Scanning Open Ports in Windows: A Quick Guide (Part 2)
In early 2012, I wrote an article called Scanning Open Ports in Windows: A Quick Guide that covered how to use NetStat.exe, Tasklist.exe, TCPView.exe and PortQry.exe to view open ports and troubleshoot client or server side application network connectivity issues. This article is a continuation of that and discusses three more free tools you can use to check for open ports – Telnet, CurrPorts.exe and TCPEye.exe.
To get started, one tool I thought would be worthy of a brief mention is Telnet. Using the telnet command you can quickly test if a specific port is open on a host in your network. To do this:
- Open a command prompt window
- Type telnet hostname port_number or telnet ip_address port_number
Replace hostname or ip_address with the name or IP address of the machine you wish to connect to, and port_number with the port number you want to test. You will see a blank screen if the connection was successful (indicating that the specified port is open).
Note: On Windows Vista/7/8, Telnet is disabled by default. To enable it:
- Go to the Control Panel > Programs and Features > Turn Windows features on or off
- Check Telnet Server and Telnet Client
- Click OK to have the features installed.
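The same connect test can be run on a machine where the Telnet client is not enabled. The following Python code is an added example, not part of the original article; the names check_port, check_ports and demo are hypothetical. It goes a little beyond the telnet test by distinguishing a refused connection (closed) from no response at all (filtered), and it uses a constructed loopback listener as sample input.

```python
import socket

def check_port(host, port, timeout=3.0):
    """Attempt a TCP connection, as telnet does, and classify the outcome."""
    if not 0 < port < 65536:
        raise ValueError("port must be between 1 and 65535")
    try:
        # getaddrinfo accepts a hostname or a literal IPv4/IPv6 address.
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    result = "filtered"
    for family, socktype, proto, _name, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"        # handshake completed (telnet's blank screen)
            except ConnectionRefusedError:
                result = "closed"    # host replied, but nothing is listening
            except OSError:
                pass                 # timed out or unreachable: likely filtered
    return result

def check_ports(host, ports, timeout=3.0):
    """Check several ports on one host and return {port: state}."""
    return {p: check_port(host, p, timeout) for p in ports}

def demo():
    """Constructed sample: one listening and one closed port on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0 = let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # released, so nothing listens here
    try:
        ports = [open_port, closed_port]
        return open_port, closed_port, check_ports("127.0.0.1", ports, 1.0)
    finally:
        listener.close()

if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port} is {state}")
```
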
Another handy tool to add to your collection is CurrPorts. CurrPorts runs as a standalone application that displays all open TCP and UDP ports on your local computer and detailed information about which process opened those ports. Using this tool, you can also:
- Close unwanted TCP connections (when run under an admin account)
- Kill the process that opened the port
- Export the TCP/UDP port information to a file
- Filter the information that is displayed to show or hide TCP/UDP ports, ports that are listening, established, closed, and even flag ports that are not associated with a known application.
To open CurrPorts, simply extract the ZIP file and run CurrPorts.exe. It will immediately list information about all currently open ports. Use the Options menu to filter out which port information you wish to view.
The image below shows what a suspicious connection might look like if you were investigating a local machine. In this example, I created a small console application in C# to simulate client/server network connectivity that connects to port 6996 on the local IP address. You can use the “Remote IP Country” column on the far right of the window to give you a quick indication of where the remote server is located.
Note: In the real world, a malicious process (e.g. botnet) would have a different remote address (for the purposes of this example the client and server processes are running on the same machine).
Whatever it is that you are investigating, look at the process name and port number together to determine if something seems out of the ordinary. Alternatively, if you are looking for a specific open port, sort the “Local Port” or “Remote Port” column and search for the port number in question.
The status bar at the bottom of the CurrPorts window shows the total number of ports in use and the number of established remote connections.
Finally, similar to CurrPorts is an application called TCPEye. TCPEye also displays a list of all currently opened TCP/UDP ports on your local computer and shows detailed information about the process that opened the port. Like CurrPorts, TCPEye also allows you to:
- View which country the remote server is located in
- Close unwanted TCP connections
- Save TCP/UDP port information into an HTML, XML or CSV file.
One standout feature in TCPEye is that if you notice a suspicious process (e.g. one that is connected to an open port and a remote address), you can right click on it and select “Check with VirusTotal” for the process information to be uploaded and analysed by VirusTotal (as shown in the image below).
One thing to note about TCPEye is that it does not run as a standalone application and will require installation first.
Do you know of any other free or open source tools you use to check for open ports? If so, we’d love to hear from you.