TDS port question

Discussion in 'Trojan Defence Suite' started by Checkout, Mar 12, 2002.

Thread Status:
Not open for further replies.
  1. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Apologies if I'm revealing the depths of my ignorance, but does (or will) TDS have the facility to relate an open port to the process which opened it?

    MTIA
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Checkout,
    There is no native way supplied by Windows to achieve process-to-port mapping, but this is a commonly requested feature, so we have already developed a utility (actually a base service provider; it took a lot of sniffing around in the kernel, but we've got it working nicely now and it has been complete for many months) that will allow our upcoming TDS4 to see which ports are being used by which processes.

    Best regards,
    Wayne
     
  3. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Hmm...in the meantime, I found TCPview:

    Process:PID            Protocol  Local Address    Remote Address                                     Sent       Received
    svchost.exe:688        TCP       martin:1025      LISTENING
    vsmon.exe:1096         TCP       martin:1026      LISTENING
    msmsgs.exe:2040        UDP       martin:1066      *:*
    msmsgs.exe:2040        UDP       martin:1068      *:*
    msmsgs.exe:2040        TCP       martin:1072      msgr-ns21.msgr.hotmail.com:1863                    8/264      11/968
    IEXPLORE.EXE:816       UDP       martin:1174      *:*                                                5259/5259  5259/5259
    tds-3.exe:1592         TCP       martin:12345     LISTENING
    tds-3.exe:1592         TCP       martin:1243      LISTENING
    Proxomitron.exe:876    TCP       martin:1532      a62-41-113-20.deploy.akamaitechnologies.com:http   1/322      2/1790
    msimn.exe:204          TCP       martin:1548      LISTENING
    msmsgs.exe:2040        TCP       martin:16180     LISTENING
    tds-3.exe:1592         TCP       martin:20034     LISTENING
    tds-3.exe:1592         UDP       martin:2140      *:*
    tds-3.exe:1592         TCP       martin:23432     LISTENING
    tds-3.exe:1592         TCP       martin:27374     LISTENING
    tds-3.exe:1592         UDP       martin:31337     *:*
    VisualZone.exe:1232    UDP       martin:3731      *:*
    tds-3.exe:1592         TCP       martin:5000      LISTENING
    tds-3.exe:1592         TCP       martin:6667      LISTENING
    msmsgs.exe:2040        UDP       martin:7078      *:*
    Proxomitron.exe:876    TCP       martin:8080      LISTENING
    tds-3.exe:1592         TCP       martin:9400      LISTENING
    svchost.exe:644        TCP       martin:epmap     LISTENING
    lsass.exe:488          UDP       martin:isakmp    *:*
    How come TDS listens on so many ports?  Does this defy stealthing?

    I'm more than a bit worried by these results, Wayne.
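    The process-to-port relation Checkout asked about, as an added example that is not part of the thread or of TDS: a small parser for TCPView-style lines (a few rows copied from the listing above, embedded inline) that maps each local port to its owning process and groups the listening sockets per process. The column layout and the `LINE_RE` pattern are my assumptions about TCPView's text output, not something the thread specifies.

```python
# Added example (not from the thread): build a process-to-port map from a
# TCPView-style listing such as the one Checkout posted.
import re
from collections import defaultdict

# Rows copied from the listing above; the whitespace-separated layout is assumed.
TCPVIEW_LISTING = """\
svchost.exe:688      TCP      martin:1025      LISTENING
msmsgs.exe:2040      TCP      martin:1072      msgr-ns21.msgr.hotmail.com:1863      8/264      11/968
tds-3.exe:1592      TCP      martin:12345      LISTENING
tds-3.exe:1592      TCP      martin:27374      LISTENING
tds-3.exe:1592      UDP      martin:31337      *:*
Proxomitron.exe:876      TCP      martin:8080      LISTENING
"""

# image:pid  proto  host:port  remote   (Sent/Received columns are optional)
LINE_RE = re.compile(
    r"^(?P<image>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<host>[^:\s]+):(?P<port>\S+)\s+(?P<remote>\S+)"
)

def parse_tcpview(text):
    """Yield one dict per socket line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def port_owner_map(text):
    """Map (proto, local port) -> (image, pid). Ports stay strings because
    TCPView prints service names such as 'epmap' and 'isakmp' for some rows."""
    owners = {}
    for s in parse_tcpview(text):
        owners[(s["proto"], s["port"])] = (s["image"], int(s["pid"]))
    return owners

def listening_ports_by_process(text):
    """Group LISTENING TCP ports and unconnected (*:*) UDP ports by process,
    so a process that holds many sockets, like tds-3.exe here, stands out."""
    groups = defaultdict(list)
    for s in parse_tcpview(text):
        if s["remote"] in ("LISTENING", "*:*"):
            groups[(s["image"], int(s["pid"]))].append(s["port"])
    return dict(groups)

if __name__ == "__main__":
    for proc, ports in listening_ports_by_process(TCPVIEW_LISTING).items():
        print(proc, ports)
```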
     
  4. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Sounds to me like you have initialized sockets and therefore asked TDS to listen on these ports.
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    If you use the socket feature of TDS-3 you will get open ports. If you worry about it, then disable the socket feature. TDS-3 has nothing to do with 'stealth' because TDS-3 is not a firewall.

    wizard
     
  6. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Gotcha.  Thanks.
     
  7. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    You'll make a lot of friends with that feature, Wayne!  Tx.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For sure! I tried a couple of the few available for Win98, but no big success, so wait patiently to try the real DCS stuff on my system.
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Some programs for process-to-port mapping are around; achieving this is not easy at all, and some have rather mixed and inaccurate results. It is just something that has to be done the right way :)

    This feature when incorporated into TDS4 should be very accurate as to the process in question.
     
  10. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Gavin, thanks.  And to the other posters, yep - I had sockets initialised.  My fault.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Not fault, that's what the function is for. You could lay your watchdogs behind them :) and have a lot more "fun" if somebody wants to try them :D
     
  12. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Although it is normally the job of your firewall to take care of this part of things, it's not necessarily a bad thing to have sockets initialized.  Since only one app can own any port at any given time, once TDS listens on these ports, it owns them and anyone trying to use them will automatically trigger a warning.
    A good firewall should still show you stealthed at GRC and I can only imagine you are using ZA (no, I don't like that one) for not being so.
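    The "only one app can own any port at any given time" part of Mickey's point, as an added example that is not part of the thread or of TDS: a decoy listener binds a port the way the TDS-3 socket feature does, and a second bind on the same address and port is refused with EADDRINUSE. It assumes the loopback address and a TCP listener without SO_REUSEADDR; the function names are mine.

```python
# Added example (not from the thread): exclusive port ownership by a decoy listener.
import errno
import socket

def claim_decoy_ports(ports, host="127.0.0.1"):
    """Bind and listen on each port, like TDS-3's socket feature, and return the
    live sockets; close them to release the ports. Port 0 asks for a free port."""
    held = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Deliberately no SO_REUSEADDR: exclusive ownership is the point.
        s.bind((host, port))
        s.listen(5)
        held.append(s)
    return held

def port_is_owned(port, host="127.0.0.1"):
    """True if some other socket already owns host:port, i.e. bind is refused.
    Any other bind error (permissions, bad address) is re-raised, not hidden."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return False
    except OSError as e:
        # Windows builds of Python expose the Winsock code as WSAEADDRINUSE.
        if e.errno in (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", -1)):
            return True
        raise
    finally:
        probe.close()

def demo():
    """Hold one ephemeral port, show nobody else can take it, release it,
    and show it is free again. Returns (port, owned_while_held, owned_after)."""
    (decoy,) = claim_decoy_ports([0])
    port = decoy.getsockname()[1]
    while_held = port_is_owned(port)
    decoy.close()
    after_release = port_is_owned(port)
    return port, while_held, after_release

if __name__ == "__main__":
    print(demo())
```

A decoy listener answers connection attempts, so as wizard notes it does nothing for "stealth"; filtering or logging those attempts is still the firewall's job.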
     
  13. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Thanks, Mickey - useful comment.
     