Solved

How to know if someone is scanning my PC for open ports or not

Posted on 2006-07-22
19
363 Views
Last Modified: 2013-12-04
Dear All,

Hi, this is my first time asking something regarding security.

We are a small network with 20 clients, Windows XP Pro SP2.
We do not have any dedicated firewall, like ISA or anything else.
We have one Domain Controller only.

Now, we discovered that one of my users installed the software called GFI LANguard to scan the whole network.

Here is my question: how can I know if someone is scanning my PC, searching for any open ports, or not?

Is there any software I can install that will help me to determine what exactly I have, or to give me an alert that someone is trying to scan my PC for any open ports?

Please update me.
Question by:rolamohammed
19 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17159632
Firewall software can tell you, like ZoneAlarm, or you can look through the XP firewall logs for such behaviour. An IDS like Snort can alert you to this activity also. Snort is based on behaviour and packet signatures; it can tell you if someone is using P2P software like Kazaa, Napster, etc., and it can identify certain scanners as well, as most have unique ping signatures that make them identifiable. And much, much more!

GFI LNSS is more than a scanner, it's also an audit tool, searching for things like SNMP community strings, Windows patch levels, various registry settings, open ports and open shares, and possible exploits are tested.

-rich
0
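Rich's first suggestion, looking through the XP firewall logs for scan behaviour, is easy to do by hand for one day and tedious for a month. The following is an added example for this thread (not code from any of the posters) that reads the W3C-style records Windows Firewall writes to pfirewall.log and flags any source address that touches many distinct ports on this host in a short window, which is what a LANguard or nmap sweep looks like from the target's side. The log lines are constructed for the demo, the #Fields layout is the one XP SP2 writes as far as I recall it (the parser reads the header rather than hard-coding columns, so a different layout still parses), and the thresholds are arbitrary starting points, not tuned values.

```python
"""Flag port-scan-like activity in a Windows XP SP2 firewall log.

Added example for this thread, not code from any of the posters. It reads the
W3C-style records that Windows Firewall writes to pfirewall.log once "Log
dropped packets" is enabled. The log below is constructed for the demo; the
field names follow the #Fields header, so columns are looked up by name.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_HEADER = (
    "#Version: 1.5\n"
    "#Software: Microsoft Windows Firewall\n"
    "#Time Format: Local\n"
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path\n"
)
# Constructed sample: 192.168.1.77 probes twelve ports on this host (192.168.1.20)
# one second apart, the way a LAN scanner looks in the log; 192.168.1.31 makes a
# single SMB connection attempt two minutes later, which is ordinary LAN noise.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = _HEADER + "".join(
    f"2006-07-22 14:03:{10 + i:02d} DROP TCP 192.168.1.77 192.168.1.20 "
    f"{3345 + i} {port} 48 S 2974185129 0 65535 - - - RECEIVE\n"
    for i, port in enumerate(SCAN_PORTS)
) + "2006-07-22 14:05:02 DROP TCP 192.168.1.31 192.168.1.20 1067 445 48 S 1893455711 0 65535 - - - RECEIVE\n"


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled record: skip rather than guess
        yield dict(zip(fields, values))


def detect_port_scans(text, min_ports=10, window_seconds=30):
    """Return {src_ip: sorted list of every dst port it touched} for sources
    that hit at least min_ports distinct ports within window_seconds.
    Only inbound (path RECEIVE) TCP/UDP records count; SEND records are this
    host's own outbound traffic and would produce false positives."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src-ip -> [(timestamp, dst-port)]
    for rec in parse_firewall_log(text):
        if rec["path"] != "RECEIVE" or rec["protocol"] not in ("TCP", "UDP"):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events[rec["src-ip"]].append((ts, int(rec["dst-port"])))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports_in_window = {port for ts, port in evs[i:] if ts - start <= window}
            if len(ports_in_window) >= min_ports:
                scanners[src] = sorted({port for _, port in evs})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src} touched {len(ports)} ports: {ports}")
```

Two caveats when running this against a real pfirewall.log: the XP firewall only writes DROP records by default, so a scan of ports you have deliberately opened leaves no trace unless "Log successful connections" is also enabled; and the file is only written while the firewall is on, so a scan that happened before you turned it on is simply not there.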
 

Author Comment

by:rolamohammed
ID: 17159825
Thanks for your reply.

I have one user who is trying to scan MY PC. Which is the best to download in order to stop, or notify me when, someone is trying to scan my PC to see if I have open ports or not?

Please advise me.

Also, I have another question I want to ask about.

How do I know if someone has installed any software to know all the passwords inside my network?

How can I know? Because of this user I am really going mad; I am afraid he is installing some software to see all the passwords for all the PCs which we are using when we log in, in order to trace us.

So how can I know if I have software like this or not?

I do not deploy any certificates or any message encryption for that.

Please guide me.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17160177
You can do several things to know if he/she has installed such software: look through the installed software in the Control Panel of each PC (Add/Remove Programs).
Look at all the folders on each PC; use McAfee to scan for possible password crackers like Cain & Abel, John the Ripper, LC5, pwdump, RainbowCrack, Ophcrack, etc.
Users should not be admins; they should be placed in the Users group so they can't install such software. However, it doesn't necessarily prevent them from running it; most of the software I listed above can be run from a CD-ROM or other storage, it doesn't necessarily have to be installed.
If you can get upper management permission, install an activity monitor like BO2k or Spector Pro; each can keep a log of keystrokes and the user's activity. Spector Pro is able to be stealthy, but BO2k is not hidden.

Turn on the XP firewall, then scan your PC from another on the LAN to make sure the ports you want closed are closed; use nmap, or GFI's LANguard Network Security Scanner.
A typical nmap.exe command-line scan is:
nmap.exe -sT -P0 -T5 ip.ip.ip.ip -v

I prefer ZoneAlarm Pro as a firewall; in fact it may be perfect for your situation. It can control what accesses the NIC, and you can password-protect that access. Install ZAP on his/her machine; next time they try to use GFI LNSS against your PC, ZA will ask him/her for a password before it can access the NIC. That doesn't mean he/she doesn't have your passwords already...
-rich
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17161846
Apart from the technical approaches to prevent this happening again, you need to report this issue to management and suggest defining your internal IT policy, which gives the proper ways in which an employee may use the company's computing resources, including the network. It is essential work, however big a company is.
0
 

Author Comment

by:rolamohammed
ID: 17162411
Guys, thanks for your reply.

I got this in my Event Viewer:
-----------------------------------------------------------


The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1208
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 123
Allowed: No
User notified: No

-------------------------

So, what I did: I just restarted my PC, logged in locally without my network card connected to the company switch, and I want to see what the meaning of this message is.

If it appears again, what is the meaning of it? Does it mean that everything is OPEN?

How can I close it by using my firewall on XP Pro?

Can you update me?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17162556
No worries about this. Port 123 is reserved for time sync on XP or W2K3, used by the Windows Time service, hosted by svchost.exe. You should allow this kind of outgoing traffic, otherwise your clock cannot be synchronized.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17162930
Open Control Panel and turn on the XP firewall: http://support.microsoft.com/?id=283673 or give ZoneAlarm a try: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

XP's firewall logs can be viewed as described here: http://support.microsoft.com/kb/875357/ (separate from the event logs)
-rich
0
 

Author Comment

by:rolamohammed
ID: 17166605
Thanks guys for your reply.

I want someone to answer me.

If I want to trace or stop anyone from scanning my network, is what I understood correct or not?

What I understood is: to trace or to stop anyone from scanning my network, I have to have Intrusion Detection Software / Hardware (IDS). Is that correct?

And it's available in Cisco IDS, or any other product. So is that correct?

---------------

Also, 3 questions from me.

1- Now, if I have ISA Server 2004, either Std or Ent, can I configure it to work as an IDS internally in my LAN, so if anyone from my internal users tries to scan my network, the ISA will catch him? Is that correct?

2- Generally, can ISA work as an IDS for both (internal & external), or (internal only), or (external only)? Can the ISA work as an IDS at all?

3- What is the difference between the ISA Firewall Client, which is installed on Windows XP Pro SP2, and its built-in firewall, which we are talking about? Can I understand the difference please?

Or is the ISA Firewall Client dedicated to the Internet connection, while the XP one is for internal use?
I get confused, please update me.

Please update me .


0

 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17167053
1&2: ISA does not do that. ISA is a gateway working between the internal LAN and the external network.

It is true that ISA intends to protect your LAN, but not by restricting or scanning internal communication; it does so by filtering incoming and outgoing traffic instead.

3: The ISA client is a program that transparently redirects all your Internet access to the ISA server, for better security control and performance. Without using the ISA client, you can still access the Internet via NAT or a proxy gateway.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17167592
An IDS will alert you to such activity, and an IDP, such as Cisco's, or using SnortSam with Snort, will function as an IDP. Snort also has an "in-line" mode that makes it natively support IDP functions, basically sending RST packets to the offending source. SnortSam will actually update your firewalls or router ACLs to block the traffic for an amount of time you specify.

The main prevention methods are:
Get policies in place that clearly outline that this type of program and behaviour is not tolerated within the company http://www.sans.org/resources/policies/
Keep users from being administrators so they can't install such programs. http://xinn.org/win_bestpractices.html
Keep logs of installed programs, looking for unapproved software with a script or by hand. http://www.intersectalliance.com/projects/SnareWindows/
Parse the XP firewall logs of your machines http://www.intersectalliance.com/projects/SnareWindows/
Get an IDS or IDP solution to alert you to such activities http://snort.org/
-rich
0
 

Author Comment

by:rolamohammed
ID: 17175234
thanks for your reply

Is there any way to have a script that I will run on the user side, so whenever he installs an application, it will alert me by sending an e-mail?

please update me .
0
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 250 total points
ID: 17176686
It sounds possible, but do you really think that the user would be willing to do so as you expect? :-)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17176845
Logon scripts are a good way to go, or a scheduled task that runs a script:
http://www.xinn.org/logonscripting101.html
http://xinn.org/logonscripting102.html
http://www.xinn.org/RunasVBS.html
http://xinn.org/misc-scripts/wmi-inventory.txt
This will gather all the info from "Add/Remove Programs" in the Control Panel.

======

On Error Resume Next
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
' Machines to inventory; "." is the local computer. Add names/IPs to walk several.
arrComputers = Array(".")
For Each strComputer In arrComputers
   WScript.Echo
   WScript.Echo "=========================================="
   WScript.Echo "Computer: " & strComputer
   WScript.Echo "=========================================="
   Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
   ' Win32_Product only knows about software registered with Windows Installer (MSI)
   Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Product", "WQL", _
                                          wbemFlagReturnImmediately + wbemFlagForwardOnly)
   For Each objItem In colItems
      WScript.Echo "Caption: " & objItem.Caption
      WScript.Echo "Description: " & objItem.Description
      WScript.Echo "IdentifyingNumber: " & objItem.IdentifyingNumber
      WScript.Echo "InstallDate: " & objItem.InstallDate
      WScript.Echo "InstallDate2: " & WMIDateStringToDate(objItem.InstallDate2)
      WScript.Echo "InstallLocation: " & objItem.InstallLocation
      WScript.Echo "InstallState: " & objItem.InstallState
      WScript.Echo "Name: " & objItem.Name
      WScript.Echo "PackageCache: " & objItem.PackageCache
      WScript.Echo "SKUNumber: " & objItem.SKUNumber
      WScript.Echo "Vendor: " & objItem.Vendor
      WScript.Echo "Version: " & objItem.Version
      WScript.Echo
   Next
Next

' Convert a WMI datetime string (yyyymmddHHMMSS...) into a VBScript Date
Function WMIDateStringToDate(dtmDate)
      WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
      Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
      & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
End Function

-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17176978
Here is the same thing on one line. You can copy the above script to a text file and rename it to a ".bat" file and call it via a logon script or scheduled task, or place this line in a txt file, rename it to .bat and do the same:

wmic.exe /output:C:\InstdPrograms.html PRODUCT get /format:hform.xsl

That's it! It saves the file to c:\InstdPrograms.html (you can change this to something else...)
-rich
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 17178208
I should note that the above scripts only list programs installed via an MSI installer package.
To get a fuller list, you may have to query the registry, probably the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall directory.

Something simple is
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr "DisplayName"
or
reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr "UninstallString"
Neither is very good without more parsing...
-rich
0
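The "more parsing" Rich says the reg.exe output needs, together with the alert the asker wanted when something new gets installed, comes down to one job: keep the previous dump of the Uninstall key, parse the current one, and report the subkeys that were not there before. The following is an added example for this thread (not code from any of the posters). It assumes a logon script or scheduled task saves the output of `reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s` to a file on each run and keeps the previous file; the two dumps embedded below are constructed to approximate XP reg.exe output (both tab- and space-separated value lines are accepted) and are not real registry contents. It also goes one step beyond the findstr "DisplayName" filter above: a subkey that has no DisplayName at all (which is how a program hides from Add/Remove Programs) is still reported as new.

```python
"""Report newly installed programs by diffing two dumps of the Uninstall key.

Added example for this thread, not code from any of the posters. Assumed
workflow: a logon script or scheduled task runs
    reg.exe query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall /s > snapshot.txt
and keeps the previous snapshot; this script compares the two. The dumps
below are constructed to approximate XP reg.exe output; they are not real
registry contents.
"""
import re

_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"
# A subkey line: the Uninstall path followed by exactly one more component.
_SUBKEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Uninstall\\(.+)$", re.IGNORECASE)
# A value line inside a subkey: "    DisplayName    REG_SZ    <name>" (tabs or spaces).
_DISPLAY_RE = re.compile(r"^\s+DisplayName\s+REG_SZ\s+(.+?)\s*$", re.IGNORECASE)

# Constructed baseline dump taken while the machine was known-clean.
BASELINE = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    _ROOT,
    "",
    _ROOT + r"\{00000000-0000-0000-0000-000000000001}",
    "    DisplayName\tREG_SZ\tExample Office Suite 2003",
    "    UninstallString\tREG_SZ\tMsiExec.exe /I{00000000-0000-0000-0000-000000000001}",
    "",
    _ROOT + r"\WinZip",
    "    DisplayName\tREG_SZ\tWinZip",
    "",
])

# Constructed dump from the same machine a day later: the scanner from the
# thread has appeared, plus a subkey with no DisplayName at all (invisible in
# Add/Remove Programs and to findstr "DisplayName", but still a new subkey).
CURRENT = BASELINE + "\n".join([
    _ROOT + r"\GFI LANguard N.S.S. 7.0",
    "    DisplayName    REG_SZ    GFI LANguard Network Security Scanner 7.0",
    "    UninstallString    REG_SZ    C:\\Program Files\\Example\\uninstall.exe",
    "",
    _ROOT + r"\{00000000-0000-0000-0000-000000000002}",
    "    SystemComponent\tREG_DWORD\t0x1",
    "    UninstallString\tREG_SZ\tC:\\tools\\quiet.exe /remove",
    "",
])


def parse_uninstall_dump(text):
    """Return {subkey: display_name_or_None} from reg.exe query /s output.

    Subkeys without a DisplayName are kept (value None) so that software which
    hides itself from Add/Remove Programs still shows up in a diff."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        key = _SUBKEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, None)
            continue
        name = _DISPLAY_RE.match(line)
        if name and current is not None:
            entries[current] = name.group(1)
    return entries


def new_programs(previous_dump, current_dump):
    """Subkeys present in current_dump but not in previous_dump, as sorted
    (subkey, display_name) pairs; display_name is None when the key has none."""
    before = parse_uninstall_dump(previous_dump)
    after = parse_uninstall_dump(current_dump)
    return sorted((key, after[key]) for key in after.keys() - before.keys())


def format_report(added, computer="."):
    """Plain-text summary suitable for the body of an alert e-mail."""
    if not added:
        return f"{computer}: no new programs"
    lines = [f"{computer}: {len(added)} new program(s) in the Uninstall key"]
    for key, name in added:
        lines.append(f"  {name or '<no DisplayName>'}  [{key}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(new_programs(BASELINE, CURRENT)))
```

The report is plain text so the scheduled task can hand it to whatever command-line mailer you already have. Two limits worth stating: the baseline is only as good as the machine was when you took it, and, as Rich points out above, a tool run from a CD or USB stick never writes to the Uninstall key at all, so this catches registered installs, not everything a local administrator can run.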
 

Author Comment

by:rolamohammed
ID: 17182714
Guys,

Everyone, thanks for your replies.

I will test the script, and I will come back; please do not close this subject.
0
