
Archive for June 20th, 2019

Netstat Local and Remote - new and improved, now with more PowerShell!, (Fri, Jun 21st)

Hi again, time for more PowerShell!

This all started with me troubleshooting on a customer’s server, and cursing Microsoft’s decision to spread the output of “netstat -naob” across two lines.  Likely they made that decision out of spite – you know, just so I can’t grep the information that I actually need out of it.

Which got me to thinking about doing this in PowerShell.  It’ll be easy I thought, just slam together the output of:

Get-Process
Get-NetTCPConnection
Get-NetUDPEndpoint

Join them up into one list, and dump the output right?

Hmm… except that to do a Get-Process with the associated account info (the -IncludeUserName option), you need elevated rights.  So that means I need a check for that.  And wait, the fields don’t *exactly* match up, and Get-NetUDPEndpoint doesn’t return a State field at all (UDP has no connection state), so we need to fill that field in ourselves …  OK, it did get a bit complicated once I got into it.  The final script for both TCP and UDP is below.  Note that you’ll only get the account info if you run it with admin rights:

$Processes = @{}

# First check if we're running elevated or not, so we don't error out on the Get-Process command.
# Note that account info is only retrieved if we are elevated.
# Even when elevated, UserName stays blank for protected processes such as System, wininit and services.

if ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        # Elevated - get account info per process
        Get-Process -IncludeUserName | ForEach-Object {
        $Processes[$_.Id] = $_
        }
    }
else
    {
        # Not Elevated - don't collect per-process account info
        Get-Process | ForEach-Object {
        $Processes[$_.Id] = $_
        }
    }

# Query Listening TCP Ports and Connections
# OwningProcess is a UInt32 while Process.Id is an Int32; the hashtable key only matches
# after the [int] cast, so don't drop it.
$Ports = Get-NetTCPConnection |
        Select-Object LocalAddress,
        RemoteAddress,
        @{Name="Proto";Expression={"TCP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess }},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path }} |
        Sort-Object -Property LocalPort, UserName

# Query Listening UDP Ports (No Connections in UDP)
# UDP endpoints have no RemoteAddress, RemotePort or State; Select-Object still creates those
# properties (empty) so both lists share the same shape and can be joined below.
$UDPPorts = Get-NetUDPEndpoint |
        Select-Object LocalAddress,RemoteAddress,
        @{Name="Proto";Expression={"UDP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess}},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName}},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName}},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path}} |
        Sort-Object -Property LocalPort, UserName
foreach ($P in $UDPPorts) {
    # Mark sockets bound to all IPv4 interfaces as listening; sockets bound to :: or to a
    # specific address keep an empty State with this check
    if ($P.LocalAddress -eq "0.0.0.0") { $P.State = "Listen" }
}

$Ports += $UDPPorts

$Ports | ft

PS C:\> $Ports | ft

LocalAddress                 RemoteAddress   Proto LocalPort RemotePort       State   PID UserName                     ProcessName              Path
------------                 -------------   ----- --------- ----------       -----   --- --------                     -----------              ----
0.0.0.0                      0.0.0.0         TCP         135          0      Listen    72 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
::                           ::              TCP         135          0      Listen    72 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
172.23.8.171                 0.0.0.0         TCP         139          0      Listen     4                              System
192.168.142.1                0.0.0.0         TCP         139          0      Listen     4                              System
169.254.98.213               0.0.0.0         TCP         139          0      Listen     4                              System
192.168.254.1                0.0.0.0         TCP         139          0      Listen     4                              System
::                           ::              TCP         445          0      Listen     4                              System
0.0.0.0                      0.0.0.0         TCP         902          0      Listen  5456 NT AUTHORITY\SYSTEM          vmware-authd             C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0                      0.0.0.0         TCP         912          0      Listen  5456 NT AUTHORITY\SYSTEM          vmware-authd             C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
(and so on)

So now, if you want just the listening ports, you can get that with a simple grep:

PS C:\> $ports | ? State -eq 'Listen' | ft

LocalAddress   RemoteAddress Proto LocalPort RemotePort  State   PID UserName                     ProcessName              Path
------------   ------------- ----- --------- ----------  -----   --- --------                     -----------              ----
0.0.0.0        0.0.0.0       TCP         135          0 Listen    72 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
::             ::            TCP         135          0 Listen    72 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
169.254.98.213 0.0.0.0       TCP         139          0 Listen     4                              System
172.20.10.2    0.0.0.0       TCP         139          0 Listen     4                              System
10.50.254.132  0.0.0.0       TCP         139          0 Listen     4                              System
192.168.254.1  0.0.0.0       TCP         139          0 Listen     4                              System
192.168.142.1  0.0.0.0       TCP         139          0 Listen     4                              System
::             ::            TCP         445          0 Listen     4                              System
0.0.0.0        0.0.0.0       TCP         902          0 Listen  5456 NT AUTHORITY\SYSTEM          vmware-authd             C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0        0.0.0.0       TCP         912          0 Listen  5456 NT AUTHORITY\SYSTEM          vmware-authd             C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0        0.0.0.0       TCP        1536          0 Listen   600                              wininit
::             ::            TCP        1536          0 Listen   600                              wininit
::             ::            TCP        1537          0 Listen  1268 NT AUTHORITY\SYSTEM          svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0        0.0.0.0       TCP        1537          0 Listen  1268 NT AUTHORITY\SYSTEM          svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0        0.0.0.0       TCP        1538          0 Listen  1840 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\System32\svchost.exe
::             ::            TCP        1538          0 Listen  1840 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\System32\svchost.exe
::             ::            TCP        1539          0 Listen  3816 NT AUTHORITY\SYSTEM          spoolsv                  C:\WINDOWS\System32\spoolsv.exe
0.0.0.0        0.0.0.0       TCP        1539          0 Listen  3816 NT AUTHORITY\SYSTEM          spoolsv                  C:\WINDOWS\System32\spoolsv.exe
0.0.0.0        0.0.0.0       TCP        1545          0 Listen   684                              services
::             ::            TCP        1545          0 Listen   684                              services
::             ::            TCP        1546          0 Listen   740 NT AUTHORITY\SYSTEM          lsass                    C:\WINDOWS\system32\lsass.exe
0.0.0.0        0.0.0.0       TCP        1546          0 Listen   740 NT AUTHORITY\SYSTEM          lsass                    C:\WINDOWS\system32\lsass.exe
::1            ::            TCP        1670          0 Listen 10476 NT AUTHORITY\SYSTEM          jhi_service              C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
127.0.0.1      0.0.0.0       TCP        4767          0 Listen  4460 NT AUTHORITY\SYSTEM          PanGPS                   C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
0.0.0.0        0.0.0.0       TCP        5040          0 Listen  2628 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\system32\svchost.exe
127.0.0.1      0.0.0.0       TCP        5354          0 Listen  5052 NT AUTHORITY\SYSTEM          mDNSResponder            C:\Program Files\Bonjour\mDNSResponder.exe
::             ::            TCP        5357          0 Listen     4                              System
127.0.0.1      0.0.0.0       TCP        5939          0 Listen  5252 NT AUTHORITY\SYSTEM          TeamViewer_Service       C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
0.0.0.0        0.0.0.0       TCP        8099          0 Listen  4796 NT AUTHORITY\SYSTEM          SolarWinds TFTP Server   C:\Program Files (x86)\SolarWinds\TFTP Server\SolarWinds TFTP Server.exe
127.0.0.1      0.0.0.0       TCP       44430          0 Listen  4384 NT AUTHORITY\SYSTEM          FoxitConnectedPDFService C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe
127.0.0.1      0.0.0.0       TCP       62522          0 Listen  2304 NT AUTHORITY\SYSTEM          vpnagent                 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
0.0.0.0                      UDP          69            Listen  4796 NT AUTHORITY\SYSTEM          SolarWinds TFTP Server   C:\Program Files (x86)\SolarWinds\TFTP Server\SolarWinds TFTP Server.exe
0.0.0.0                      UDP        3702            Listen  4640 NT AUTHORITY\LOCAL SERVICE   dasHost                  C:\WINDOWS\system32\dashost.exe
0.0.0.0                      UDP        5353            Listen  2276 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0                      UDP        5355            Listen  2276 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0                      UDP        6096            Listen  6388 NT AUTHORITY\SYSTEM          FortiESNAC               C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
0.0.0.0                      UDP       51498            Listen  5252 NT AUTHORITY\SYSTEM          TeamViewer_Service       C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
0.0.0.0                      UDP       52326            Listen  8568 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0                      UDP       52410            Listen  2304 NT AUTHORITY\SYSTEM          vpnagent                 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
0.0.0.0                      UDP       58385            Listen  5052 NT AUTHORITY\SYSTEM          mDNSResponder            C:\Program Files\Bonjour\mDNSResponder.exe
0.0.0.0                      UDP       59622            Listen     4                              System
0.0.0.0                      UDP       59623            Listen     4                              System
0.0.0.0                      UDP       60966            Listen  1276 DESKTOP-CPHGM1Irvlab01       mstsc                    C:\WINDOWS\system32\mstsc.exe
0.0.0.0                      UDP       60967            Listen  1276 DESKTOP-CPHGM1Irvlab01       mstsc                    C:\WINDOWS\system32\mstsc.exe
0.0.0.0                      UDP       62741            Listen  5268 NT AUTHORITY\SYSTEM          vmnat                    C:\WINDOWS\SysWOW64\vmnat.exe
0.0.0.0                      UDP       63327            Listen  4640 NT AUTHORITY\LOCAL SERVICE   dasHost                  C:\WINDOWS\system32\dashost.exe
0.0.0.0                      UDP       63448            Listen     4                              System
0.0.0.0                      UDP       63449            Listen     4                              System

With that done, I got to thinking – what about running this across an entire domain, and then looking for “outliers” – listening ports that only 1 or 2 hosts have open?  What would that look like?

Get-Process has a -ComputerName option, so we’re good there.
Get-NetTCPConnection doesn’t have a -ComputerName option, but it does have a -RemoteAddress option.
However, Get-NetUDPEndpoint has neither – local execution only (insert sad panda face here).

I guess we’ll need to do this all remotely then – we’ll make the whole script so far into a function, then call it using Invoke-Command for all stations in a domain – like this:

function PSNetstat {
$Processes = @{}

# Elevation check, as in the local version: account info is only collected when elevated.
# The check runs on the remote host, so it reflects your rights there, not on the machine you launch from.
if ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        # Elevated - get account info per process
        Get-Process -IncludeUserName | ForEach-Object {
        $Processes[$_.Id] = $_
        }
    }
else
    {
        # Not Elevated - don't collect per-process account info
        Get-Process | ForEach-Object {
        $Processes[$_.Id] = $_
        }
    }

# Query Listening TCP Ports and Connections
# The [int] cast is needed because OwningProcess (UInt32) and Process.Id (Int32) are different hashtable keys
$Ports = Get-NetTCPConnection |
        Select-Object LocalAddress,
        RemoteAddress,
        @{Name="Proto";Expression={"TCP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess }},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path }} |
        Sort-Object -Property LocalPort, UserName

# Query Listening UDP Ports (No Connections in UDP)
# RemoteAddress, RemotePort and State don't exist on UDP endpoints; Select-Object adds them empty
$UDPPorts = Get-NetUDPEndpoint |
        Select-Object LocalAddress,RemoteAddress,
        @{Name="Proto";Expression={"UDP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess}},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName}},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName}},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path}} |
        Sort-Object -Property LocalPort, UserName
foreach ($P in $UDPPorts) {
    # Sockets bound to all IPv4 interfaces are marked as listening; others keep an empty State
    if ($P.LocalAddress -eq "0.0.0.0") { $P.State = "Listen" }
}

$Ports += $UDPPorts
$Ports
}

# Get-ADComputer comes from the ActiveDirectory module (RSAT)
$targets = Get-ADComputer -Filter * -Property DNSHostName
$portlist = @()
$i = 1
$count = $targets.Count

foreach ($targethost in $targets) {
   Write-Host "$i of $count - $($targethost.DNSHostName)"
   if (Test-Connection -ComputerName $targethost.DNSHostName -Count 2 -Quiet) {
       # Run the function on the remote host. Invoke-Command stamps every returned object with a
       # PSComputerName property, so each row in the CSV identifies the host it came from.
       $portlist += Invoke-Command -ComputerName $targethost.DNSHostName -ScriptBlock ${function:PSNetstat}
       }
   # Count every target, reachable or not, so the progress line actually reaches $count
   $i++
   }
$portlist | Export-Csv all-ports.csv -NoTypeInformation

Now you have all TCP and UDP ports, in all states, in one giant CSV.  If you want, you can pull out just the listening ports using the “grep” method we used earlier, and you can mix-and-match it any way you please in either PowerShell or in Excel (we dumped it all into a CSV at the end).
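The outlier search this all started with (listening ports that only one or two hosts in the domain have open) is not carried through above, so here is an added example, not code from the diary, that does it over the CSV the script produces. It assumes the CSV has the columns the PSNetstat function emits plus the PSComputerName column that Invoke-Command adds to every object it returns from a remote host; the function name Find-RareListeners is my own, and the rows at the bottom are constructed stand-ins for Import-Csv all-ports.csv so the example runs offline.

```powershell
# Added example: report listening Proto/LocalPort pairs seen on few hosts.
# Assumes rows shaped like the all-ports.csv output above (Proto, LocalPort, State,
# ProcessName, UserName) plus PSComputerName from Invoke-Command.
function Find-RareListeners {
    param(
        # Objects from Import-Csv all-ports.csv, or anything with the same columns
        [Parameter(Mandatory)] [object[]] $Ports,
        # A Proto/LocalPort pair is "rare" when it listens on this many hosts or fewer
        [int] $MaxHosts = 2
    )

    $Ports |
        Where-Object { $_.State -eq 'Listen' } |
        # One group per protocol + port, regardless of the address it is bound to,
        # so 0.0.0.0 on one host and :: on another count as the same listener
        Group-Object -Property Proto, LocalPort |
        ForEach-Object {
            $hosts = @($_.Group.PSComputerName | Sort-Object -Unique)
            [pscustomobject]@{
                Proto     = $_.Group[0].Proto
                LocalPort = [int]$_.Group[0].LocalPort   # CSV fields are strings; cast so sorting is numeric
                HostCount = $hosts.Count
                Hosts     = ($hosts -join ',')
                # The same port served by different binaries on different hosts is worth a look too
                Processes = (($_.Group.ProcessName | Sort-Object -Unique) -join ',')
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object -Property Proto, LocalPort
}

# Constructed sample rows standing in for Import-Csv all-ports.csv (three hosts ws01..ws03).
# 135 and 445 are everywhere; a TFTP server on ws02 and RDP on ws03 are the outliers,
# and the Established row is ignored because it is not a listener.
$sample = @'
PSComputerName,LocalAddress,Proto,LocalPort,State,PID,UserName,ProcessName
ws01,0.0.0.0,TCP,135,Listen,72,NT AUTHORITY\NETWORK SERVICE,svchost
ws02,0.0.0.0,TCP,135,Listen,80,NT AUTHORITY\NETWORK SERVICE,svchost
ws03,::,TCP,135,Listen,76,NT AUTHORITY\NETWORK SERVICE,svchost
ws01,0.0.0.0,TCP,445,Listen,4,,System
ws02,0.0.0.0,TCP,445,Listen,4,,System
ws03,0.0.0.0,TCP,445,Listen,4,,System
ws02,0.0.0.0,TCP,8099,Listen,4796,NT AUTHORITY\SYSTEM,SolarWinds TFTP Server
ws02,0.0.0.0,UDP,69,Listen,4796,NT AUTHORITY\SYSTEM,SolarWinds TFTP Server
ws03,0.0.0.0,TCP,3389,Listen,900,NT AUTHORITY\NETWORK SERVICE,svchost
ws01,10.0.0.11,TCP,49700,Established,1200,CORP\alice,chrome
'@ | ConvertFrom-Csv

Find-RareListeners -Ports $sample -MaxHosts 2 | Format-Table -AutoSize

# Against the real collection:
# Find-RareListeners -Ports (Import-Csv all-ports.csv) | Export-Csv rare-ports.csv -NoTypeInformation
```

With the sample data the report lists TCP 3389 (ws03 only), TCP 8099 and UDP 69 (ws02 only); ports 135 and 445 are on all three hosts and drop out. Raising -MaxHosts lets you widen the net when the domain is large, and the Processes column is the quick tell for a well-known port being served by something other than the usual binary.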

Use our comment form if you run this and find anything odd in your network; we’re always interested in “odd”.

===============
Rob VandenBrink
www.coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.


Using a Travel Packing App for Infosec Purpose, (Thu, Jun 20th)

Today’s diary will not be technical, but it could help you better organize your next trip. This week, like many SANS ISC Handlers, I’m in Washington DC to attend SANSFIRE[1]. Given our daily jobs, we have to travel quite often and, in my case, I’m always afraid of forgetting something important when I’m packing to visit a customer or to attend a security conference. When I’m attending a security conference, I always carry a lot of electronic gadgets and other gear to be sure I can be (safely) connected once in my hotel room: portable firewall, cables, adapters, etc. When you need to visit a customer for a specific mission, it’s even more important not to forget a device or piece of software you need to perform your tasks properly.

I use a travel packing app to organize my trips. Based on the destination (country, climate, time of year) and duration (number of t-shirts, underwear, …), it generates a list of things to bring with you. Usually, this kind of application has pre-built lists for holidays, business trips, sports activities, etc.

I’m not promoting any application; I just bought the “pro” version of PackPoint (for a few $). This version allows you to create custom packing lists. I created some based on my business tasks:

  • Incident Handling
  • Pentesting
  • Infosec conference

Let’s take the incident handling list as an example. You must be sure to bring everything you need to work efficiently. From a technical point of view: the right tools, enough storage, licences. But also from an administrative point of view: on-site contacts, authorizations, documents, etc. Here is an example of a list of things to bring with you:

  • Contact information for people inside and outside the organization
  • Mobile phone and spare batteries
  • Camera
  • SIM cards with a data subscription
  • Powerful laptop(s) with enough CPU/RAM/storage
  • Fast external storage (SSD/USB 3)
  • Portable hypervisor (like an Intel NUC)
  • Raspberry Pi
  • Software (on CD/DVD, USB)
  • Network tap
  • Switch/cables/adapters
  • Hard drive write blocker
  • Blank media (USB, DVD/CD)
  • Notebooks / pens
  • Tools (screwdrivers, cutters, tape)
  • Console cable (USB-to-serial)
  • Forms (for the evidence list and chain of custody)
  • Plastic bags
  • Live CDs
  • Food, water, jacket, sweets, spare t-shirt, deodorant (remember the “3-2-1 rule”: 3 hours of sleep, 2 meals, 1 shower)

With the help of this kind of app, you can keep your packing list up to date and not miss important items when you need to leave in an emergency!

If you are attending SANSFIRE, come say hello; handlers are easy to find, we usually wear our “black shirts”!

[1] https://www.sans.org/event/sansfire-2019

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.
