
SANS Internet Storm Center (ISC) Diary


Where have all the COM Ports Gone? - How enumerating COM ports led to me finding a “misplaced” Microsoft tool

In my work, I connect to routers, switches, firewalls and other network gear daily.  Since laptops no longer come with serial ports (who exactly decided that this was a good idea?), this means that I use USB to serial port adapters.  In fact, I've got a nice collection of these things in the laptop bag - some work better than others for various functions (some do a better job at serial packet capture, for instance), but the one thing most of them have in common is that when you plug them in, Windows assigns them whatever COM port number it decides on, and that number is not predictable from one machine or USB socket to the next.

So if I'm working on a router or switch, I plug a dongle in, and then have to fire up Windows Device Manager to go hunting for the serial port it got assigned.  This is an exercise of several mouse clicks.  While I've gotten pretty quick at this over the years, frankly I'm tired of it.

My thought was - there's got to be a way to do this from the command line with WMIC.  WMIC gives you unique access to the internals of Microsoft Windows, is available for or native to all modern Windows platforms, and is usually very simple to figure out.  Not today though: after 20 minutes of effort, one script prints only the first COM port, and the other catches the physical COM ports but not the USB ones (the Win32_SerialPort class does not reliably list USB-to-serial adapters).  So, in the best sysadmin tradition, after 20 minutes I've (temporarily) given up on WMIC for this and decided to try a different approach.  (One caveat for readers today: Microsoft has since deprecated WMIC, and it is missing from recent Windows builds, so the PowerShell CIM cmdlets are the durable way to get at the same WMI classes.)

This one-line script will echo the serial ports on your machine, and what they are assigned to.  It uses the Microsoft REGDUMP command (this used to be part of the Windows Resource Kit, and is now part of the Microsoft Logo Tools available from http://download.microsoft.com).  It's a simple "show me the reg keys" script: every loaded serial driver (physical UART, modem, or USB adapter) registers its device name and COM number under HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM, so dumping that one key catches the USB dongles that the WMIC approach missed.

COMLIST.CMD

@echo off
REM Dump the SERIALCOMM key (device name -> COMn) and keep only the value lines
regdump -r HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM | find "="

So, a test run with 2 dongles plugged in on my laptop looks like:

C:\>comlist
"\Device\AgereModem5"=(REG_SZ)"COM3"
"\Device\ProlificSerial0"=(REG_SZ)"COM8"
"\Device\ProlificSerial1"=(REG_SZ)"COM11"

It ain't pretty, but it finds what I need. 

The downside of the approach I took here is that you need REGDUMP.  If I'm using a customer's computer (this is sometimes the case), I need to fall back on the "go look in device manager" approach.  If anyone out there is having better luck using WMIC for this than I have, by all means post your (better than mine) solution to the comments section !
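The same registry lookup can be done without REGDUMP.  The following is an added example, not code from the diary: it reads the SERIALCOMM key with built-in PowerShell and cross-references each port with its Plug and Play entry, so a USB-to-serial dongle shows up with its friendly name and hardware ID.  It assumes Windows PowerShell 5.1 or later; the function and property names are my own, not Microsoft tool names.

```powershell
# Added example (not from the diary): list COM ports from the registry key the
# diary dumps with REGDUMP, using only built-in PowerShell, and cross-reference
# each port with its Plug and Play entry. Assumes Windows PowerShell 5.1+.
# Function and property names below are mine, not Microsoft tool names.

$SerialCommKey = 'HKLM:\HARDWARE\DEVICEMAP\SERIALCOMM'

function Get-SerialCommMap {
    # SERIALCOMM is populated at runtime by every loaded serial driver
    # (physical UARTs, modems, USB adapters). The key is absent on a machine
    # that has never had a serial device, so treat "missing" as "no ports".
    if (-not (Test-Path -Path $SerialCommKey)) { return @() }
    $props = Get-ItemProperty -Path $SerialCommKey
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; skip those.
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{
            Device = $p.Name    # e.g. \Device\ProlificSerial0
            Port   = $p.Value   # e.g. COM8
        }
    }
}

function Get-ComPortInventory {
    # Index PnP devices by the "(COMn)" suffix Windows puts in their names.
    # Win32_PnPEntity sees USB adapters that Win32_SerialPort often misses.
    $byPort = @{}
    Get-CimInstance -ClassName Win32_PnPEntity -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match '\((COM\d+)\)') { $byPort[$Matches[1]] = $_ }
        }

    foreach ($entry in Get-SerialCommMap) {
        $pnp = $byPort[$entry.Port]
        [pscustomobject]@{
            Port         = $entry.Port
            Device       = $entry.Device
            FriendlyName = $(if ($pnp) { $pnp.Name } else { '(no PnP entry)' })
            InstanceId   = $(if ($pnp) { $pnp.DeviceID } else { '' })
            # USB adapters enumerate under the USB bus (FTDI parts under FTDIBUS);
            # the VID/PID in the instance ID tells two dongles of the same model apart.
            IsUsb        = $(if ($pnp) { $pnp.DeviceID -match '^(USB|FTDIBUS)\\' } else { $false })
        }
    }
}

# Usage: numeric sort so COM11 lands after COM8, not between COM1 and COM2.
Get-ComPortInventory |
    Sort-Object -Property { [int]($_.Port -replace '^COM', '') } |
    Format-Table -AutoSize
```

Because it relies only on the registry provider and the CIM cmdlets, this runs on a customer's machine with nothing installed, and the InstanceId column gives you something stable to match against when the COM number changes between USB sockets.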

So what else can we find in the Microsoft Logo Testing kit?

First of all, our two friends REGDUMP and REGDIFF:
RegDump - Dumps specific registry keys, or the entire registry
RegDiff - Compares two files taken before and after an operation to give you the differences (I generally use REGDIFF against two REGDUMP files, hence the name)
Restart Manager - Allows you to stop most processes in Windows (except for "critical system processes") by sending a shutdown request through the RmShutdown API - more info on this tool here: http://msdn.microsoft.com/en-us/library/aa373524%28v=vs.85%29.aspx
RollBack - a set of tools to assist in rolling back an application install (to test the error recovery within an application install MSI file)
ThreadHijacker - Allows you to crash a process by pausing a process thread, injecting binary data into its address space, then resuming it.  Again, this is used to measure the robustness of applications.
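The REGDUMP-then-REGDIFF workflow described above (snapshot a key before an install, snapshot again after, diff the two) can also be done with built-in cmdlets.  This is an added example, not part of the diary or of the Logo tools; the function names are mine, and it assumes Windows PowerShell 5.1 or later with read access to the key being snapshotted.

```powershell
# Added example (not from the diary): the REGDUMP-then-REGDIFF workflow with
# built-in PowerShell, for machines where the Logo tools are not installed.
# Function names are mine. Assumes Windows PowerShell 5.1+ and read access
# to the key being snapshotted.

function Export-RegistrySnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,     # e.g. HKLM:\SOFTWARE\Vendor
        [Parameter(Mandatory)][string]$OutFile   # CSV to write
    )
    # Take the root key plus every subkey; -ErrorAction SilentlyContinue skips
    # keys the current token cannot read instead of aborting the snapshot.
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    $rows = foreach ($k in $keys) {
        if ($null -eq $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Key   = $k.Name
                # The default value has an empty name; label it so it is visible.
                Value = $(if ($name -eq '') { '(Default)' } else { $name })
                Kind  = $k.GetValueKind($name)
                # Flatten REG_MULTI_SZ / REG_BINARY so each row is one string;
                # keep REG_EXPAND_SZ unexpanded so %PATH%-style data diffs cleanly.
                Data  = (@($k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')) -join ',')
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

function Compare-RegistrySnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $b = @(Import-Csv -Path $Before)
    $a = @(Import-Csv -Path $After)
    # A value whose data changed appears twice: once on the "before" side and
    # once on the "after" side, which is what you want when checking what an
    # installer (or its rollback) actually touched.
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Key, Value, Kind, Data -PassThru |
        Select-Object @{ n = 'Side'; e = { if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } } },
                      Key, Value, Kind, Data |
        Sort-Object Key, Value, Side
}

# Usage:
#   Export-RegistrySnapshot -Path 'HKLM:\SOFTWARE\Vendor' -OutFile before.csv
#   ... install, uninstall, or roll back the application ...
#   Export-RegistrySnapshot -Path 'HKLM:\SOFTWARE\Vendor' -OutFile after.csv
#   Compare-RegistrySnapshot -Before before.csv -After after.csv | Format-Table -AutoSize
```

Snapshotting a narrow key such as the vendor's own SOFTWARE subtree, plus the Run keys and Services if you are checking persistence, keeps the diff readable; a whole-hive snapshot works but is slow and noisy.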
 

=============== Rob VandenBrink Metafore ===============

Rob VandenBrink

481 Posts
ISC Handler
Instead of using regdump use the built in (xp and above) reg.exe. Then it'll work on your customer's computers as well.

reg query HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\SERIALCOMM | find "REG_SZ"
Anonymous
I guess I am just as happy the COM ports are gone. In general they are tricky beasts for users to deal with (getting BAUD rate and # stop bits set correctly), and I have encountered situations where certain types of devices just don't work with certain laptops due to an inability of the laptop to process data fast enough.

Some of the newer equipment that I see has a micro web server of some sort. From an ease-of-use standpoint that might be a good thing - from a security standpoint it opens up all sorts of potential issues. We all got new VOIP phones at work, and the telephone on my desk listens on port 80, and I can connect to it with my browser.
Eric

43 Posts
If the computer has PowerShell installed:
Get-WMIObject -Class Win32_SerialPort | % { Write-Host "$($_.Name) ($($_.DeviceID))" }
Eric
3 Posts
Our brand new HP 6730b laptops all come with serial ports built in.

Also Tera Term always recognizes my usb-to-serial adapter and its associated com port. No need to go hunting in device manager.
kcny

1 Posts
I think the question isn't "who got rid of COM ports on laptops" but more "why does Cisco still use COM ports to connect to their devices?"
kcny
1 Posts
Jessica, what would be the alternative? usb?
Plugging into a switch locally is one thing; using console servers for several hundred network devices around the world is a bit different.

Laptops are not the only devices to admin/deploy devices :)

I'm happy that most vendors still have serial ports.
Anonymous
Dell Latitude laptops still have nice Serial ports.

Linux USB COM ports don't pick random numbers. The first USB COM port will be /dev/ttyUSB0, the second /dev/ttyUSB1 and so on.

Newer Cisco x900 (1900, 2900, etc) routers have USB ports now which allow you to connect the device ("B") end of the cable to them and they automatically show up as a USB COM port. Linux continues to just grab the first available free /dev/ttyUSB[0-9] port. One thing to note here is that you cannot use the router's serial CONsole port and the USB console port at the same time - connecting to USB will disable the serial on the router until you disconnect the USB.

This is all the more reason to have serial terminal server solutions in place using a management network to access them so you don't have to physically be on site or deal with cables.

Lastly, my favorite USB-serial vendor which has always just worked is Cool Gear:
http://www.coolgear.com/Category.cfm?catid=199&AZX=

I especially like their part XC-232-C which has two serial ports but uses just one USB connection. It shows up as /dev/ttyUSB0 & /dev/ttyUSB1 as expected under Linux.
Anonymous
Just to add a data point, on OS X these show up as /dev/tty.usbserial*.
Anonymous
This article has been plagiarized by a Gregory Evans/LIGATT Security website.

http://nationalcybersecurity.com/?p=48907

Rob, he did leave your article signature in the end of the article, but did not source or otherwise attribute this to you.
Anonymous
At least the COM ports were reliable. I've never found a USB to Serial dongle that didn't have occasional glitches. And being in a customer's telco closet is not a good time to have your console connection glitch. It's hard to find a transmission mechanism more trustworthy than a serial connection. GUIs still don't have the functionality of the command line for most commercial-grade telecom equipment.
hacks4pancakes

48 Posts
Here's how to use PowerShell to search the registry:
Get-ItemProperty -Path "hklm:\hardware\devicemap\serialcomm\" -Name "*Prolific*"

That's assuming you're searching for a Prolific device. You could change that to your needs, or just remove the "-Name" parameter entirely.
hacks4pancakes
3 Posts
I just stumbled on this post and I was compelled to leave a reply. I don't quite see the use of all this for just accessing a router! I've used the same USB-Serial adapter for many years with only a ONE-TIME setup (only once in MANY years). Now that's simplicity. ;)
I'm sure this script or explanation would be great for some bored Windows admin somewhere; well, the www is filled with WMI scripts like this. IMHO, I'm just having difficulty justifying all this for just finding out your COM port and accessing a router via the serial port--which frankly you'd only use if you've lost SSH access or if you're configuring a router from scratch.

It's simple:
a) the first time, the first time ever, you use your USB-serial adapter (maybe you bought a new one), you plug it into your favorite USB port (can't skip this)
b) install the driver if you have to (can't skip this)
c) then if you really want you could probably see the COM port via the "safe-removal pop-up" in the Windows task bar (bottom right corner........if not you have to dig up the COM port # from Device Manager only ONCE). If you've got Windows Vista or 7, just open your "Printers and Devices" (it shows the COM port in brackets, in plain sight, with just ONE click).
d) if you're lucky enough to use SecureCRT, then you simply set up your console access connection with that COM port--ONCE. Or set up your HT and simply save it--that's it!
e) Then, all you have to do is plug the USB-serial dongle into the same USB port for simplicity; if you can remember router commands and passwords, remembering the first used USB port for your USB-serial adapter should be a walk in the park for you or as easy as pie (IMHO). I don't know too many people who'd have trouble with that. ;-p Sometimes even if you plug it into a different USB port, it still uses the same COM unless that COM is used by other functions.

If you're moving around to go to a router, I'm sure you're not dragging a printer which is plugged into your USB port (or other USB peripherals).....if you've got a USB stick in the desired USB-serial port, well, it's probably much easier to disconnect and reconnect the USB stick to a different port than having to go through all this; so you can free up your favorite USB port for your dongle......but that's just my view....I can appreciate others might have a different opinion. :)
hacks4pancakes
1 Posts
You can use WMIC to get the information you're looking for. The command is:

wmic path Win32_SerialPort get DeviceID,Name

- Roger
hacks4pancakes
1 Posts
Lucky you. I have an HP laptop too *brand new* with Windows 10 and Tera Term does not see my com ports. The device manager does, so I am puzzled. I hate to mess with the registry but apparently there is a missing key under HARDWARE\DEVICEMAP for serial comm.
Anonymous
