Tuesday, July 29, 2008

Its not nmap but it gets the job done -- portqry

Scanning once you are on the LAN can pose a problem. Nmap requires installing pcap and usually an interactive install (metacab is an option depending on scope) and some AV's will flag on those types of things (which is understandable). Since there is no native scanning capability in windows you are forced to either install something or upload a standalone binary. Foundstone's scanline is one option but its not one of my favorites. You can write your own and upload that but I'd hate to have some custom code submitted to some AV vendor by some motivated admin. Or you can upload Microsoft's portqry.

C:\>portqry -n server1.company.com -e 3389
Querying target system called:
server1.company.com
Attempting to resolve name to IP address...
Name resolved to 10.1.1.1
querying...
TCP port 3389 (unknown service): LISTENING


Checking out the KB article on portqry will give you some of its more useful features.
Some fun options are its ability to send default ldap queries:

portqry -n myserver -p udp -e 389

UDP port 389 (unknown service): LISTENING or FILTERED
Sending LDAP query to UDP port 389...

LDAP query response:

currentdate: 12/13/2003 05:42:40 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com
dsServiceName: CN=NTDS Settings,CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com
namingContexts: DC=domain,DC=example,DC=com
defaultNamingContext: DC=domain,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com
configurationNamingContext: CN=Configuration,DC=domain,DC=example,DC=com
rootDomainNamingContext: DC=domain,DC=example,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 4259431
supportedSASLMechanisms: GSSAPI
dnsHostName: myserver.domain.example.com
ldapServiceName: domain.example.com:myserver$@domain.EXAMPLE.COM
serverName: CN=myserver,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2

======== End of LDAP query response ========

UDP port 389 is LISTENING


and "sqlpings"

portqry -n 192.168.1.20 -e 1434 -p udp

You receive the following output:


Querying target system called:

192.168.1.20

querying...

UDP port 1434 (ms-sql-m service): LISTENING or FILTERED

Sending SQL Server query to UDP port 1434...

Server's response:

ServerName SQL-Server1
InstanceName MSSQLSERVER
IsClustered No
Version 8.00.194
tcp 1433
np \\SQL-Server1\pipe\sql\query

==== End of SQL Server query response ====

UDP port 1434 is LISTENING

It also does snmp queries and ISA queries and evidently RPC end-point mapping as well.

There are other fun features and the localhost options are worth looking into as well.

Some of the not so fun stuff. No randomizing ports. You can do an ordered list or ranges but no random. ONLY ONE HOST AT A TIME :-( but that's what batch files are for.

If anyone else is using this for pentests please let me know your thoughts.

Additional information on metacab: http://www.phx2600.org/forum/viewtopic.php?t=951&start=0

1 comment:

Philip Hartlieb said...

...enjoyed it. looks like it also lets you set up a watch on a local port or process pretty easily .. good stuff ... native tools #ftw .. thanks for the post.