At this page, there is further info and links regarding port assignments:
http://www.packetstorm.securify.com/papers/firewall/firewall-seen.htm
 
LVL 10

Expert Comment

by:tonnybrandt
ID: 6198971
Also I suggest that you do a
route print
in a DOS box.

This will show you the routing table of your computer, and how the NIC's IP address, default gateway and loopback are connected. (Although it sometimes can be pretty tough to read if there are several adapters and dialup connections.)
 
LVL 4

Author Comment

by:arminl
ID: 6199494
Whatever there may be listed in the services table -- that's definitely not what's bound to ports 1027 and 1028 on an NT box. With the exception of ports 135 ... 139 the services table is completely irrelevant for NT networks anyway.

...Armin
 
LVL 1

Expert Comment

by:jbuda
ID: 6199830
Port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.

The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.

The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports. In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768.

Where to get a more complete list of port info:

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
    "Assigned Numbers" RFC, the official source for port assignments.

http://advice.networkice.com/advice/Exploits/Ports/
    Database of port numbers, hyper-linked to various exploits on those port numbers.

/etc/services
    On UNIX systems, the file /etc/services contains a list of commonly used UNIX port number assignments. On Windows NT, this file is located in %systemroot%/system32/drivers/etc/services.

regards
jbuda
 
LVL 10

Expert Comment

by:tonnybrandt
ID: 6200025
Buda:
Look at my previous post. Your comment is a cut and paste from that URL.
http://www.packetstorm.securify.com/papers/firewall/firewall-seen.htm
 
LVL 1

Expert Comment

by:jbuda
ID: 6200719
I think it needed to be told again....

Don't you agree?


jbuda
 
LVL 10

Expert Comment

by:tonnybrandt
ID: 6201003
Can't argue with that. I too think it is good and valid info for this question.

Regards
Tonny
 
LVL 4

Author Comment

by:arminl
ID: 6202803
Don't argue, experts.

The major points are still: what service is listening on port 1027, is there a tool to get hints which unknown service is bound to a port, and what is the difference between 0.0.0.0, 127.0.0.1 and the own IP address in the socket listing of the netstat program.

Thanks for the info that SUN does not assign their dynamic ports according to the RFCs as well. People usually complain about Microsoft doing things that way.

Armin
 
LVL 10

Expert Comment

by:tonnybrandt
ID: 6203413
From the page:
http://www.edukaty.com/halpc/sdocs/firewall_faq.html

This info about port 1027:

1024 ----- Many people ask the question what this port is used for. The answer is that this is the first port number in the dynamic range of ports. Many applications don't care what port they use for a network connection, so they ask the operating system to assign the "next freely available port". In point of fact, they ask for port 0, but are assigned one starting with port 1024. This means the first application on your system that requests a dynamic port will be assigned port 1024. You can test this fact by booting your computer, then in one window open a Telnet session, and in another window run "netstat -a". You will see that the Telnet application has been assigned port 1024 for its end of the connection. As more applications request more and more dynamic ports, the operating system will assign increasingly higher port numbers. Again, you can watch this effect with 'netstat' as you browse the Internet with your web browser, as each web page requires a new connection.
1025 ----- See port 1024.
1026 ----- See port 1024.
1027 ----- See port 1024.

Tonny
 
LVL 5

Accepted Solution

by:
Droby10 earned 100 total points
ID: 6203421
Check out the command-line utility fport from Foundstone...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic
 
LVL 1

Expert Comment

by:jbuda
ID: 6204718
I tried out the Foundstone util just to see what info it gives.. lots of references to System being the owner of ports but no further detail when it comes to that.

I'll follow this thread though..curiosity killed the process..
jbuda

 
LVL 5

Expert Comment

by:Droby10
ID: 6204762
Hmmm... it tells me exactly what process is bound to what port... it's the WinNT/2K equivalent of sockstat or lsof for Unix.
 
LVL 4

Author Comment

by:arminl
ID: 6272709
Please note that what was bothering me was not any service using the port 1027, but that the port was in LISTEN state. This means that there is a service bound to the port and ready to receive data, not a client like telnet. Since the machine doesn't have any additional services loaded on it but VNC (which doesn't cause the effect) and what comes with the MS box and is installed per default, I wonder what service opens that port for what reason.

Haven't tried the forensic tool yet, will do so as time permits.

...Armin
 
LVL 4

Author Comment

by:arminl
ID: 6301955
Have done further research on why MS software leaves an open port LISTENING. This issue seems to be a hot topic in sources dealing with firewalling.

The short of it: since nobody can peek into the source code, nobody knows whether this thing is useful, or just an implementation bug. The open port seems not to do any harm though: blocking it on the firewalls doesn't seem to affect any functionality, and nobody ever saw anyone or anything successfully connect to it. Some people suspect there could be some spy software for Microsoft behind it, but this is only an assumption, very likely false.

Fact is that there is always an open port LISTENing on one of the lowest dynamic ports, but it's not always the same, sometimes it is 1025, sometimes 1027 or anything close.

My own theory is that, since such a port could be used for interprocess communication over Winsocket ports, some Microsoft internal processes on the local machine could probably make use of these ports to talk to each other.

I give the points to Droby10 for the pointer to the excellent tool (in my opinion). Though it has in this case listed "System" and an unknown PID of 2 as the owner of the port, it has provided accurate info about what is bound to all the other ports, a question I could not easily answer with what comes with NT so far.

...Armin
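As an added example (not code from this thread or from Foundstone), here is a small Python parser over a constructed NT-style `netstat -an` listing that classifies each listener by its bind address, which is the difference the third question asks about, and flags dynamic-range listeners that no known service explains, distinguishing loopback-only ones from those the network can reach. The known-port set and the verdict labels are assumptions of mine, not anything from the thread.

```python
import re
from collections import namedtuple

# Constructed sample in the layout NT 4's `netstat -an` prints, including the
# two listeners from the question (127.0.0.1:1027 and 0.0.0.0:1028).
SAMPLE_NETSTAT = """Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.16.100:139     0.0.0.0:0              LISTENING
  TCP    192.168.16.100:1029    192.168.16.1:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
Socket = namedtuple("Socket", "proto addr port state")
# proto, local addr:port, foreign addr:port, optional state (UDP prints none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Turn netstat -an output into Socket records, skipping header lines."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, addr, port, state = m.groups()
            recs.append(Socket(proto, addr, int(port), state or ""))
    return recs

def scope(addr):
    """The bind address decides who can reach the socket at all."""
    if addr == "0.0.0.0":
        return "any-interface"    # every NIC, so reachable from the network
    if addr.startswith("127."):
        return "loopback-only"    # only processes on this same host
    return "single-interface"     # only via that one NIC's address

def review_listeners(text, known_ports=frozenset({135, 137, 138, 139})):
    """Every listener with its scope; a dynamic-range port (>= 1024) that no
    known service explains is 'note' if loopback-only, else 'review'."""
    findings = []
    for s in parse_netstat(text):
        if not (s.state == "LISTENING" or s.proto == "UDP"):
            continue  # established/client sockets are not the question here
        unexplained = s.port >= 1024 and s.port not in known_ports
        verdict = ("note" if scope(s.addr) == "loopback-only" else "review") \
            if unexplained else "ok"
        findings.append({"proto": s.proto, "port": s.port,
                         "scope": scope(s.addr), "verdict": verdict})
    return findings
```

On a real box, feed the captured `netstat -an` text in place of the sample and extend `known_ports` with whatever fport attributes to a named process; what remains in the 'review' bucket is the short list worth a firewall rule.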
