I was aware of PortQry but didn’t know it has a GUI counterpart too, PortQryUI. For a quick read on PortQry check out this link; if you have more time and interest, check out this KB article. PortQry/PortQryUI can be used to check the status of TCP and UDP ports on a remote computer. For TCP ports I usually do a telnet to the port (by habit) but didn’t have any equivalent tool for UDP ports.
Important PortQry switches (as a reference to myself) are:
- `-n` -> specifies the server name/IP address to target
- `-p` -> specifies the protocol to test (options are `tcp` or `udp` or `both`; default is `tcp`)
- `-e` -> specifies the port(s) to test (default is port 80) - note: it is possible to specify a single port (e.g. `-e 81`), ports (e.g. `-e 80,81`) or a range (e.g. `-e 80-1024`) - note: the ports must be in the range 1-65535
- instead of `-e` you can use either of the following too:
  - `-r` -> specifies a port range (e.g. `-r 80:90`)
  - `-o` -> specifies a comma-separated list of ports to check in order (e.g. `-o 80,443,139`)
Some other switches are:
- `-nr` -> stops PortQry from resolving an IP address to a name
- `-sl` -> waits longer for replies from UDP systems (`sl` == slow link)
- `-l` -> specifies a log file to output to
- `-y` -> will over-write the log file if it exists, without prompting
While writing this post I learnt that PortQry can also enumerate the local ports. Nice!
- The `-local` switch will list all active TCP/UDP ports on the local system. (Think of it as `netstat -a` but without any details of the remote end.)
- The `-wport (port number)` switch will watch a specified port’s state and report when it changes. This didn’t work for me, got an error “Port to process mapping is not supported on this system”.
- The `-wpid (PID)` switch will watch a specified process ID (PID) and report when its state changes. This too didn’t work for me, same error as above.
A good thing about PortQry is that it can also query protocols that it’s aware of. Thus, for instance, if you query port 53/UDP (DNS) and something’s listening at the remote end, PortQry can send an additional DNS query to that port.
```
D:\PortQryV2>PortQry.exe -n 8.8.8.8 -p udp -e 53

Querying target system called:

 8.8.8.8

Attempting to resolve IP address to a name...

IP address resolved to google-public-dns-a.google.com

querying...

UDP port 53 (domain service): LISTENING or FILTERED

Sending DNS query to UDP port 53...

UDP port 53 is LISTENING
```
This is useful in AD troubleshooting too. For instance, to check whether port 389 of a DC has an LDAP server listening as it should be:
```
C:\PortQryV2>PortQry -n win-dc01 -e 389

Querying target system called:

 win-dc01

Attempting to resolve name to IP address...

Name resolved to 10.50.0.20

querying...

TCP port 389 (ldap service): LISTENING

Using ephemeral source port
Sending LDAP query to TCP port 389...

LDAP query response:

currentdate: 01/30/2015 06:01:12 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=rakhesh,DC=local
dsServiceName: CN=NTDS Settings,CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local
namingContexts: DC=rakhesh,DC=local
defaultNamingContext: DC=rakhesh,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=rakhesh,DC=local
configurationNamingContext: CN=Configuration,DC=rakhesh,DC=local
rootDomainNamingContext: DC=rakhesh,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 131289
supportedSASLMechanisms: GSSAPI
dnsHostName: WIN-DC01.rakhesh.local
ldapServiceName: rakhesh.local:win-dc01$@RAKHESH.LOCAL
serverName: CN=WIN-DC01,CN=Servers,CN=COCHIN,CN=Sites,CN=Configuration,DC=rakhesh,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 3
forestFunctionality: 3
domainControllerFunctionality: 6

======== End of LDAP query response ========
```
Similarly, RPC:
```
C:\PortQryV2>PortQry -n win-dc01 -e 135

Querying target system called:

 win-dc01

Attempting to resolve name to IP address...

Name resolved to 10.50.0.20

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:win-dc01[49152]

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:win-dc01[52075]

UUID: 897e2e5f-93f3-4376-9c9c-fd2277495c27 Frs2 Service
ncacn_ip_tcp:win-dc01[49228]

UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:win-dc01[49199]

UUID: 6bffd098-a112-3610-9833-46c3f874532d
ncacn_ip_tcp:win-dc01[49163]

UUID: 5b821720-f63b-11d0-aad2-00c04fc324db
ncacn_ip_tcp:win-dc01[49163]

...

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:win-dc01[\pipe\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_ip_tcp:win-dc01[49155]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_http:win-dc01[49157]

UUID: 12345778-1234-abcd-ef00-0123456789ab
ncacn_np:win-dc01[\pipe\6a5ea4888e20cb9b]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:win-dc01[\pipe\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:win-dc01[49155]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_http:win-dc01[49157]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:win-dc01[\pipe\6a5ea4888e20cb9b]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:win-dc01[49158]

...
```
In the output above, for instance, I query port 135/TCP, which is where the RPC endpoint mapper service listens. After querying this port and getting a response, PortQry asks it to enumerate the listening services. Of these, UUID 12345887-... is what the netlogon service registers under, which as we can see from the above output is listening on ports 49155 (via TCP), 49158 (via TCP), and 49157 (via HTTP). (Netlogon registers with RPC and uses dynamic ports as we saw above, so querying the RPC endpoint mapper service is the only way to find what ports Netlogon is listening on.)
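Reading the dynamic ports off the endpoint mapper listing by eye gets tedious when the response runs to dozens of UUIDs, so here is a small Python parser for PortQry’s transcript, added here as an example (it is not from the original post or from PortQry itself). It records each port’s status, lets the protocol-specific result (“UDP port 53 is LISTENING”) override the ambiguous “LISTENING or FILTERED” line that a bare UDP probe produces, and groups endpoint mapper bindings by interface UUID so the TCP ports of one RPC interface can be pulled out. The transcript embedded in it is constructed to mirror the output above and is not a real capture.

```python
import re
from collections import defaultdict

# "TCP port 389 (ldap service): LISTENING" / "UDP port 53 (domain service): LISTENING or FILTERED"
STATUS_RE = re.compile(r"^(TCP|UDP) port (\d+) \([^)]*\): (LISTENING or FILTERED|NOT LISTENING|LISTENING|FILTERED)$")
# "UDP port 53 is LISTENING": printed after the protocol-specific probe settles the UDP ambiguity
FINAL_RE = re.compile(r"^(TCP|UDP) port (\d+) is (NOT LISTENING|LISTENING)$")
# "UUID: 897e2e5f-... Frs2 Service" (annotation optional), followed by a binding line
UUID_RE = re.compile(r"^UUID: ([0-9a-fA-F-]{36})(?:\s+.*)?$")
# "ncacn_ip_tcp:win-dc01[49155]" / "ncacn_np:win-dc01[\pipe\lsass]"
ENDPOINT_RE = re.compile(r"^(ncacn_\w+):([^\[]+)\[(.+)\]$")


def parse_portqry(text):
    """Return (status, endpoints): status maps (proto, port) -> final state string,
    endpoints maps an RPC interface UUID -> list of (binding, host, endpoint)."""
    status, endpoints, current_uuid = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := STATUS_RE.match(line)) or (m := FINAL_RE.match(line)):
            # a later "is LISTENING" line overrides the earlier "LISTENING or FILTERED"
            status[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := UUID_RE.match(line):
            current_uuid = m.group(1).lower()
        elif (m := ENDPOINT_RE.match(line)) and current_uuid:
            endpoints[current_uuid].append((m.group(1), m.group(2), m.group(3)))
    return status, dict(endpoints)


def tcp_ports_for(endpoints, uuid):
    """Dynamic TCP ports an RPC interface can be reached on (ncacn_ip_tcp bindings only)."""
    return sorted({int(ep) for binding, _host, ep in endpoints.get(uuid.lower(), [])
                   if binding == "ncacn_ip_tcp" and ep.isdigit()})


# Constructed sample in the layout PortQry prints for "-p udp -e 53" and "-e 135" (not a real capture)
SAMPLE = """\
UDP port 53 (domain service): LISTENING or FILTERED
Sending DNS query to UDP port 53...
UDP port 53 is LISTENING
TCP port 135 (epmap service): LISTENING
Querying Endpoint Mapper Database...
Server's response:
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:win-dc01[\\pipe\\lsass]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:win-dc01[49155]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_http:win-dc01[49157]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:win-dc01[49158]
"""
```

Feed it the text from `PortQry -l logfile` (or captured stdout) and call `tcp_ports_for` with the UUID you are after; named-pipe and HTTP bindings are kept in the endpoints map but excluded from the TCP port list.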
In contrast to PortQry, PortQryUI has options to query for the services it is aware of. So, for instance, one can use it to query the “Domains and Trusts” service on a DC and it will do PortQry queries to port 135/TCP, port 389/BOTH, port 445/TCP, port 137/UDP, and a few other AD related ports and emit the output in a window (you can see part of the output in the screenshot below).