Solved

Script to extract either 'Port Scan' or 'NetStat' results on specific Ports 9080, 9081, 9082

Posted on 2013-01-31
18
1,380 Views
Last Modified: 2013-02-06
Hi Experts,

I've a requirement to investigate if Ports 9080, 9081 & 9082 are being binded/used on approx 2000 production servers without triggering any alarms for the Security folks.

The script should look for the servers in a Text File and should extract the results in the CSV format sorted out in a proper format.


I've had a look at a few scripts however with my limited PS or Scripting experience I'm not able to get the results.

Would appreciate if you could please prepare the script and also provide basic instructions on how to run it.

Thank you and I look forward to hearing from you soon.
0
Comment
Question by:japji
  • 9
  • 9
18 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 38842510
Hi, if you run Port Query V2 from here:
http://www.microsoft.com/en-au/download/details.aspx?id=17148

using the following command:
portqry.exe -n YOURSERVER -e 9080,9081,9082

does that give you the results you're after?  If so, we could script that to take in a list of servers.

Regards,

Rob.
0
 

Author Comment

by:japji
ID: 38849681
Hi RobSampson,

Thank you for your response.

The output of the above command is NOT CORRECT. There are couple of issues as below:

1) The results always says "Not Listening" even though net stat results shows it as "Established"

2) The above command only looks for the first port which is 9080 and doesn't goes over the second or third port.

Please assist with this issue. Thanks
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38849690
OK, not sure port query shows a different result.  So if you run these:
netstat -a | find /i "9080"
netstat -a | find /i "9081"
netstat -a | find /i "9082"

does that show you the corrent output?
0
 

Author Comment

by:japji
ID: 38849837
Hi RobSampson,

Thank you for your prompt response.

Ok so the command  --------->netstat -a | find /i "9080" <-------- works however the problem is that if the port is not binded it doesn't gives an error.

So what I would like is the script prepared with above commands to scan these ports on Remote Servers and if the above ports are not binded then to display some sort of message.

Is that Ok?
Thanks
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 38849934
OK, as long as your account has admin rights to the remote machines, this code should work with PSExec to run NetStat on the remote computers.  You can change the top four value assignments, and it should work.

Regards,

Rob.

strInputFile = "computers.txt"
' Make the log file accessible via UNC to the account running the script
strLogFile = "\\server\share\netstatresults.txt"
' Specify the path to PSExec
strPSExec = "\\server\share\psexec.exe"
' Specify the list of ports to search netstat output for
arrPorts = Array("9080", "9081", "9082")

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1

strPSExec = objFSO.GetFile(strPSExec).ShortPath

WriteLog strLogFile, String(80, "=") & vbCrLf & "Script started " & Now & vbCrLf & String(80, "=")
Set objInputFile = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInputFile.AtEndOfStream
	strComputer = objInputFile.ReadLine
	If Ping(strComputer) = True Then
		WriteLog strLogFile, vbCrLf & "Scanning computer " & strComputer
		For Each strPort In arrPorts
			WriteLog strLogFile, "Checking port " & strPort
			strCommand = "cmd /c " & strPSExec & " -accepteula \\" & strComputer & " cmd /c netstat /a ^| find /i """ & strPort & """ ^>^> """ & strLogFile & """"
			objShell.Run strCommand, 0, True
		Next
	Else
		WriteLog strLogFile, vbCrLf & strComputer & " is offline"
	End If
Wend
objInputFile.Close 

WriteLog strLogFile, vbCrLf & "Script finished " & Now & vbCrLf
WScript.Echo vbCrLf & "Done. Please see " & strLogFile

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Sub WriteLog(strFileToWriteTo, strMessage)
	Set objFSO = CreateObject("Scripting.FileSystemObject")
	Set objOutput = objFSO.OpenTextFile(strFileToWriteTo, 8, True)
	objOutput.WriteLine strMessage
	objOutput.Close
	Set objOutput = Nothing
End Sub

Open in new window

0
 

Author Comment

by:japji
ID: 38852873
Hi Rob,

What am I suppose to save the code as? I mean is it a .bat, vbs etc

Please advise back.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38853051
Sorry, it's a VBS file.
0
 

Author Comment

by:japji
ID: 38853515
Hi Rob,

The Script is not working. Below is what I'm doing:

- Saved the script as VBS
- Created a txt filed called 'computers' and dumpted my server names in it.
- Modified the top part of your script as below:

strInputFile = "computers.txt"
' Make the log file accessible via UNC to the account running the script
strLogFile = "\\10.4.34.140\Guru-Tools\netstatresults.txt"
' Specify the path to PSExec
strPSExec = "\\10.4.34.140\Guru-Tools\psexec.exe"
' Specify the list of ports to search netstat output for
arrPorts = Array("9080", "9081", "9082")



Please assist.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38853595
Is the VBS in the same location as the computers.txt file?  If not, then change
strInputFile = "computers.txt"

to something like
strInputFile = "\\10.4.34.180\Guru-Tools\computers.txt"

If so, what errors are getting?  Are you running the script with a user account that has admin rights to the remote servers?  If you're on Windows Vista or higher, right click cmd.exe and click Run as Administrator, then type
cscript "\\10.4.34.140\Guru-Tools\RunNetStat.vbs"

Regards,

Rob.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:japji
ID: 38853709
The script is still NOT working.

The answer to your questions are as follows:

- Yes both VB Script and Computers.txt file is in same folder

- VBSscript Run time error: File not found

- Yes I have Admin rights on all servers.

- Yes I've tried running the CMD in Admin mode too.


Please refer to the screenshot and the code that  I'm using:
EE.PNG
PortScan.txt
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38853801
From your screenshot, I can see that computers.txt is on a local folder (your desktop folder), but the script error shows the error from the network UNC path.  Can you put the computers.txt file in the \\10.4.34.180\Guru-Tools folder and see how that goes?

Rob.
0
 

Author Comment

by:japji
ID: 38857889
Still NO GO mate.

Please refer to the screenshot.

I've renamed the VBS file to RuNetStat and also copied the computers.txt file onto the shared folder.
EE.PNG
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38857977
Oops!  I just realised line 13 relates to the PSExec file.  In the script you have this:
strPSExec = "\\10.4.34.140\Guru-Tools\psexec.exe"

so make sure psexec.exe is there.

Regards,

Rob.
0
 

Author Comment

by:japji
ID: 38858097
Sorry Rob I'm a bit confused with your last response.

Are you saying that I need to modify my script to add this ---> strPSExec = "\\10.4.34.140\Guru-Tools\psexec.exe" as below


strCommand = "cmd /c " & strPSExec = "\\10.4.34.140\Guru-Tools\psexec.exe" & " -accepteula \\" & strComputer & " cmd /c netstat /a ^| find /i """ & strPort & """ ^>^> """ & strLogFile & """"


OR

Were you saying that I need to have PSEXEC on the server? if do then should it be in C:/Windows?
0
 

Author Comment

by:japji
ID: 38858100
* C:\WINDOWS
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38858104
You will need to have PSExec.exe located in the exact path that you specify with this line in the script:
strPSExec = "\\10.4.34.140\Guru-Tools\psexec.exe"

so put PSExec in that location, and it will be fine.  If you want to use PSExec locally, then put it on your C Drive, and use
strPSExec = "C:\Tools\psexec.exe"

and it will work fine.

Regards,

Rob.
0
 

Author Comment

by:japji
ID: 38858148
Ok so now the script is up to the next level.

It's spitting the results in the Txt file which is fine however it's not showing whether the port is binded or not.

See result of the script below:

================================================================================
Script started 6/02/2013 3:42:55 PM
================================================================================

Scanning computer A3GEO3P0055
Checking port 9080
Checking port 9081
Checking port 9082

Scanning computer A43657P0001
Checking port 9080
Checking port 9081
Checking port 9082

Scanning computer A43975P0001
Checking port 9080
Checking port 9081
Checking port 9082
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 38858183
If it's empty, then the command that was run remotely (eg netstat /a | find /i "9080") did not return any result, which means it wasn't found in the netstat /a output.

If the port is found (you can test with port 139 usually), then it will show the output.

Regards,

Rob.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

You may have already been in the need to update a whole folder stucture using a script. Robocopy does it well and even provides a list of non-updated files in a log (if asked to). Generally those files that were locked by a user or a process by the …
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now