ISC Stormcast For Friday, June 21st 2019 https://isc.sans.edu/podcastdetail.html?id=6550

Netstat Local and Remote -new and improved, now with more PowerShell!

Published: 2019-06-21
Last Updated: 2019-06-21 02:23:45 UTC
by Rob VandenBrink (Version: 1)

Hi again, time for more Powershell!

This all started with me troubleshooting on a customer's server, and cursing Microsoft's decision to spread the output of "netstat -naob" across two lines. Likely they made that decision out of spite - you know, just so I can't grep the information that I actually need out of it.

Which got me to thinking about doing this in Powershell. It'll be easy I thought, just slam together the output of:

Get-Process
Get-NetTCPConnection
Get-NetUDPEndpoint

Join them up into one list, and dump the output right?

Hmm... except that to do a Get-Process with the associated account info (the -IncludeUserName option), you need elevated rights. So that means I need a check for that. And wait, the fields don't *exactly* match up, and the Get-NetUDPEndpoint doesn't actually spell out what's listening, we need to stuff that into the field ... OK, it did get a bit complicated once I got into it. The final script for both TCP and UDP is below. Note that you'll only get the account info if you run it with admin rights:

$Processes = @{}

# first check if we're running elevated or not, so we don't error out on the Get-Process command
# note that account info is only retrieved if we are elevated

if ((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        # Elevated - get account info per process
        Get-Process -IncludeUserName | ForEach-Object {
        $Processes[$_.Id] = $_
        }
    }
else
    {
        # Not Elevated - don't collect per-process account info
        Get-Process | ForEach-Object {
        $Processes[$_.Id] = $_
        }
    }

# Query Listening TCP Ports and Connections
$Ports = Get-NetTCPConnection |
        Select-Object LocalAddress,
        RemoteAddress,
        @{Name="Proto";Expression={"TCP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess }},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path }} |
        Sort-Object -Property LocalPort, UserName

# Query Listening UDP Ports (No Connections in UDP)
$UDPPorts += Get-NetUDPEndpoint |
        Select-Object LocalAddress,RemoteAddress,
        @{Name="Proto";Expression={"UDP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess}},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName}},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName}},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path}} |
        Sort-Object -Property LocalPort, UserName
foreach ($P in $UDPPorts) {
    if( $P.LocalAddress -eq "0.0.0.0") {$P.State = "Listen"} }

$Ports += $UDPPorts

$Ports | ft

PS C:\> $Ports | ft

So now, if you want just the listening ports, you can get that with a simple grep:

PS C:\> $ports | ? State -eq 'Listen' | ft

LocalAddress   RemoteAddress Proto LocalPort RemotePort State   PID UserName                     ProcessName              Path
------------   ------------- ----- --------- ---------- -----   --- --------                     -----------              ----
0.0.0.0        0.0.0.0       TCP         135          0 Listen    72 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
::             ::            TCP         135          0 Listen    72 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
169.254.98.213 0.0.0.0       TCP         139          0 Listen     4                              System
172.20.10.2    0.0.0.0       TCP         139          0 Listen     4                              System
10.50.254.132 0.0.0.0       TCP         139          0 Listen     4                              System
192.168.254.1 0.0.0.0       TCP         139          0 Listen     4                              System
192.168.142.1 0.0.0.0       TCP         139          0 Listen     4                              System
::             ::            TCP         445          0 Listen     4                              System
0.0.0.0        0.0.0.0       TCP         902          0 Listen 5456 NT AUTHORITY\SYSTEM          vmware-authd             C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0        0.0.0.0       TCP         912          0 Listen 5456 NT AUTHORITY\SYSTEM          vmware-authd             C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
0.0.0.0        0.0.0.0       TCP        1536          0 Listen   600                              wininit
::             ::            TCP        1536          0 Listen   600                              wininit
::             ::            TCP        1537          0 Listen 1268 NT AUTHORITY\SYSTEM          svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0        0.0.0.0       TCP        1537          0 Listen 1268 NT AUTHORITY\SYSTEM          svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0        0.0.0.0       TCP        1538          0 Listen 1840 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\System32\svchost.exe
::             ::            TCP        1538          0 Listen 1840 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\System32\svchost.exe
::             ::            TCP        1539          0 Listen 3816 NT AUTHORITY\SYSTEM          spoolsv                  C:\WINDOWS\System32\spoolsv.exe
0.0.0.0        0.0.0.0       TCP        1539          0 Listen 3816 NT AUTHORITY\SYSTEM          spoolsv                  C:\WINDOWS\System32\spoolsv.exe
0.0.0.0        0.0.0.0       TCP        1545          0 Listen   684                              services
::             ::            TCP        1545          0 Listen   684                              services
::             ::            TCP        1546          0 Listen   740 NT AUTHORITY\SYSTEM          lsass                    C:\WINDOWS\system32\lsass.exe
0.0.0.0        0.0.0.0       TCP        1546          0 Listen   740 NT AUTHORITY\SYSTEM          lsass                    C:\WINDOWS\system32\lsass.exe
::1            ::            TCP        1670          0 Listen 10476 NT AUTHORITY\SYSTEM          jhi_service              C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
127.0.0.1      0.0.0.0       TCP        4767          0 Listen 4460 NT AUTHORITY\SYSTEM          PanGPS                   C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
0.0.0.0        0.0.0.0       TCP        5040          0 Listen 2628 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\system32\svchost.exe
127.0.0.1      0.0.0.0       TCP        5354          0 Listen 5052 NT AUTHORITY\SYSTEM          mDNSResponder            C:\Program Files\Bonjour\mDNSResponder.exe
::             ::            TCP        5357          0 Listen     4                              System
127.0.0.1      0.0.0.0       TCP        5939          0 Listen 5252 NT AUTHORITY\SYSTEM          TeamViewer_Service       C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
0.0.0.0        0.0.0.0       TCP        8099          0 Listen 4796 NT AUTHORITY\SYSTEM          SolarWinds TFTP Server   C:\Program Files (x86)\SolarWinds\TFTP Server\SolarWinds TFTP Server.exe
127.0.0.1      0.0.0.0       TCP       44430          0 Listen 4384 NT AUTHORITY\SYSTEM          FoxitConnectedPDFService C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FoxitConnectedPDFService.exe
127.0.0.1      0.0.0.0       TCP       62522          0 Listen 2304 NT AUTHORITY\SYSTEM          vpnagent                 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
0.0.0.0                      UDP          69            Listen 4796 NT AUTHORITY\SYSTEM          SolarWinds TFTP Server   C:\Program Files (x86)\SolarWinds\TFTP Server\SolarWinds TFTP Server.exe
0.0.0.0                      UDP        3702            Listen 4640 NT AUTHORITY\LOCAL SERVICE   dasHost                  C:\WINDOWS\system32\dashost.exe
0.0.0.0                      UDP        5353            Listen 2276 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0                      UDP        5355            Listen 2276 NT AUTHORITY\NETWORK SERVICE svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0                      UDP        6096            Listen 6388 NT AUTHORITY\SYSTEM          FortiESNAC               C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
0.0.0.0                      UDP       51498            Listen 5252 NT AUTHORITY\SYSTEM          TeamViewer_Service       C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
0.0.0.0                      UDP       52326            Listen 8568 NT AUTHORITY\LOCAL SERVICE   svchost                  C:\WINDOWS\system32\svchost.exe
0.0.0.0                      UDP       52410            Listen 2304 NT AUTHORITY\SYSTEM          vpnagent                 C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
0.0.0.0                      UDP       58385            Listen 5052 NT AUTHORITY\SYSTEM          mDNSResponder            C:\Program Files\Bonjour\mDNSResponder.exe
0.0.0.0                      UDP       59622            Listen     4                              System
0.0.0.0                      UDP       59623            Listen     4                              System
0.0.0.0                      UDP       60966            Listen 1276 DESKTOP-CPHGM1I\rvlab01      mstsc                    C:\WINDOWS\system32\mstsc.exe
0.0.0.0                      UDP       60967            Listen 1276 DESKTOP-CPHGM1I\rvlab01      mstsc                    C:\WINDOWS\system32\mstsc.exe
0.0.0.0                      UDP       62741            Listen 5268 NT AUTHORITY\SYSTEM          vmnat                    C:\WINDOWS\SysWOW64\vmnat.exe
0.0.0.0                      UDP       63327            Listen 4640 NT AUTHORITY\LOCAL SERVICE   dasHost                  C:\WINDOWS\system32\dashost.exe
0.0.0.0                      UDP       63448            Listen     4                              System
0.0.0.0                      UDP       63449            Listen     4                              System

With that done, I got to thinking - what about running this across an entire domain, and then look for "outliers" - listening ports that only 1 or 2 hosts have open?? What would that look like?

GetProcess has a -ComputerName option, so we're good there.
Get-NetTCPConnection doesn't have a -ComputerName option, but it does have a -RemoteAddress option
However .. Get-NetUDPEndpoint has neither - local execution only (insert sad panda face here)

I guess we'll need to do this all remotely then - we'll make the whole script so far into a function, then call it using invoke-command for all stations in a domain - like this:

function PSNetstat {
$Processes = @{}

# Query Listening UDP Ports (No Connections in UDP)
$UDPPorts = Get-NetUDPEndpoint |
        Select-Object LocalAddress,RemoteAddress,
        @{Name="Proto";Expression={"UDP"}},
        LocalPort,RemotePort,State,
        @{Name="PID"; Expression={ $_.OwningProcess}},
        @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName}},
        @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName}},
        @{Name="Path"; Expression={ $Processes[[int]$_.OwningProcess].Path}} |
        Sort-Object -Property LocalPort, UserName
foreach ($P in $UDPPorts) {
    if( $P.LocalAddress -eq "0.0.0.0") {$P.State = "Listen"} }

$Ports += $UDPPorts
$Ports
}

$targets =get-adcomputer -filter * -Property DNSHostName
$portlist = @()
$i = 1
$count = $targets.count

foreach ($targethost in $targets) {
   write-host $i of $count - $targethost.DNSHostName
   if (Test-Connection -ComputerName $targethost.DNSHostName -count 2 -Quiet) {
       $portlist += invoke-command -ComputerName $targethost ${function:PSNetStat}
       ++$i
       }
   }
$portlist | export-csv all-ports.csv

Now you have all TCP and UDP ports, in all states in one giant CSV. If you want, you can pull out the just listening ports using the "grep" method we used earlier, and you can mix-and-match it any way you please in either PowerShell or in Excel (we dumped it all into a CSV at the end).

Use our comment form if you run this and find anything odd in your network, we're always interested in "odd"

===============
Rob VandenBrink
www.coherentsecurity.com

Keywords: Netstat PowerShell

3 comment(s)

Internet Storm Center

Netstat Local and Remote -new and improved, now with more PowerShell!

Comments