TDS port question

Apologies if I'm revealing the depths of my ignorance, but does (or will) TDS have the facility to relate an open port to the process which opened it?

MTIA

 

Checkout,
There is no native way supplied by Windows to achieve process-to-port mapping, but this is commonly requested feature so we have already developed a utility (actually a base service provider, it took a lot of sniffing around in the kernel but we've got it working nicely now and it has been complete for many months now) that will allow our upcoming TDS4 to see which ports are being used by which processes.

Best regards,
Wayne

 

Hmm...in the meantime, I found TCPview:

ProcessID      Protocol      Local Address      RemoteAddress      Sent      Received      

svchost.exe:688      TCP      martin:1025      LISTENING                  
vsmon.exe:1096      TCP      martin:1026      LISTENING                  
msmsgs.exe:2040      UDP      martin:1066      *:*                  
msmsgs.exe:2040      UDP      martin:1068      *:*                  
msmsgs.exe:2040      TCP      martin:1072      msgr-ns21.msgr.hotmail.com:1863      8/264      11/968      
IEXPLORE.EXE:816      UDP      martin:1174      *:*      5259/5259      5259/5259      
tds-3.exe:1592      TCP      martin:12345      LISTENING                  
tds-3.exe:1592      TCP      martin:1243      LISTENING                  
Proxomitron.exe:876      TCP      martin:1532      a62-41-113-20.deploy.akamaitechnologies.com:http      1/322      2/1790      
msimn.exe:204      TCP      martin:1548      LISTENING                  
msmsgs.exe:2040      TCP      martin:16180      LISTENING                  
tds-3.exe:1592      TCP      martin:20034      LISTENING                  
tds-3.exe:1592      UDP      martin:2140      *:*                  
tds-3.exe:1592      TCP      martin:23432      LISTENING                  
tds-3.exe:1592      TCP      martin:27374      LISTENING                  
tds-3.exe:1592      UDP      martin:31337      *:*                  
VisualZone.exe:1232      UDP      martin:3731      *:*                  
tds-3.exe:1592      TCP      martin:5000      LISTENING                  
tds-3.exe:1592      TCP      martin:6667      LISTENING                  
msmsgs.exe:2040      UDP      martin:7078      *:*                  
Proxomitron.exe:876      TCP      martin:8080      LISTENING                  
tds-3.exe:1592      TCP      martin:9400      LISTENING                  
svchost.exe:644      TCP      martin:epmap      LISTENING                  
lsass.exe:488      UDP      martin:isakmp      *:*                  
How come TDS listens on so many ports?  Does this defy stealthing?

I'm more than a bit worried by these results, Wayne.

 

Sounds to me like you have initialized sockets and therefore asked TDS to listen on these ports.

 

If you use the socket feature of TDS-3 you will get open ports. If you worry about it than disable the socket feature. TDS-3 has nothing to do with 'stealth' because TDS-3 is not a firewall.

wizard

 

Gotcha.  Thanks.

 

You'll make a lot of friends with that feature, Wayne!  Tx.

 

For sure! I tried a couple of the few available for Win98, but no big success, so wait patiently to try the real DCS stuff on my system.

 

Some programs for process to port mapping are around, achieving this is not easy at all and some have rather mixed and inaccurate results, it is just something that has to be done the right way

This feature when incorporated into TDS4 should be very accurate as to the process in question.

 

Gavin, thanks.  And to the other posters, yep - I had sockets initialised.  My fault.

 

Not fault, that's what the function is for. You could lay your watchdogs behind them and have a lot more "fun" if somebody wants to try them

 

Although it is normally the job of your firewall to take care of this part of things, it's not necessarely a bad thing to have sockets initialized.  Since only one app can own any port at any given time, once TDS listens on these ports, it owns them and any anyone trying to use them will automatically trigger a warning.
A good firewall should still show you stealthed at GRC and i can only imagine you are using ZA (no, i don't like that one) for not being so.

 

Thanks, Mickey - useful comment.