
CCS 10.5.1 Custom Check

Created: 04 Jan 2013 | 4 comments

Has anyone ever written a check to determine if ports are open on a desktop machine?

We are trying to write one that will let us know if Ports 5800 and Port 5900 are open on Windows 7 machines.  


Conventus Tyrrell's picture

Not sure that there's a check in Windows to check for open ports (I know this check IS available on *nix). An easier way to go about it would be to check to see if the service that listens on those ports is running... assuming you know which service it is that should be listening. Not quite what you were looking for, but should get you to the same spot.

Chris Tyrrell

ctyrrell@conventus-sei.com

Conventus Corp.

Chaitali's picture

BindView does not offer a direct ports query. But depending on what you are looking for, you may want to run a BV-C Windows Registry query - and filter the below mentioned keys by "Key/Value Name" field in BindView.

Please refer to: https://www.microsoft.com/security/portal/threat/e...

"The following system changes may indicate the presence of RemoteAccess:Win32/UltraVNC:

Presence of these registry keys:

HKEY_LOCAL_MACHINE\Software\UltraVnc
HKEY_LOCAL_MACHINE\Software\ORL
HKEY_CURRENT_USER\Software\ORL

When the program is in use, it may open and await connections on TCP ports 5800 and 5900"

Hope this helps!

Thanks,
Chaitali

elliev's picture

Thanks!  I was able to develop a query to list all the permitted TCP ports <LIST>

It is supposed to provide a list of all permitted ports, but it is coming back and just stating permit all. I am not sure if you have any thoughts on how to get an actual list vs. just having it say 'permit all,' but figured I would throw it out there. Thanks again.

Conventus Tyrrell's picture

I believe that the query you created shows the Windows Firewall configuration and does not list out what ports are actually being listened on. In order to determine active listening ports, you would need a port scanner, which CCS Standards Manager does not do.

If you need this capability, you would need to use CCS Vulnerability Manager. What application listens on those ports? If you know that, you can develop a check to see if that app is running. Not sure if there's another way to get at this using just CCS Standards Manager.

Chris Tyrrell

ctyrrell@conventus-sei.com

Conventus Corp
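
The thread separates three things: what the Windows Firewall permits, what is actually listening, and the registry keys quoted from the Microsoft write-up. The following is an added example, not code from any poster or from CCS, that checks the last two locally on the endpoint. It assumes PowerShell 2.0 or later (the Windows 7 default) and is run on the machine itself rather than as a CCS Standards Manager check; the function names are hypothetical.

```powershell
# Added example: local audit of the two conditions discussed in the thread.
# Uses only .NET and built-in cmdlets, so it also runs on PowerShell 2.0.

$PortsOfInterest = 5800, 5900            # ports named in the question
$RegistryKeys = @(                       # keys quoted from the Microsoft write-up
    'HKLM:\Software\UltraVnc',
    'HKLM:\Software\ORL',
    'HKCU:\Software\ORL'                 # HKCU reflects only the account running this script
)

function Get-ListeningTcpPort {
    param([int[]]$Port)
    # GetActiveTcpListeners() reports the endpoints the OS is listening on,
    # independent of what the Windows Firewall policy permits.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $props.GetActiveTcpListeners() |
        Where-Object { $Port -contains $_.Port } |
        Select-Object @{n='Address';e={$_.Address.ToString()}}, Port
}

function Get-VncIndicatorReport {
    # Force arrays so .Count is reliable when zero or one item is returned.
    $listeners = @(Get-ListeningTcpPort -Port $PortsOfInterest)
    $keysFound = @($RegistryKeys | Where-Object { Test-Path -Path $_ })

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        ListeningPorts = ($listeners | ForEach-Object { '{0} port {1}' -f $_.Address, $_.Port }) -join ', '
        RegistryKeys   = $keysFound -join ', '
        Flagged        = ($listeners.Count -gt 0) -or ($keysFound.Count -gt 0)
    }
}

Get-VncIndicatorReport | Format-List ComputerName, Flagged, ListeningPorts, RegistryKeys
```

A listener on 5800 or 5900 with none of the registry keys present means some other program has bound the port, so the two columns are worth reading together.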