  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 347

(200 Points) Some questions about netstat output

The questions I have this time have many times been asked on the net, but never were answered.

The output of netstat on a NT4 box shows the following mysterious ports being open and in listening state:

127.0.0.1:1027
0.0.0.0:1028

This raises some questions:

  • what are they good for?

  • is there a program to do further tracking of the NT internals to get a hint (program name, dll name, anything that helps) what service or other software is bound to those ports, or other ports in general?

  • when local ports are listed, I sometimes get ports
    0.0.0.0
    127.0.0.1
    192.168.16.100 (local IP address) as the source address. Now I wonder what the difference is, if there is a difference at all.

I have, like usual, already checked various Internet sources (newsgroups, ms-kb, Technet) with no success. Especially the port 1027 question seems to be a quite common one for people dealing with firewalling, but nobody ever got any satisfactory answer.

For a complete answer of all questions, the reward is 200. I do assume that probably more than one expert contributes. Splitting points on EE is still difficult. So I rate the question 100, and either increase points or post a dummy for other contributors when accepting and grading.

...Armin
Asked by: arminl
 
Dufo G. Belski (Retired bureaucrat/desktop support) commented:
Well, 127.0.0.1 is just the loopback address of your own computer.  That's the sum total of my knowledge on the subject! ;->
 
tonnybrandt commented:
Look in c:\winnt\system32\drivers\etc\services
This has some of the ports and services listed

At this page, there are further info and links regarding port assignments.
http://www.packetstorm.securify.com/papers/firewall/firewall-seen.htm
 
tonnybrandt commented:
Also I suggest that you do a
route print
in a dosbox.

This will show you the routing table of your computer, and how the NIC's IP address, default gateway and loopback are connected. (Although it sometimes can be pretty tough to read if there are several adapters and dialup connections.)
 
arminl (Author) commented:
Whatever there may be listed in the services table -- that's definitely not what's bound to ports 1027 and 1028 on a NT box. With the exception of ports 135 ... 139 the services table is completely irrelevant for NT networks anyway.

...Armin
 
jbuda commented:
Port numbers are divided into three ranges:
The Well Known Ports are those from 0 through 1023. These are tightly bound to services, and usually traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.
The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes.
For example, most systems start handing out dynamic ports starting around 1024.
The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports.
In reality, machines start assigning "dynamic" ports starting at 1024. We also see strangeness, such as Sun starting their RPC ports at 32768.
Where to get a more complete list of port info:
     ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
          "Assigned Numbers" RFC, the official source for port assignments.

     http://advice.networkice.com/advice/Exploits/Ports/
           Database of port numbers, hyper-linked to various exploits on those port numbers.

     /etc/services
          On UNIX systems, the file /etc/services contains a list of commonly used UNIX port number assignments. On Windows NT, this file is located in %systemroot%/system32/drivers/etc/services.

regards
jbuda
 
tonnybrandt commented:
Buda:
Look at my previous post. Your comment is a cut and paste from that URL.
http://www.packetstorm.securify.com/papers/firewall/firewall-seen.htm
 
jbuda commented:
I think it needed to be told again....

don't you agree?


jbuda
 
tonnybrandt commented:
Can't argue with that. I too think it is good and valid info for this question.

Regards
Tonny
 
arminl (Author) commented:
Don't argue, experts.

The major points are still: what service is listening on port 1027, is there a tool to get hints which unknown service is bound to a port, and what is the difference between 0.0.0.0, 127.0.0.1 and the own IP address in the socket listing of the netstat program.

Thanks for the info that SUN does not assign their dynamic ports according to the RFCs as well. People usually complain about Microsoft doing things that way.

Armin
 
tonnybrandt commented:
From the page:
http://www.edukaty.com/halpc/sdocs/firewall_faq.html

This info about port 1027

1024 ----- Many people ask the question what this port is used for. The answer is that this is the first port number in the dynamic range of ports. Many applications don't care what port they use for a network connection, so they ask the operating system to assign the "next freely available port". In point of fact, they ask for port 0, but are assigned one starting with port 1024. This means the first application on your system that requests a dynamic port will be assigned port 1024. You can test this fact by booting your computer, then in one window open a Telnet session, and in another window run "netstat -a". You will see that the Telnet application has been assigned port 1024 for its end of the connection. As more applications request more and more dynamic ports, the operating system will assign increasingly higher port numbers. Again, you can watch this effect with 'netstat' as you browse the Internet with your web browser, as each web-page requires a new connection.
1025 ----- See port 1024.  
1026 ----- See port 1024.  
1027 ----- See port 1024.  

Tonny
 
Droby10 commented:
check out the command-line utility fport from foundstone...

http://www.foundstone.com/rdlabs/tools.php?category=Forensic
 
jbuda commented:
I tried out the foundstone util just to see what info it gives..lots of references to system being the owner of ports but no further detail when it comes to that.

I'll follow this thread though..curiosity killed the process..
jbuda

 
Droby10 commented:
hmmm...it tells me exactly what process is bound to what port...it's the winnt/2k equivalent of sockstat or lsof for unix.
 
arminl (Author) commented:
Please note that what was bothering me was not any service using the port 1027, but that the port was in LISTEN state. This means that there is a service bound to the port and ready to receive data, not a client like telnet. Since the machine doesn't have any additional services loaded on it but VNC (which doesn't cause the effect) and what comes with the MS box and is installed per default, I wonder what service opens that port for what reason.

Haven't tried the forensic tool yet; will do so as time permits.

...Armin
 
arminl (Author) commented:
Have done further research why MS software leaves an open port LISTENING. This issue seems to be a hot topic in sources dealing with firewalling.

The short of it: since nobody can peek into the source code, nobody knows whether this thing is useful, or just an implementation bug. The open port seems not to do any harm though: blocking it on the firewalls doesn't seem to affect any functionality, and nobody ever saw anyone or anything successfully connect to it. Some people suspect there could be some spy software for Microsoft behind it, but this is only an assumption, very likely false.

Fact is that there is always an open port LISTENING on one of the lowest dynamic ports, but it's not always the same, sometimes it is 1025, sometimes 1027 or anything close.

My own theory is that, since such a port could be used for interprocess communications over Winsock ports, some Microsoft internal processes on the local machine could probably make use of these ports to talk to each other.

I give the points to Droby10 for the pointer to the excellent tool (in my opinion). Though it has in this case listed "System" and an unknown PID of 2 as the owner of the port, it has provided accurate info about what is bound to all the other ports, a question I could not easily answer with what comes with NT so far.

...Armin
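As an added illustration, not code from anyone in this thread, here is a small Python parser over constructed `netstat -an` style lines (modelled on the NT output format, not captured from a real host). It labels each listening socket with the IANA range jbuda quoted and with what its bind address means for reachability: 0.0.0.0 accepts on every interface, 127.0.0.1 only from the host itself, and a specific address only on that one interface. The final helper picks out the listeners a firewall reviewer would want to attribute to a process first.

```python
import ipaddress
import re

# Constructed sample in the shape of `netstat -an` on NT/2000 (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.16.100:139     0.0.0.0:0              LISTENING
  TCP    192.168.16.100:1031    10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local addr, local port, foreign endpoint, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def port_range(port: int) -> str:
    """IANA ranges as quoted in the thread: well-known, registered, dynamic/private."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def bind_scope(addr: str) -> str:
    """What the local bind address in the netstat listing means for who can reach it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0: bound to every interface
        return "all interfaces (reachable from the network)"
    if ip.is_loopback:             # 127.0.0.1: local processes only
        return "loopback only (reachable from this host only)"
    return "one interface only"    # e.g. 192.168.16.100: only via that NIC

def parse_listeners(text: str):
    """Return (proto, addr, port, range, scope) for every listening socket."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # header or unparseable line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                        # skip ESTABLISHED, TIME_WAIT, ...
        port = int(port)
        rows.append((proto, addr, port, port_range(port), bind_scope(addr)))
    return rows

def exposed_dynamic_listeners(text: str):
    """Listeners above the well-known range that are not loopback-bound: the ones to
    attribute to a process (fport-style) or block at the firewall, as in the thread."""
    return [r for r in parse_listeners(text)
            if r[3] != "well-known" and not r[4].startswith("loopback")]
```

In the sample, 127.0.0.1:1027 is flagged as loopback-only, while 0.0.0.0:1028 is the one listener in the dynamic range that is reachable from the network.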
