Friday, May 7, 2010

lsof for Windows substitute

5/10/2010 update to this post (see below)
I've created a couple of Vista cmd files that pipe netstat output into tasklist, as a substitute for the Linux `lsof -Ts` that Windows lacks (see the lsof sample at the end of this post). The TCP/TCPv6 output logs the time, the foreign endpoint (IP address and port) and the owning process's tasklist information. The UDP/UDPv6 output logs only the time and the process information, because UDP is connectionless and netstat reports no foreign endpoint for it (see the output below). Being able to log network endpoints together with the process that owns them is invaluable in security work: Mark Russinovich's Process Monitor (procmon, run with the network filter) does this quite thoroughly, and Microsoft's Netmon 3.3 correlates captured packets to most applications. I was interested, however, in something command-line and lightweight, built only from native Vista commands. The crux of the scripts is:

:: pipe appropriate netstat output to tasklist
:: %netstat_option% holds the netstat switches (presumably "ano", judging by the script names:
:: all sockets, numeric addresses, owning PID) and %connection_type% is TCP, TCPv6, UDP or UDPv6.
:: The two findstr /V filters drop the "Active Connections" banner and the "Proto ..." column
:: header so that only socket rows reach the loop. A TCP row splits into Proto, Local Address,
:: Foreign Address, State, PID: %%c is the foreign endpoint and %%e the owning PID.
:: (A UDP row has no State column, so its PID is the fourth token, not the fifth.)
for /f "tokens=1-5" %%a in ('@netstat -%netstat_option% -p %connection_type% ^| findstr /V Active ^| findstr /V Proto') do set EP=%%c& set PID=%%e& call :loop
..
::log Endpoint and network process PID
:: the trailing comma leaves the record open; tasklist's CSV line completes it on the next line.
:: findstr /V "ECHO" filters out an "ECHO is off." line should echo ever have nothing to print.
@echo "%timestamp%","%EP%", | findstr /V "ECHO"
:: /FO CSV /V /NH fields: Image Name, PID, Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title
@tasklist /FO CSV /V /FI "PID eq %PID%" /NH


With the PID of each network process captured automatically, you can add options to check/log the files that process holds open, using the (very slow) 'openfiles' command.
[openfiles only returns results once the "maintain objects list" global flag has been enabled with `openfiles /local on`, which takes effect after a reboot and itself slows the system, which is why it is off by default.]

rem openfiles /V columns for local files: ID, Type, Process ID, Process Name, Open File (Path\executable)
rem tokens=1-4* keeps the whole remainder of the line in %e, so paths containing spaces are
rem logged intact (with tokens=1-5 only the first word of the path survives)
for /f "tokens=1-4*" %a in ('openfiles /query /FO TABLE /NH /V') do @if %c==%PID% echo %e >> temp
...
C:\Users\Admin\AppData\Local\Google\Chrome\Application\4.1.249.1064
...
Adding Mark Russinovich's accesschk will show the security permissions on those files:

rem delims= keeps each line of temp whole, so paths with spaces reach accesschk unbroken;
rem -q omits the banner and -v prints the full access mask plus the Vista integrity level
for /f "delims=" %i in (temp) do @accesschk -qv "%i" | more
....
C:\Users\Admin\AppData\Local\Google\Chrome\Application\4.1.249.1064\avcodec-52.dll
Medium Mandatory Level (Default) [No-Write-Up]
RW RMFVista\Admin
FILE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW BUILTIN\Administrators
FILE_ALL_ACCESS

....
The cmd files can be found here: 

http://www.rmfdevelopment.com/PowerShell_Scripts/ano_TCP.cmd
http://www.rmfdevelopment.com/PowerShell_Scripts/ano_UDP.cmd
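The same pipeline in PowerShell, added here as an example (it is not code from this post or from the rmfdevelopment.com scripts): it joins each netstat socket to its owning process and appends one CSV row per socket, handling the TCP/UDP token difference in one script, and optionally folds in the openfiles and permissions steps above. It assumes Windows PowerShell 2.0 or later, netstat.exe and openfiles.exe on the PATH, and the column names of openfiles' local-files CSV output; it uses Get-Acl as a native stand-in for accesschk. The script name netproc.ps1, the parameter names and the log path are the example's own choices.

```powershell
<#
  Added example (not the post's ano_*.cmd scripts, nor anything from rmfdevelopment.com):
  the netstat -> process join in PowerShell, writing one timestamped CSV row per socket.
  -OpenFiles adds the files each network PID holds open (openfiles.exe, which only answers
  after `openfiles /local on` and a reboot) and -Acl adds each file's DACL via Get-Acl, a
  native stand-in for accesschk (it does not print the integrity label accesschk -v shows).
  Assumed: Windows PowerShell 2.0+, netstat.exe and openfiles.exe on PATH, and the openfiles
  /V CSV column names of the "Files Opened Locally" section. Script/parameter names are mine.
#>
param(
    [ValidateSet('TCP', 'TCPv6', 'UDP', 'UDPv6')]
    [string]$Protocol = 'TCP',
    [string]$LogPath  = "$env:TEMP\netproc_$Protocol.csv",
    [switch]$OpenFiles,
    [switch]$Acl
)

# One "netstat -ano" row -> object. TCP rows are Proto Local Foreign State PID; UDP rows have
# no State column, so the PID is the 5th field for TCP but the 4th for UDP (which is why a
# single "tokens=1-5 ... %%e" cmd loop cannot serve both protocols unchanged).
function ConvertFrom-NetstatRow {
    param([string]$Row)
    $f = $Row.Trim() -split '\s+'
    if ($f[0] -like 'TCP*') {
        if ($f.Count -lt 5) { return $null }
        $state = $f[3]; $owner = $f[4]
    } else {
        if ($f.Count -lt 4) { return $null }
        $state = ''; $owner = $f[3]
    }
    New-Object PSObject -Property @{
        Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state; OwnerPid = [int]$owner
    }
}

$stamp = Get-Date -Format 'MM.dd.yyyy_HH.mm.ss'     # same shape as the post's timestamp column

# Keep only socket rows: the "Active Connections" banner and the "Proto ..." header are dropped.
$rows = netstat -ano -p $Protocol |
    Where-Object { $_ -match '^\s*(TCP|UDP)\s' } |
    ForEach-Object { ConvertFrom-NetstatRow $_ } |
    Where-Object { $_ -ne $null }

$records = foreach ($r in $rows) {
    # Get-Process is the tasklist /FI "PID eq" step; PID 0 (TIME_WAIT sockets) resolves to "Idle".
    $proc = Get-Process -Id $r.OwnerPid -ErrorAction SilentlyContinue
    $name = '<exited>'; $path = ''
    if ($proc) {
        $name = $proc.ProcessName
        try { $path = [string]$proc.Path } catch { }   # empty for System/Idle or without rights
    }
    New-Object PSObject -Property @{
        Time = $stamp; Proto = $r.Proto; State = $r.State; Local = $r.Local; Remote = $r.Remote
        PID  = $r.OwnerPid; Process = $name; Path = $path
    }
}

$columns = 'Time', 'Proto', 'State', 'Local', 'Remote', 'PID', 'Process', 'Path'
# Header-less and append-only, like the post's logs (Select -Skip 1 drops the CSV header).
$csv = $records | Select-Object $columns | ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1
if ($csv) { Add-Content -Path $LogPath -Value $csv }
$records | Select-Object $columns

if ($OpenFiles) {
    # Only quoted lines are CSV rows; "Files Opened Locally:" and similar banners are dropped.
    # Column names assumed from openfiles /V: "ID","Type","Process ID","Process Name","Open File (Path\executable)"
    $open = openfiles /query /FO CSV /V 2>$null | Where-Object { $_ -match '^"' } | ConvertFrom-Csv
    foreach ($owner in ($records | ForEach-Object { $_.PID } | Sort-Object -Unique)) {
        $files = $open | Where-Object { $_.'Process ID' -eq "$owner" } |
                 ForEach-Object { $_.'Open File (Path\executable)' }
        foreach ($file in $files) {
            $line = "PID $owner holds open: $file"
            if ($Acl -and (Test-Path -LiteralPath $file)) {
                # AccessToString is one ACE per line; flatten it so the report stays one line per file
                $dacl = (Get-Acl -LiteralPath $file).AccessToString -replace "`r?`n", '; '
                $line += "  [DACL: $dacl]"
            }
            Write-Output $line
        }
    }
}
```

Save it as netproc.ps1 and run it from an elevated prompt (so that the image paths of other users' processes are readable): `powershell -ExecutionPolicy Bypass -File .\netproc.ps1 -Protocol TCP -OpenFiles -Acl`. Get-Acl reports the DACL only; it does not show the mandatory integrity label that accesschk -v prints, so keep accesschk for that check.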


5/10/2010 update:
An update which takes any of four arguments (TCP, TCPv6, UDP, UDPv6) and logs to a CSV file, with output as below, can be found at http://www.rmfdevelopment.com/PowerShell_Scripts/ano_all.cmd
ano_all.cmd output for TCP (fields: timestamp, state, local endpoint, foreign endpoint, image name, PID, session name, session number, memory usage)
"05.10.2010_11.35.21.34","LISTENING","0.0.0.0:1029","0.0.0.0:0","services.exe","740","Services","0","9,532"
"05.10.2010_11.35.21.82","LISTENING","0.0.0.0:9000","0.0.0.0:0","System","4","Services","0","21,204"
"05.10.2010_11.35.22.34","LISTENING","192.168.0.3:139","0.0.0.0:0","System","4","Services","0","21,204"
"05.10.2010_11.35.22.84","CLOSE_WAIT","192.168.0.3:1059","174.133.89.198:80","pctsSvc.exe","856","Services","0","195,660"
"05.10.2010_11.35.23.33","ESTABLISHED","192.168.0.3:1072","85.13.200.108:21","ftp.exe","2568","Console","1","6,388"
"05.10.2010_11.35.23.82","ESTABLISHED","192.168.0.3:1080","74.125.155.139:80","chrome.exe","4404","Console","1","62,576"
"05.10.2010_11.35.24.31","ESTABLISHED","192.168.0.3:1082","72.14.213.191:80","chrome.exe","4404","Console","1","62,576"


ano_TCP.cmd output for TCP
(note: it would be trivial to add the connection state as well; I did so in ano_all.cmd, as remarked above. -RMF)
Each record spans two lines: the echo writes the timestamp and foreign endpoint, and tasklist then appends the process fields (image name, PID, session name, session number, memory usage, status, user name, CPU time, window title).

"05.06.2010_21.30.31.74","174.133.89.198:80",
"pctsSvc.exe","3368","Services","0","24,588 K","Unknown","NT AUTHORITY\SYSTEM","0:15:51","N/A"
"05.06.2010_21.30.32.20","72.14.213.99:80",
"Picasa3.exe","4248","Console","1","128,588 K","Running","RMFVista\Admin","0:02:16","Picasa 3"
"05.06.2010_21.30.32.69","72.14.213.101:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.33.15","74.125.127.191:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.33.60","74.125.127.105:443",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.34.12","74.125.127.139:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"


ano_UDP.cmd output for UDP

(note: Microsoft's netstat never shows a foreign IP address for UDP, as far as I can tell. UDP is connectionless, so the foreign-address column is always *:*.)

"05.06.2010_21.29.42.51","*:*",
"nc.exe","4120","Console","1","572 K","Unknown","RMFVista\Admin","0:00:00","N/A"
"05.06.2010_21.29.44.07","*:*",
"svchost.exe","1196","Services","0","3,400 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:01","N/A"
"05.06.2010_21.29.44.50","*:*",
"svchost.exe","636","Services","0","52,188 K","Unknown","NT AUTHORITY\SYSTEM","0:07:36","N/A"
"05.06.2010_21.29.44.99","*:*",
"svchost.exe","636","Services","0","52,188 K","Unknown","NT AUTHORITY\SYSTEM","0:07:36","N/A"
"05.06.2010_21.29.45.42","*:*",
"svchost.exe","1288","Services","0","17,136 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:03","N/A"
"05.06.2010_21.29.45.87","*:*",
"VCSW.exe","5644","Services","0","3,540 K","Unknown","NT AUTHORITY\SYSTEM","0:00:04","N/A"


lsof 4.78 (Linux) sample output
lsof -Ts | grep -i Firefox | grep IPv4
firefox 5756 root 5lu IPv4 22403 TCP 192.168.0.5:40814->nuq04s01-in-f113.le100.net:www (ESTABLISHED)

2 comments:

  1. I had to post a few versions of ano_all.cmd before I got it right...

  2. I don't understand any of this. But I'm trying to learn about these things! I will come back sometime, maybe pick up something..
